This is a read-only archive of the Mumble forums.

This website archives and makes accessible historical state. It receives no updates or corrections. It is provided only to keep the information accessible as-is, under their old address.

For up-to-date information please refer to the Mumble website and its linked documentation and other resources. For support please refer to one of our other community/support channels.


Preventing call to trustFailureInCertificateChain


fbartolom

Hullo,

I nearly managed to insert MumbleKit into my app by also using some parts of the MumbleIos project. Still each time a new installation is performed, the user is confronted with the warning to trust the certificate as a consequence of the call by the toolkit to trustFailureInCertificateChain. I own an ssl certificate for the server to handle https requests. May I use it or how else may I dispense with the error/warning?


I tried putting:

sslCert=/etc/ssl/taxiprofessional_net.crt

sslKey=/etc/ssl/taxiprofessional.key


but, when I install the app anew on the device, method:


- (void) connection:(MKConnection *)conn trustFailureInCertificateChain:(NSArray *)chain


keeps on being called. How do I make sure mumble finds a valid SSL certificate chain?


  • Moderators

Does your cert authority require an intermediate certificate? For example, StartSSL does, and it's downloadable in PEM format.


If it does, you can either just concatenate it to the end of the certificate file, or there's a specific setting to point it at the intermediate file if for some reason you don't want to append it to the end of the cert.


HTH.

Full disclosure: I used to run a commercial Mumble host, and my opinions do not reflect the opinions of the Mumble project.


Does your cert authority require an intermediate certificate? For example, StartSSL does, and it's downloadable in PEM format.


If it does, you can either just concatenate it to the end of the certificate file, or there's a specific setting to point it at the intermediate file if for some reason you don't want to append it to the end of the cert.


HTH.

That I do not actually know. The issue of certificates and their working is a bit wild for me. The key and certificate I used were directly taken by the information in the ssl configuration for the server. I do not know if there is some other stuff there, I did all the configuration while online with Comodo staff.

Have you any idea when I might find it, what would be the name if it were in the https conf file? Of course I would rather not append it to the certificate as this one is the same used by https that could not appreciate manging with it.


As a matter of fact I also have:

SSLCertificateChainFile /etc/ssl/ca-bundle in my httpd.conf file

Where am I supposed to put it?

Should I produce the pem from that similarly to what I do for Apple notifications and put it in the variable in the article you mentioned?

Also my certificates are not in pem format either, as they are in the httpd.conf file. Should I turn them to pem too before adding them to:

sslCert=/etc/ssl/taxiprofessional_net.crt

sslKey=/etc/ssl/taxiprofessional.key


  • Administrators

Hi fbartolom,


Mumble expects certificates and private keys in the PEM format.


As for your intermediate certificates, there are a couple of ways to go. I'd recommend that you simply create a "combined" file that you point Murmur's sslCert option to.


The concatenated file contains the certificate chain, in PEM format, in the following order:


Leaf certificate

Intermediate certificate

Intermediate certificate

[...]

Root certificate


More technically, the file should look something like:

 

-----BEGIN CERTIFICATE----- 
(Your leaf certificate) 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
(Your intermediate certificate) 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
(Your intermediate certificate) 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
(Your root certificate)
-----END CERTIFICATE-----

 

though you should be able to drop the root certificate from there -- since clients need to have it in their store to be able to verify the chain in the end. The number of intermediate certificates also varies -- but there is typically at least one.


You might have received the intermediate certificates when you bought your certificate, for example in a ZIP file along with your leaf certificate. Or you might be able to download them from the website of your CA.


But the order above should make it work for you.

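An ordering check for the combined file described in the post above, as an added example that is not part of the original thread or of the Mumble project's code. The function names, the demo subject names and the throwaway chain generated by `make_demo_chain` are constructed for illustration; the check compares issuer and subject names only and assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example: ordering check for a combined PEM file (leaf first, then each issuer).
# It compares issuer/subject names only; it does not validate signatures or trust.

# Split bundle $1 into $2/cert1.pem, $2/cert2.pem, ...; print how many were found.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { close(out); out = "" }
    END { print n + 0 }' "$1"
}

# Print one name field ($1 is "subject" or "issuer") of certificate file $2.
cert_name() {
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# Status 0: every certificate's issuer is the subject of the next one. 1: wrong order. 2: no certs.
check_chain_order() (
  tmp=$(mktemp -d) || exit 2
  count=$(split_bundle "$1" "$tmp")
  status=0; i=1
  [ "$count" -ge 1 ] || { echo "no certificates in $1" >&2; status=2; }
  while [ "$i" -lt "$count" ]; do
    issuer=$(cert_name issuer "$tmp/cert$i.pem")
    next=$(cert_name subject "$tmp/cert$((i + 1)).pem")
    if [ "$issuer" != "$next" ]; then
      echo "cert $i is issued by '$issuer' but cert $((i + 1)) is '$next'" >&2
      status=1; break
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"; exit "$status"
)

# Constructed throwaway chain for trying the check: root -> intermediate -> leaf in dir $1.
make_demo_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  for pair in "int:root:Demo Intermediate" "leaf:int:voice.example.test"; do
    name=${pair%%:*}; rest=${pair#*:}; ca=${rest%%:*}; cn=${rest#*:}
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
      -keyout "$1/$name.key" -out "$1/$name.csr" 2>/dev/null
    openssl x509 -req -in "$1/$name.csr" -days 1 -CA "$1/$ca.pem" \
      -CAkey "$1/$ca.key" -CAcreateserial -out "$1/$name.pem" 2>/dev/null
  done
}
```

Run `check_chain_order` against the file that `sslCert` points to before restarting the server; a non-zero status names the first pair of certificates that is out of order.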

In fact I did all that jazz at Comodo to create the ssl certificates for the https access to my web site. Now I picked those same certificate and keys and copied them in the murmur.ini directory referencing them from that file, but when I try to connect to the server with MumbleiOS I receive the usual trust message.

You may try it yourself by connecting to www.taxiprofessional.net using whatever login, the server is presently open to anyone.


I managed this issue by including an intermediate certificate released by Comodo and referencing it in the murmur.ini file. The https keys and certificate went fine, without the need to turn them to Pem or concatenate to anything.
