fbartolom Posted May 13, 2015

Hullo,

I nearly managed to insert MumbleKit into my app by also using some parts of the MumbleIos project. Still, each time a new installation is performed, the user is confronted with the warning to trust the certificate as a consequence of the call by the toolkit to trustFailureInCertificateChain. I own an SSL certificate for the server to handle https requests. May I use it, or how else may I dispense with the error/warning?

fbartolom (Author) Posted May 13, 2015

I tried putting:

    sslCert=/etc/ssl/taxiprofessional_net.crt
    sslKey=/etc/ssl/taxiprofessional.key

but, when I install the app anew on the device, method:

    - (void) connection:(MKConnection *)conn trustFailureInCertificateChain:(NSArray *)chain

keeps on being called. How do I make sure mumble finds a valid SSL certificate chain?

fwaggle (Moderators) Posted May 14, 2015

Does your cert authority require an intermediate certificate? For example, StartSSL does, and it's downloadable in PEM format.

If it does, you can either just concatenate it to the end of the certificate file, or there's a specific setting to point it at the intermediate file if for some reason you don't want to append it to the end of the cert.

HTH.

Full disclosure: I used to run a commercial Mumble host, and my opinions do not reflect the opinions of the Mumble project. Avatar is stolen from here

fbartolom (Author) Posted May 14, 2015

> Does your cert authority require an intermediate certificate? For example, StartSSL does, and it's downloadable in PEM format.
>
> If it does, you can either just concatenate it to the end of the certificate file, or there's a specific setting to point it at the intermediate file if for some reason you don't want to append it to the end of the cert.
>
> HTH.

That I do not actually know. The issue of certificates and their working is a bit wild for me. The key and certificate I used were directly taken from the information in the SSL configuration for the server. I do not know if there is some other stuff there; I did all the configuration while online with Comodo staff.

Have you any idea where I might find it, and what would be the name if it were in the https conf file? Of course I would rather not append it to the certificate, as this one is the same used by https, which could not appreciate mangling with it.

fbartolom (Author) Posted May 14, 2015

As a matter of fact I also have:

    SSLCertificateChainFile /etc/ssl/ca-bundle

in my httpd.conf file. Where am I supposed to put it?

Should I produce the PEM from that, similarly to what I do for Apple notifications, and put it in the variable in the article you mentioned?

Also, my certificates are not in PEM format either, as they are in the httpd.conf file. Should I turn them to PEM too before adding them to:

    sslCert=/etc/ssl/taxiprofessional_net.crt
    sslKey=/etc/ssl/taxiprofessional.key

mkrautz (Administrators) Posted May 19, 2015

Hi fbartolom,

Mumble expects certificates and private keys in the PEM format.

As for your intermediate certificates, there are a couple of ways to go. I'd recommend that you simply create a "combined" file that you point Murmur's sslCert option to.

The concatenated file contains the certificate chain, in PEM format, in the following order:

    Leaf certificate
    Intermediate certificate
    Intermediate certificate
    [...]
    Root certificate

More technically, the file should look something like:

    -----BEGIN CERTIFICATE-----
    (Your leaf certificate)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Your intermediate certificate)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Your intermediate certificate)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Your root certificate)
    -----END CERTIFICATE-----

though you should be able to drop the root certificate from there -- since clients need to have it in their store to be able to verify the chain in the end. The number of intermediate certificates also varies -- but there is typically at least one.

You might have received the intermediate certificates when you bought your certificate, for example in a ZIP file along with your leaf certificate. Or you might be able to download them from the website of your CA.

But the order above should make it work for you.

fbartolom (Author) Posted May 19, 2015

In fact I did all that jazz at Comodo to create the SSL certificates for the https access to my web site. Now I picked those same certificates and keys and copied them into the murmur.ini directory, referencing them from that file, but when I try to connect to the server with MumbleiOS I receive the usual trust message.

You may try it yourself by connecting to www.taxiprofessional.net using whatever login; the server is presently open to anyone.

fbartolom (Author) Posted May 20, 2015

I managed this issue by including an intermediate certificate released by Comodo and referencing it in the murmur.ini file. The https keys and certificate went fine, without the need to turn them to PEM or concatenate them to anything.