[Gajim-devel] Re : Re : Re : PKCS12 with password
Saleem Edah-Tally
nmset at yahoo.com
Tue Jul 26 21:42:25 CEST 2011
1. Connecting an account with an encrypted PKCS12 container
**************************************************************************
It works flawlessly. The checkbox is 'checked', a dialog pops up upon
connection to request the container password and then connection proceeds
successfully.
2. Connecting an account with an UNencrypted PKCS12 container
******************************************************************************
It fails constantly, a dialog appears proposing plain connection.
Err output :
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
ici
21:20:53 (W) gajim.c.x.tls_nb Unknown error while loading certificate from file /home/user/xmpp_lab_test.p12
21:20:53 (E) gajim.c.x.tls_nb Error while TLS handshake:
Traceback (most recent call last):
  File "/home/user/tmp/gajim-dev/src/common/xmpp/tls_nb.py", line 423, in _startSSL_pyOpenSSL
    tcpsock._sslObj.do_handshake()
SysCallError: (-1, 'Unexpected EOF')
ici
ici
////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
So it seems to have created one unexpected problem if the container is not
password protected.
Looking into tls_nb.py, I have modified line 362 as follows :
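    if conn.client_cert_passphrase is None:
        # Unencrypted container: call load_pkcs12 without a passphrase
        p12 = OpenSSL.crypto.load_pkcs12(open(conn.client_cert).read())
    else:
        # Encrypted container: pass the passphrase entered in the dialog
        p12 = OpenSSL.crypto.load_pkcs12(open(conn.client_cert).read(),
            conn.client_cert_passphrase)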
This way I can connect with both encrypted and unencrypted p12 containers.
Well it's all like I could imagine. I suppose it would be committed in the next
release.
By the way, I've tested a few other XMPP clients, Gajim is the only one I've
seen that binds an account to its own SSL credentials, and that's great.
Thank you very much.
>Ok nice, just:
>hg clone http://hg.gajim.org/gajim gajim-dev
>cd gajim-dev
>patch -p1 < cert.diff (attached)
>./launch.sh
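
The two cases tested in this message (encrypted and unencrypted container), as an added example that is not part of the original post or of Gajim's code. It uses the `cryptography` package's PKCS12 loader as a stand-in for the pyOpenSSL call shown above; the function names, the sample identity and the passphrase are constructed for illustration.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def load_client_p12(data, passphrase=None):
    """Load a PKCS12 blob; passphrase may be None, '' (both: no password), str or bytes."""
    if isinstance(passphrase, str):
        passphrase = passphrase.encode("utf-8")
    # Normalise the empty passphrase to None so unencrypted containers load.
    return pkcs12.load_key_and_certificates(data, passphrase or None)


def needs_passphrase(data):
    """True if the container does not open without a passphrase (prompt the user then).

    Caveat: a corrupt file raises the same ValueError, so a failure that
    persists after prompting has to be reported as a real error.
    """
    try:
        load_client_p12(data, None)
        return False
    except ValueError:
        return True


def make_test_p12(passphrase=None):
    """Constructed sample: throwaway self-signed identity packed as PKCS12 bytes."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "xmpp-lab-test")])
    start = datetime.datetime(2024, 1, 1)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )
    enc = (serialization.BestAvailableEncryption(passphrase) if passphrase
           else serialization.NoEncryption())
    return pkcs12.serialize_key_and_certificates(b"test", key, cert, None, enc)
```
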