Gajim has a problem with a self-signed certificate

I run an openfire server on a VPN with a self-signed certificate. I found that the gajim client works generally well but with one exception: every time I try to send a file, gajim reports a certificate error even though I put the self-signed server certificate in the trusted certificate list on the client machine. I wonder if this is a gajim problem? Anything I can do?

1 Like

Have you tried with different clients? What is the behavior?

When Openfire consistently serves the same certificate, then any issue with a client that does not remember your choice to allow that certificate is very likely to be a client issue.

Checked the gajim site. This bug has been reported years ago but still has not been fixed.

psi seems to work fine, but gajim has the feature of displaying images in the conversation, better than psi.
When a file or image is transferred with gajim, it always reports, “the certificate of the site is not expected”. I actually have trusted the self-signed certificate of my openfire server on the machine running gajim. Since I use my own VPN, paying for a CA-signed certificate is not necessary.

1 Like

If you can raise that with Gajim community, perhaps one can suggest how to patch it.
Else you have to find another client.

Check and test to see if you can find anything suitable!
https://xmpp.org/software/clients/

Thank you, I will check if any other XMPP client will work.

1 Like

Gajim community seems to hold this problem for years without a valid solution. Finally I had to modify the python code to ignore the CA check error for it to work.

2 Likes

How did you ignore the CA check?
Can you help me with that?

1 Like

Can you share the changes you made to avoid the CA check?

1 Like

gajim version: 1.3.3 (you can download it from the gajim website)
Open file: gajim/common/modules/httpupload.py
Lines 234-235: comment them out with #
However, this will ignore TLS certificate errors once and for all. It should be just a workaround rather than a final solution.

def _check_certificate(self, message, transfer):
    https_used, tls_certificate, tls_errors = message.get_https_status()
    if not https_used:
        self._log.warning('HTTPS was not used for upload')
        transfer.set_error('unsecure')
        self._session.cancel_message(message, Soup.Status.CANCELLED)
        return

    tls_errors = convert_tls_error_flags(tls_errors)
    if app.cert_store.verify(tls_certificate, tls_errors):
        return

    for error in tls_errors:
        phrase = get_tls_error_phrase(error)
        self._log.warning('TLS verification failed: %s', phrase)

    # The two lines below (234-235 in Gajim 1.3.3) are commented out, so a failed
    # TLS verification is only logged and no longer aborts the upload.
    # transfer.set_error('tls-verification-failed', phrase)
    # self._session.cancel_message(message, Soup.Status.CANCELLED)

Thanks for the reply,
but it did not solve the problem.
It still gives an SSL verification error (signing certificate authority is not known).
I am trying to connect gajim to my ejabberd server with an IP instead of a domain.

@russrao
Can I also have your contact if you don't mind?
WhatsApp or email

It seems your error is not what I had. Mine was “the certificate does not match the content of the site”.
I also use an IP as FQDN, but my IP is a LAN address starting with 172.xx.xx.xx. I run the xmpp client and server over a VPN. Is your IP a public address or LAN?

I don’t have Whatsapp. You may write to me at russ.rao@outlook.com

When did your error occur, on logging in or on sending a file?

I have had a brief chat with one of the community members of Gajim. They showed me that Gajim does work with self-signed certificates, as long as the certificate is valid for both the XMPP domain as well as the webhost used for HTTP file upload. In Openfire’s case, that is likely the same name that you use to access the admin console.

2 Likes

Thank you for the message. Actually I have followed the dialog you kindly showed at the Gajim site a few weeks ago and found it did not work. Or, there is some message that was not clearly explained in that thread. I actually left a post in that thread asking for more information but got no answer. That is why I had to disable their ssl cert check code in httpupload as a final approach. Again, thanks for sharing.

Have you tried installing Openfire on a server and configuring the same value for the Openfire Domain and the Fully Qualified Domain Name of the server? Openfire will try to auto-detect the FQDN, but you can also change it during setup.

For self-signed certificates to work, you need these two to be the same.

Note that in the screenshot below, they are not the same (but that server does not use a self-signed certificate, so that’s not a problem there).
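To make the "valid for both names" requirement from the two posts above concrete, here is an added example (not code from Gajim, Openfire or anyone in this thread). It takes a certificate in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns and reports which of the two names a client contacts, the XMPP domain and the HTTP File Upload host, the certificate fails to cover. The two certificates and the LAN address 172.16.0.5 are constructed for the example; the matching rules (case-insensitive DNS names, a single leftmost wildcard label, IP literals only satisfied by an IP Address SAN) follow RFC 6125, which is what Gajim's TLS library enforces.

```python
"""Check whether one certificate covers every name an XMPP client contacts:
the XMPP domain and the HTTP File Upload host. Added example; the
certificate dictionaries below are constructed in the getpeercert() shape."""
import ipaddress

# Constructed: a self-signed certificate issued only for the hostname "raspberrypi".
CERT_HOSTNAME_ONLY = {
    "subject": ((("commonName", "raspberrypi"),),),
    "subjectAltName": (("DNS", "raspberrypi"),),
}

# Constructed: the same certificate re-issued with the LAN IP as an extra SAN.
CERT_WITH_IP = {
    "subject": ((("commonName", "raspberrypi"),),),
    "subjectAltName": (("DNS", "raspberrypi"), ("IP Address", "172.16.0.5")),
}


def _dns_matches(pattern, host):
    """RFC 6125-style DNS-ID matching: case-insensitive, at most one wildcard,
    only as the whole leftmost label, never matching across a dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]


def _ip_matches(san_value, ip):
    """An IP Address SAN matches only if it parses to the same address."""
    try:
        return ipaddress.ip_address(san_value) == ip
    except ValueError:
        return False


def cert_covers(cert, name):
    """True if `cert` is valid for `name`. An IP literal must appear as an
    'IP Address' SAN; a DNS entry whose text happens to be the IP does not count."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and _ip_matches(value, ip)
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_matches(value, name)
               for kind, value in sans)


def missing_names(cert, xmpp_domain, upload_host):
    """Return the names the certificate does NOT cover. An empty list means the
    upload host will pass the same verification the XMPP connection passed."""
    return [n for n in (xmpp_domain, upload_host) if not cert_covers(cert, n)]


if __name__ == "__main__":
    # The situation in this thread: XMPP domain "raspberrypi", upload URL on the LAN IP.
    for label, cert in (("hostname-only cert", CERT_HOSTNAME_ONLY),
                        ("cert with IP SAN", CERT_WITH_IP)):
        print(label, "-> missing:", missing_names(cert, "raspberrypi", "172.16.0.5"))
```

With the hostname-only certificate the upload host is reported as uncovered, which is exactly the case where the XMPP login succeeds but the file transfer fails; adding the IP (or, better, using the same hostname for the FQDN and the XMPP domain, as suggested above) clears the list. To run it against a live server, replace the constructed dictionaries with the result of `getpeercert()` from a socket wrapped by an `ssl.SSLContext` that trusts your self-signed certificate.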

I think you have pinned the root cause. I deployed openfire on a VPN and do not have a DNS name. My FQDN is my IP address 172.xx.xx.xx. My XMPP domain name is my machine name “raspberrypi”. I tried to change my FQDN to “raspberrypi” but it won’t allow me to make such a change.

It is best to always use ‘proper’ network names instead of IP addresses. Within a local network, your hostname will probably do (although it’s better to use a fully qualified domain name).

For existing servers, it is unwise to change the XMPP domain name (as this will change the JIDs of all of your users). Changing the FQDN should be easy: you can either do it in the openfire.xml file (requires a restart of Openfire) or by using the ‘server props’ page in the admin console (on URL /server-props.jsp). That most likely also requires a restart of Openfire for the change to take effect.

1 Like