Linphone does not offer acceptance of unknown TLS certificate (Bounty) #947

Open
kobaz opened this issue Mar 19, 2020 · 8 comments

@kobaz

kobaz commented Mar 19, 2020

Similar to BelledonneCommunications/linphone-desktop#323
But for Android!

Will pay a reasonable bounty to fix:

SIP Server utilizes self-signed certificate or other 'unrecognized certificate' like LetsEncrypt
Linphone attempts TLS connection to server
Linphone fails to register

Bounty payable when this is available in the downloadable app via Google Play Store

Expected Behavior:
1- Warn user about unrecognized certificate
2- User is able to accept and trust certificate and connect
3- Warn user if remote certificate changes in the future, and proceed to step 1

Bonus: Ability to include trusted certificates in remote provision xml file

@Viish
Member

Viish commented Mar 19, 2020

Hi,
If this is something you really need, you can contact our sales department ([email protected]) and we'll send you a quotation.
Cheers,

@sercangoger

@Viish
Hello, can you contact me via this e-mail?
I have a problem with TLS, but no one responds to the issues on the flexisip side. Can you help?
[email protected]

@Viish
Member

Viish commented Jul 5, 2022

Hi @sercan447, sorry but I don't do direct email support.
If you can't wait for someone to take a look at the issues on GitHub, you can contact our company for a quotation for a support or a dev-assist contract.

@mwarning

mwarning commented Mar 23, 2023

Hi, I have implemented such stuff here for a different App:
https://github.com/mwarning/trigger/blob/master/app/src/main/kotlin/app/trigger/https/HttpsRequestHandler.kt#L48

There are settings to

  • use custom server / client certificate
  • Ignore Certificate Validity
  • Disable Certificate Hostname Check (if the hostname does not match, e.g. when IP addresses are used)
  • Disable Certificate Date Check (if the cert is expired)

Take what you need. The licenses are compatible anyway.

@intellasoft

Oh wow. Spectacular.

This would be great to create a PR for. Linphone mainline is definitely lacking this sort of thing.

@waleedtalha

You can just add this check verify_server_certs = 0 in the linphonerc_default file that will be in the assets of the linphone project. This check will disable the certificate verification on the client side and then TLS will be configured. Now the certificate verification will only be on the server side.

@kobaz
Author

kobaz commented Feb 20, 2024

The problem with this is now you're completely ignoring any kind of verification. And if the server certificate changes suddenly, the client will have no idea.

Ad-hoc per-certificate allow is the preferred method across the board. (Web browsers do this)
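
The per-certificate flow requested in this issue (warn on an unrecognized certificate, let the user trust it, warn again if it later changes), as opposed to switching verification off with verify_server_certs = 0, sketched as an added example that is not part of the thread and is not Linphone code. `PinStore`, `Decision`, the JSON pin file and the host `sip.example.org` are assumptions, and the certificate bytes are constructed stand-ins for DER data.

```python
import hashlib, hmac, json, tempfile
from enum import Enum
from pathlib import Path

class Decision(Enum):
    PROMPT_NEW = "unrecognized certificate: ask the user whether to trust it"
    ACCEPT_PINNED = "matches the certificate the user already trusted"
    WARN_CHANGED = "differs from the trusted certificate: warn, then ask again"

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded server certificate."""
    return hashlib.sha256(cert_der).hexdigest()

class PinStore:
    """Hypothetical per-server pin file; consulted only after CA validation fails."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, host: str, port: int, cert_der: bytes) -> Decision:
        pinned = self.pins.get(f"{host}:{port}")
        if pinned is None:
            return Decision.PROMPT_NEW          # step 1 of the issue
        if hmac.compare_digest(pinned, fingerprint(cert_der)):
            return Decision.ACCEPT_PINNED
        return Decision.WARN_CHANGED            # step 3: never accept silently

    def trust(self, host: str, port: int, cert_der: bytes) -> None:
        """Record the user's explicit acceptance (step 2)."""
        self.pins[f"{host}:{port}"] = fingerprint(cert_der)
        self.path.write_text(json.dumps(self.pins, indent=2))

def demo():
    """Constructed byte strings stand in for DER certificates."""
    old_cert, new_cert = b"constructed-cert-A", b"constructed-cert-B"
    with tempfile.TemporaryDirectory() as d:
        pin_file = Path(d) / "pins.json"
        store = PinStore(pin_file)
        seen = [store.check("sip.example.org", 5061, old_cert)]  # first contact
        store.trust("sip.example.org", 5061, old_cert)           # user accepts
        store = PinStore(pin_file)                                # app restart
        seen.append(store.check("sip.example.org", 5061, old_cert))
        seen.append(store.check("sip.example.org", 5061, new_cert))
        return seen

if __name__ == "__main__":
    for decision in demo():
        print(decision.name, "-", decision.value)
```

Because the pin covers the whole certificate, a routine renewal also produces `WARN_CHANGED` and needs a fresh user decision.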

@fhsiao

fhsiao commented Nov 11, 2024

> You can just add this check verify_server_certs = 0 in the linphonerc_default file that will be in the assets of the linphone project. This check will disable the certificate verification on the client side and then TLS will be configured. Now the certificate verification will only be on the server side.

Is it expected to work for the Android version of Linphone installed from the Play Store by providing a remote configuration file named linephonerc_default, such as http://192.168.1.2/linphonerc_default? It does not work for me at this point. Maybe something else needs to be provided, such as HTTPS with a bundle cert that Linphone accepts, or a different file name?

Thank you!!
