TLS Certificate Trust

[sindastra]

Some servers use "Let's Encrypt" for their certificate. This means the certificate changes about every 3 months. While the certificate is valid, I have to manually trust every new certificate anyway. This defeats the whole point of a certificate authority.

I propose that ChatSecure should simply check if the certificate is valid, instead of having to be manually verified, as is standard.

Edit:

This issue is about TLS Certificate Trust in general, it does not only affect Let's Encrypt. I merely used Let's Encrypt as an example, as it needs to be renewed every three months and thus makes it more noticeable with Let's Encrypt than others. But certificates from any CA are affected by this.

[kmq]

If my understandig of this issue is correct, ChatSecure Pins to the key of the certificate, so you can re-new the LE certificate if you do not change they key you are using to request it.

This is what I do, and it works.

[sindastra]

@kmq The server is out of my control. They probably use some script to auto-renew, as the key changes too. If I'm not mistaken, isn't it default by certbot to generate new keys? Either way, nothing I can do about someone else's server. This is why a change on the client's behavior is needed (or an option to choose what it should do).

[ghost]

I've never encountered the issue you describe; and I've used many servers out of my control over the years. So I'm unable to offer you a direct solution. However, Let's Encrypt will become their own CA (yay!) at the end of this month after IdentTrust cross signing each cert they've issued since their very beginnings. That said, I'm hoping to see longer issues on the leaf certs they issue. It's not a requirement they do so, but it's a definite possibility once they've full control of the certs they issue.

[mimi89999]

I will write a PR that makes certificate pinning optional after my final exams. I haven't decided whether ti should be per account or global yet: https://github.com/ChatSecure/ChatSecure-iOS/pull/1072#issuecomment-444563048 (and following comments).

Also, I stopped counting duplicates of this issue. There are so many...

[gdt]

I am seeing this too. I run my own XMPP server, and run certbot in a pretty default setup. An iOS gets a popup -- which breaks message delivery -- every time the cert is updated. It might be fair to require confirmation after a CA change, but a new cert (and new key) from the same CA should not cause trouble. Arguably the default should be to follow pkix validation rules, but I can see the point that more paranoia is warranted. However, objecting to a new LE cert replacing the old LE cert is not useful, and will lead people to look for a new client.

[gdt]

@sindastra Please retitle the issue to be "Renewed LE certificates are objected to, breaking message delivery".

[sindastra]

@gdt This issue is about TLS Certificate Trust in general, it does not only affect Let's Encrypt. I merely used Let's Encrypt as an example, as it needs to be renewed every three months and thus makes it more noticeable with Let's Encrypt than others. But certificates from any CA are affected by this.

[gdt]

@sindastra Perfectly OK to leave out LE, but "TLS Certificate Trust" is not a concise description of the problem. So how about "Renewed certificates (from the same CA, perhaps with a new key) are objected to, breaking message delivery"?