[jitsi-dev] IRC & SSL


#1

Hey Danny

The IRC protocol doesn't set its status to UNREGISTERED/REASON_USER_REQUEST
when a user clicks cancel on a certificate validation error. Consequently
the reconnect plugin tries again and the popup comes up again. This
shouldn't happen.

Could you please take a look?

Thanks,
Ingo


#2

Hey Ingo,

This should be fixed now.
Could you have another look to see if the reconnect plugin now leaves
the account alone?

I tried to reproduce earlier and the reconnect plugin didn't seem to
kick in, I think. I'm not sure what that was about, may be something I
did, juggling with enabled/disabled accounts and such.

Danny

On 16-11-14 17:51, Ingo Bauersachs wrote:

> Hey Danny
>
> The IRC protocol doesn't set its status to UNREGISTERED/REASON_USER_REQUEST
> when a user clicks cancel on a certificate validation error. Consequently
> the reconnect plugin tries again and the popup comes up again. This
> shouldn't happen.
>
> Could you please take a look?
>
> Thanks,
> Ingo

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev


#3

> This should be fixed now.
> Could you have another look to see if the reconnect plugin now leaves
> the account alone?

It does. Thank you!
And it's a shame that Freenode doesn't deliver the complete certificate
chain so validation could actually succeed...

> I tried to reproduce earlier and the reconnect plugin didn't seem to
> kick in, I think. I'm not sure what that was about, may be something I
> did, juggling with enabled/disabled accounts and such.

It takes a little while and if you're debugging you're not that likely to
notice it.

> Danny

Ingo


#4

Hi Ingo,

I stumbled on this message while looking for another one. Got a remark,
see below.

>> This should be fixed now.
>> Could you have another look to see if the reconnect plugin now leaves
>> the account alone?
>
> It does. Thank you!
> And it's a shame that Freenode doesn't deliver the complete certificate
> chain so validation could actually succeed...

Are you referring to the certificate verification dialog popping up?
That does not need to happen for Freenode servers. You have to use
chat.freenode.net though. That's the host name registered in the
certificate. Did you use chat.freenode.net?

Danny

On 22-11-14 12:59, Ingo Bauersachs wrote:

>> I tried to reproduce earlier and the reconnect plugin didn't seem to
>> kick in, I think. I'm not sure what that was about, may be something I
>> did, juggling with enabled/disabled accounts and such.
>
> It takes a little while and if you're debugging you're not that likely to
> notice it.
>
>> Danny
>
> Ingo


#5

>>> This should be fixed now.
>>> Could you have another look to see if the reconnect plugin now leaves
>>> the account alone?
>>
>> It does. Thank you!
>> And it's a shame that Freenode doesn't deliver the complete certificate
>> chain so validation could actually succeed...
>
> Are you referring to the certificate verification dialog popping up?
> That does not need to happen for Freenode servers. You have to use
> chat.freenode.net though. That's the host name registered in the
> certificate. Did you use chat.freenode.net?

No, irc.freenode.net. But that doesn't matter, they use a wildcard
certificate from Gandi, which is signed by UTN-USERFirst, which is signed by
USERTrust. However, UTN-USERFirst is not in the delivered certificate chain
and thus causes a broken PKIX path. Windows' CAPI is intelligent enough to
find the missing intermediary certificate by following the AIA field in the
Gandi cert and build a proper path, Java's PKIX builder however is not.

We have a workaround in the CertificateService that tries very primitively
to load missing intermediary certificates, but it only kicks in when the
server only delivers one single certificate that is not self-signed.

> Danny

Ingo
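
The broken path described in #5 can be reproduced offline. The following is an added example, not code from this thread or from Jitsi: it builds a constructed throwaway PKI (root, intermediate, leaf; all names are made up) with the openssl CLI and checks the leaf with a verifier that trusts only the root and does not fetch intermediates via AIA.

```bash
# Constructed demo PKI with throwaway keys; "Demo Root", "Demo Intermediate"
# and "chat.example.test" are invented names, not Freenode's real chain.

new_key_csr() {  # $1=dir  $2=file stem  $3=common name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_demo_pki() {  # $1=dir; creates root.pem, int.pem, leaf.pem
  local d="$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  new_key_csr "$d" root "Demo Root"
  new_key_csr "$d" int  "Demo Intermediate"
  new_key_csr "$d" leaf "chat.example.test"
  # Self-signed root: the only certificate the client trusts.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA signed by the root.
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  # Server (leaf) certificate signed by the intermediate.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Returns 0 if a path from the leaf to the trusted root can be built.
# $2 (optional): file with the intermediates the server delivered.
chain_ok() {
  local d="$1" delivered="${2:-}"
  if [ -n "$delivered" ]; then
    openssl verify -CAfile "$d/root.pem" -untrusted "$delivered" \
      "$d/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" >/dev/null 2>&1
  fi
}

demo() {
  local d a b
  d="$(mktemp -d)" || return 1
  make_demo_pki "$d" || { rm -rf "$d"; return 1; }
  chain_ok "$d" && a="path ok" || a="broken path"
  chain_ok "$d" "$d/int.pem" && b="path ok" || b="broken path"
  rm -rf "$d"
  echo "leaf only: $a; leaf + intermediate: $b"
}
demo
```

Against a live server, `openssl s_client -connect HOST:PORT -showcerts` lists the certificates the server actually delivers, which shows whether the intermediate is missing from the handshake.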