[jitsi-dev] Problems with two accounts (including Google Talk) and ZRTP


#1

For testing purposes I use two external XMPP accounts on one machine
with Jitsi running: one of them is a Google Talk account.

There are two problems.

1. When I use the other account to call the Google Talk account I see an
authentication dialog for the Google Talk account although I am already
logged in.

2. After authenticating the phone rings but after accepting the call I
see (and hear) a notice that there is a ZRTP problem. I can then talk to
myself unencrypted.

Cheers,
Andreas


#2

Hello,

I don't know if using 2 accounts on the same machine doesn't really help in testing.
Try 2 different machines, that is a real test.

On 28 May 2011 09:27:12 +0200 "Andreas Kuckartz" <A.Kuckartz@ping.de> wrote:

> For testing purposes I use two external XMPP accounts on one machine
> with Jitsi running: one of them is a Google Talk account.
>
> There are two problems.
>
> 1. When I use the other account to call the Google Talk account I see an
> authentication dialog for the Google Talk account although I am already
> logged in.
>
> 2. After authenticating the phone rings but after accepting the call I
> see (and hear) a notice that there is a ZRTP problem. I can then talk to
> myself unencrypted.
>
> Cheers,
> Andreas

--
Have a good day,

Kertesz Laszlo


#3

If it is not possible to communicate between two accounts using one
machine with Jitsi I do not expect that to work using two machines.

I sent the mail to the mailing list because this behavior to me seems to
indicate bugs and I intend to create entries in the issue tracker.

Cheers,
Andreas

On 28.05.2011 09:41, Kertesz Laszlo wrote:

> Hello,
>
> I don't know if using 2 accounts on the same machine doesn't really help in testing.
> Try 2 different machines, that is a real test.


#4

Hey Andreas,

On 30.05.11 11:56, Andreas Kuckartz wrote:

> If it is not possible to communicate between two accounts using one
> machine with Jitsi I do not expect that to work using two machines.

Do you mean two accounts running on the same Jitsi instance? If so this
will indeed fail with a security warning. Please use separate machines
or, at the very least, separate Jitsi instances running in different
configuration directories.

> I sent the mail to the mailing list because this behavior to me seems to
> indicate bugs and I intend to create entries in the issue tracker.

Most applications (like Skype or Windows Live) won't allow an instance
to even initiate a call with itself so we don't consider this a
priority issue. If you are willing to contribute a simple patch that
provides an elegant solution, then fine. Otherwise we'd prefer to keep
this off our list (even if it means that our conversations with
ourselves may be eavesdropped on).

Cheers,
Emil


--
Emil Ivov, Ph.D. 67000 Strasbourg,
Project Lead France
Jitsi
emcho@jitsi.org PHONE: +33.1.77.62.43.30
http://jitsi.org FAX: +33.1.77.62.47.31


#5

Hello Emil,

> Most applications (like Skype or Windows Live) won't allow an instance
> to even initiate a call with itself so we don't consider this a
> priority issue. If you are willing to contribute a simple patch that
> provides an elegant solution, then fine. Otherwise we'd prefer to keep
> this off our list (even if it means that our conversations with
> ourselves may be eavesdropped on).

Well, I see this as a matter of robustness (which should be resolvable
elegantly :-)

Is it likely a Google Talk specific effect or more general? I do not yet
know enough about the structure of Jitsi.

When the ZRTP error notice appears I see this in the log:

12:36:51.092 INFO: impl.protocol.jabber.OperationSetDesktopSharingClientJabberImpl.addRemoteControlListener().98 Enable remote control
12:36:51.106 INFO: impl.googlecontacts.GoogleContactsSourceService.getConnection().260 GoogleContacts connection error
java.lang.NullPointerException
        at com.google.gdata.util.common.base.PercentEscaper.escape(PercentEscaper.java:185)
        at com.google.gdata.client.GoogleAuthTokenFactory.makePostRequest(GoogleAuthTokenFactory.java:545)
        at com.google.gdata.client.GoogleAuthTokenFactory.getAuthToken(GoogleAuthTokenFactory.java:487)
        at com.google.gdata.client.GoogleAuthTokenFactory.setUserCredentials(GoogleAuthTokenFactory.java:346)
        at com.google.gdata.client.GoogleService.setUserCredentials(GoogleService.java:362)
        at com.google.gdata.client.GoogleService.setUserCredentials(GoogleService.java:317)
        at com.google.gdata.client.GoogleService.setUserCredentials(GoogleService.java:301)
        at net.java.sip.communicator.impl.googlecontacts.GoogleContactsConnectionImpl.connect(GoogleContactsConnectionImpl.java:123)
        at net.java.sip.communicator.impl.googlecontacts.GoogleContactsSourceService.getConnection(GoogleContactsSourceService.java:220)
        at net.java.sip.communicator.impl.googlecontacts.GoogleContactsQuery.run(GoogleContactsQuery.java:210)
        at net.java.sip.communicator.service.contactsource.AsyncContactQuery$1.run(AsyncContactQuery.java:222)

I did not find "zrtp" anywhere in the log. I had expected to find the
text of the notice somewhere in there.

Cheers,
Andreas


#6

On 30.05.11 12:58, Andreas Kuckartz wrote:

> Hello Emil,
>
>> Most applications (like Skype or Windows Live) won't allow an instance
>> to even initiate a call with itself so we don't consider this a
>> priority issue. If you are willing to contribute a simple patch that
>> provides an elegant solution, then fine. Otherwise we'd prefer to keep
>> this off our list (even if it means that our conversations with
>> ourselves may be eavesdropped on).
>
> Well, I see this as a matter of robustness (which should be resolvable
> elegantly :-)
>
> Is it likely a Google Talk specific effect or more general?

It is related to the ZRTP engine and the fact that your correspondent
has the same ZID as yourself, which, unless you are calling yourself, is
a problem.

If Werner has a minute, he'll be able to describe the reasoning a lot
better than myself, but I suppose it has something to do with the
protectability of your conversation when both sides are using identical
keys.

> I do not yet
> know enough about the structure of Jitsi.
>
> When the ZRTP error notice appears I see this in the log:

I don't think this is related. It's simply a (most likely temporary)
problem with google contacts.

Cheers,
Emil


--
Emil Ivov, Ph.D. 67000 Strasbourg,
Project Lead France
Jitsi
emcho@jitsi.org PHONE: +33.1.77.62.43.30
http://jitsi.org FAX: +33.1.77.62.47.31


#7

The ZID is fixed ("GNUZRTP4J.zid") in this file:
https://svn.java.net/svn/jitsi~svn/trunk/src/net/java/sip/communicator/impl/neomedia/ZrtpControlImpl.java

Maybe a different ZID per instance of ZrtpControlImpl would solve that
problem but I did not yet have a closer look.

Especially relevant here is section 4.9 ("ZID and Cache Operation") of
RFC 6189
http://zfoneproject.com/docs/ietf/rfc6189.html#CacheOperation
https://tools.ietf.org/html/rfc6189#page-41

On 30.05.2011 13:06, Emil Ivov wrote:

> It is related to the ZRTP engine and the fact that your correspondent
> has the same ZID as yourself, which, unless you are calling yourself, is
> a problem.

***

The GoogleContacts connection error is not temporary. I get it
consistently since I started my tests last week.

Cheers,
Andreas


#8

Hi Andreas,

On 30/05/11 16:14, Andreas Kuckartz wrote:

> ***
> The GoogleContacts connection error is not temporary. I get it
> consistently since I started my tests last week.

We will look at this issue this week if we have time or next week.

Regards,
--
Seb



#9

On 30.05.11 16:14, Andreas Kuckartz wrote:

> On 30.05.2011 13:06, Emil Ivov wrote:
>
>> It is related to the ZRTP engine and the fact that your correspondent
>> has the same ZID as yourself, which, unless you are calling yourself, is
>> a problem.
>
> The ZID is fixed ("GNUZRTP4J.zid") in this file:
> https://svn.java.net/svn/jitsi~svn/trunk/src/net/java/sip/communicator/impl/neomedia/ZrtpControlImpl.java
>
> Maybe a different ZID per instance of ZrtpControlImpl would solve that
> problem but I did not yet have a closer look.

I believe ZIDs are supposed to stay the same or else users would have to
check the SAS on every call.

Emil


#10

Yes, the ZID should not change or a new one must somehow be related to
the old one.

I would be satisfied if the error message indicated the reason
why ZRTP does not work and I now think that this would be a better solution.

Cheers,
Andreas

On 31.05.2011 14:14, Emil Ivov wrote:

> I believe ZIDs are supposed to stay the same or else users would have to
> check the SAS on every call.
>
> Emil


#11

To quote from section 4.9 ("ZID and Cache Operation") of RFC 6189:

"However, it is specifically not precluded for an implementation to use
multiple ZIDs, up to the limit of a separate one per callee. This then
turns it into a long-lived "association ID" that does not apply to any
other associations between a different pair of parties."
http://zfoneproject.com/docs/ietf/rfc6189.html#CacheOperation

But as I wrote in the mail before, I think that an informative error
message would be ok.

Cheers,
Andreas



#12

On 31.05.11 21:49, Andreas Kuckartz wrote:

> But as I wrote in the mail before, I think that an informative error
> message would be ok.

We're already showing a popup when this happens (attached).

Aren't you seeing this (or a variation of it)?

Emil


#13

Hi all,

I just got the emails and read through the thread: the current ZRTP implementation
uses _one_ ZID per (Jitsi + user id). The file that stores the ZID and all
other cacheable information is located in "GNUZRTP4J.zid" which is in the
.sip_communicator subdir, usually located in a user's HOME directory.

If you use _one_ Jitsi instance, and this implies one user, then ZRTP
does not work. Using the same ZID for sender and receiver is explicitly
forbidden according to RFC 6189. The ZRTP implementation checks this and
returns an error code which leads to the warning that Emil already mentioned
in another email.

The problem with these warning windows/pop-ups (seems a generic Jitsi problem):
they appear (at least in my KDE environment) on the taskbar or just above the taskbar
at the Jitsi logo. Sometimes the text is barely readable and the window disappears
without any user action/confirmation. This was the behaviour some time ago.
IMHO this sort of Error messages should use a popup window and ask the user
for confirmation (Alert window). Some time ago this was the case, then these Error
messages went to the taskbar. I need to re-check if this behaviour is still the same.

Best regards,
Werner
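
The check described in the message above, as an added example (not Jitsi or GNU ZRTP4J code, and not part of the original thread): a client rejects a peer Hello that carries its own ZID, while instances with separate configuration directories get distinct ZIDs. The file name `example.zid`, its one-ZID layout and the function names are assumptions; the Hello field offsets and the error codes 0x90 and 0x10 follow RFC 6189.

```python
import os
import struct
import tempfile

ZID_LEN = 12              # RFC 6189: the ZID is 96 bits
HELLO_ZID_OFFSET = 64     # header 4 + type 8 + version 4 + client id 16 + H3 32
ERR_EQUAL_ZIDS = 0x90     # RFC 6189 error code "Equal ZIDs in Hello"
ERR_MALFORMED = 0x10      # RFC 6189 error code "Malformed packet"


def load_or_create_zid(config_dir):
    """Return the ZID persisted in config_dir, creating a random one on first use."""
    # Assumption: a simplified one-ZID file, not the real GNUZRTP4J.zid layout.
    path = os.path.join(config_dir, "example.zid")  # hypothetical file name
    if os.path.exists(path):
        with open(path, "rb") as fh:
            return fh.read(ZID_LEN)
    zid = os.urandom(ZID_LEN)
    with open(path, "wb") as fh:
        fh.write(zid)
    return zid


def build_hello(zid):
    """Build a constructed Hello with empty algorithm lists (sample input only)."""
    body = (b"Hello   " + b"1.10" + b"ExampleClient".ljust(16) +
            bytes(32) +   # hash image H3, zeroed in this sample
            zid +
            bytes(4) +    # flags and algorithm counts, all zero
            bytes(8))     # MAC, zeroed in this sample
    return struct.pack("!HH", 0x505A, (4 + len(body)) // 4) + body


def check_peer_hello(local_zid, hello):
    """Return None if the peer Hello is acceptable, else a ZRTP error code."""
    if len(hello) < HELLO_ZID_OFFSET + ZID_LEN or hello[4:12] != b"Hello   ":
        return ERR_MALFORMED
    peer_zid = hello[HELLO_ZID_OFFSET:HELLO_ZID_OFFSET + ZID_LEN]
    return ERR_EQUAL_ZIDS if peer_zid == local_zid else None


def demo():
    """One shared config dir on both call legs fails; separate dirs pass."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        zid_a, zid_a_again, zid_b = (load_or_create_zid(d) for d in (a, a, b))
        same = check_peer_hello(zid_a, build_hello(zid_a_again))
        separate = check_peer_hello(zid_a, build_hello(zid_b))
    return same, separate
```

`demo()` returns the result for a call between two accounts sharing one configuration directory, followed by the result for two separate directories.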



#14

There is a problem with the notifications / popups.

Depending on the Pop-Up option the notification text shown is
incomplete. After I changed the Pop-Up option from "Auto" to
"freedesktop.org Desktop-Benachrichtigungen" I can see the complete
text. But when I use "Auto" (the default) or "Jitsi Pop-Ups" the text is
not completely shown: two lines are shown and the last words are cut off.

I also failed to find the text of the notification in the log.

Cheers,
Andreas

On 01.06.2011 13:09, Emil Ivov wrote:

> We're already showing a popup when this happens (attached).
>
> Aren't you seeing this (or a variation of it)?
>
> Emil


#15

On 04.06.11 18:11, Werner Dittmann wrote:

> The problem with these warning windows/pop-ups (seems a generic Jitsi problem):
> they appear (at least in my KDE environment) on the taskbar or just above the taskbar
> at the Jitsi logo. Sometimes the text is barely readable and the window disappears
> without any user action/confirmation. This was the behaviour some time ago.
> IMHO this sort of Error messages should use a popup window and ask the user
> for confirmation (Alert window).

Agreed. We'll try to fix this for ZRTP in particular and move ZRTP
errors to the call dialog.

Emil


#16

An addition:

Sometimes German language notifications are shown with at most three
lines of text. But sometimes the text does not fit in these three lines
(German text generally is longer than corresponding English text).

Cheers,
Andreas

On 03.06.2011 07:58, Andreas Kuckartz wrote:

> There is a problem with the notifications / popups.
>
> Depending on the Pop-Up option the notification text shown is
> incomplete. After I changed the Pop-Up option from "Auto" to
> "freedesktop.org Desktop-Benachrichtigungen" I can see the complete
> text. But when I use "Auto" (the default) or "Jitsi Pop-Ups" the text is
> not completely shown: two lines are shown and the last words are cut off.
>
> I also failed to find the text of the notification in the log.
>
> Cheers,
> Andreas