[jitsi-dev] Security warnings


#1

I've set up an XMPP server running OpenFire, and I'm testing connecting,
chatting, etc. on it using Jitsi.

I'm noticing a few issues. First, when I first connect to the account, I
get a message talking about TLS certificate not being valid, and whether to
continue anyway.

Then, if I do a desktop sharing or audio call, the call is 'locally put on
hold' and one of the parties has to un-hold the call manually before it can
go through.

Then, I see errors about 'A severe ZRTP problem was detected, your call is
not secure'.

What can I do to secure the server, so that these errors are not generated?

If setting up an SSL is required, is it possible to temporarily disable
these security checks?

Thanks.


#2

> I've set up an XMPP server running OpenFire, and I'm testing connecting,
> chatting, etc. on it using Jitsi.
>
> I'm noticing a few issues. First, when I first connect to the account, I get
> a message talking about TLS certificate not being valid, and whether to
> continue anyway.

Openfire installs self-signed certificates by default. If you haven't changed them, then this is expected behavior.

> Then, if I do a desktop sharing or audio call, the call is 'locally put on
> hold' and one of the parties has to un-hold the call manually before it can
> go through.

This is not normal. Are you testing with two accounts in the same instance of Jitsi? If so, this won't work. If you use two instances on the same computer, at least use different configuration directories (use the command line argument --config-dir=somedir for that).

> Then, I see errors about 'A severe ZRTP problem was detected, your call is
> not secure'.

See above, this is likely because two instances use the same config dir.

> What can I do to secure the server, so that these errors are not generated?

Get a valid certificate for Openfire and use two computers to test.

> If setting up an SSL is required, is it possible to temporarily disable these
> security checks?

You can disable TLS in Openfire and disable Jitsi to require a secure connection. But don't do that.

> Thanks.

Ingo
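
The certificate warning discussed in this reply can be reproduced outside Jitsi. As an added example (not from the thread or from the Jitsi or Openfire projects), these shell functions use the openssl CLI to report whether a saved PEM certificate is self-signed; they go slightly beyond the thread by also checking the name match and expiry. The file name server.pem and the host xmpp.example.test are placeholders.

```shell
#!/bin/sh
# Added example. To inspect a live server, first save the certificate it presents
# (host name is a placeholder; 5222 is the standard XMPP client port):
#   openssl s_client -connect xmpp.example.test:5222 -starttls xmpp </dev/null \
#     | openssl x509 -out server.pem

# Prints "self-signed", "issued-by-other" or "unreadable" for a PEM certificate.
classify_cert() {
    c=$1
    s=$(openssl x509 -in "$c" -noout -subject_hash 2>/dev/null) || { echo unreadable; return 0; }
    i=$(openssl x509 -in "$c" -noout -issuer_hash 2>/dev/null) || { echo unreadable; return 0; }
    # Self-signed: same subject and issuer name, and the signature verifies
    # with the certificate's own key (it is used as its own trust anchor here).
    if [ "$s" = "$i" ] && openssl verify -CAfile "$c" "$c" 2>/dev/null | grep -q ': OK$'; then
        echo self-signed
    else
        echo issued-by-other
    fi
}

# Prints the reasons a client would warn about this certificate for the given
# XMPP domain, space-separated; prints "none" if these three checks pass.
cert_problems() {
    c=$1; domain=$2; out=
    kind=$(classify_cert "$c")
    [ "$kind" = issued-by-other ] || out="$out $kind"
    if [ "$kind" != unreadable ]; then
        openssl x509 -in "$c" -noout -checkhost "$domain" 2>/dev/null \
            | grep -q 'does match' || out="$out name-mismatch"
        openssl x509 -in "$c" -noout -checkend 0 >/dev/null 2>&1 || out="$out expired"
    fi
    echo "${out:-none}" | sed 's/^ //'
}
```

A result of "issued-by-other" only means the certificate is not self-signed; the client still warns unless the issuing CA is in its trust store.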


#3

Thanks for the help Ingo, I was indeed using the same computer. That
must've been the cause.

Can you tell me though, what config directory is used by default? I'm on
Linux, and using IntelliJ to run the program. I tried to add some
properties in resources/default.properties , such as to disable the
Simpleaccreg plugin, however they didn't seem to take effect. Where is the
.properties file located that it's reading from?

On Tue, Dec 2, 2014 at 12:03 PM, Ingo Bauersachs <ingo@jitsi.org> wrote:

> I've set up an XMPP server running OpenFire, and I'm testing connecting,
> chatting, etc. on it using Jitsi.
>
> I'm noticing a few issues. First, when I first connect to the account, I get
> a message talking about TLS certificate not being valid, and whether to
> continue anyway.

Openfire installs self-signed certificates by default. If you haven't
changed them, then this is expected behavior.

> Then, if I do a desktop sharing or audio call, the call is 'locally put on
> hold' and one of the parties has to un-hold the call manually before it can
> go through.

This is not normal. Are you testing with two accounts in the same instance
of Jitsi? If so, this won't work. If you use two instances on the same
computer, at least use different configuration directories (use the command
line argument --config-dir=somedir for that).

> Then, I see errors about 'A severe ZRTP problem was detected, your call is
> not secure'.

See above, this is likely because two instances use the same config dir.

> What can I do to secure the server, so that these errors are not generated?

Get a valid certificate for Openfire and use two computers to test.

> If setting up an SSL is required, is it possible to temporarily disable these
> security checks?

You can disable TLS in Openfire and disable Jitsi to require a secure
connection. But don't do that.

> Thanks.

Ingo

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev


#4

> Thanks for the help Ingo, I was indeed using the same computer. That must've
> been the cause.
>
> Can you tell me though, what config directory is used by default?

https://jitsi.org/Documentation/FAQ#conf

Append -Dnet.java.sip.communicator.SC_HOME_DIR_NAME=Jitsi-dev to your JVM args to change the directory from within your IDE.

> I'm on Linux, and using IntelliJ to run the program. I tried to add some
> properties in resources/default.properties, such as to disable the
> Simpleaccreg plugin, however they didn't seem to take effect. Where is the
> .properties file located that it's reading from?

jitsi-defaults.properties or jitsi-default-overrides.properties (the latter won't be changed by us).

Ingo


#5

The file seems to be jitsi-defaults.properties. Thanks.

On Tue, Dec 2, 2014 at 3:35 PM, Ali Akhtar <ali.rac200@gmail.com> wrote:

> Thanks for the help Ingo, I was indeed using the same computer. That
> must've been the cause.
>
> Can you tell me though, what config directory is used by default? I'm on
> Linux, and using IntelliJ to run the program. I tried to add some
> properties in resources/default.properties, such as to disable the
> Simpleaccreg plugin, however they didn't seem to take effect. Where is the
> .properties file located that it's reading from?
