[jitsi-dev] SSL errors when connecting from Windows Jitsi but no other client


#1

Basically Jitsi uses the trusted certificates of Windows, which would most
probably validate the Comodo CA. Your server then needs to deliver the
actual certificate and any intermediates (i.e. the entire chain, except the
root) and it must be issued to one of (as CN or as SubjectAltName):
- example.org
- *.example.org
- _xmpp-client.example.org

The SRV-record and the actual hostname are irrelevant for the certificate
checking process.

As it even works on Windows XP, I assume this is okay on the server. The
only option I could imagine then is that your specific Windows 7
installation doesn't recognize the Comodo CA as a trusted CA. This can AFAIK
happen when the system is a fresh installation and you haven't surfed to any
SSL secured websites with either Internet Explorer, Chrome or another
application that correctly uses the CAPI. Unfortunately the JRE doesn't use
the Windows API correctly and then fails the validation instead of
downloading the CA automatically.

Can you try surfing to any website that has a Comodo CA issued certificate
with IE and try again?

Ingo

···

-----Original Message-----
From: dev-bounces@jitsi.org [mailto:dev-bounces@jitsi.org] On Behalf Of
gerpder@openmailbox.org
Sent: Mittwoch, 11. Juni 2014 18:46
To: dev@jitsi.org
Subject: [jitsi-dev] SSL errors when connecting from Windows Jitsi but no
other client

Hello Devs

I am having problems with the Jitsi client and SSL certificates, which
appears to be a bug in Jitsi when using Windows 7.

Can anyone suggest a solution?

Background
-----------

I run a prosody server (0.94) on Ubuntu. This has been checked against
xmpp.net for both s2s and c2s connections and shows no errors.

- The host running prosody is called: xmpp.example.org
- Prosody is set up with a wildcard certificate from Comodo
- I have a SRV record which points:
   _xmpp-client._tcp.example.org. 1800 IN SRV 0 5 5222 xmpp.example.org
- users connect with their account: test@example.org

Issue
------

If I use Windows 7 and Jitsi 2.4(.4997) with JRE 7u55 or 7u60, I get
certificate errors

   Jitsi can't verify the identity of the server when connecting to
   example.org, _xmpp-client.example.org

This seems to be an error with Jitsi and Windows 7 as I have successfully
connected to the prosody server with the user "test@example.org" using the
following clients, none of which give
errors:

- windows 7/ pidgin 2.10.9
- windows 7/ gajim 0.16rc1
- windows xp / jitsi 2.4 (with jre 7u55 and 7u60)
- ubuntu / gajim 0.16rc1
- ubuntu / jitsi 2.5

[NOTE: I have replaced all host and domain names for privacy reasons, this
in no way changes the outcome]

_______________________________________________
dev mailing list
dev@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/dev
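The two server-side conditions Ingo lists (certificate issued to the JID domain in one of the three accepted name forms, full chain sent minus the root) and the client-side trust-store gap, modelled offline as an added Python example; this is not Jitsi or Prosody code, and every subject/issuer name in it is a constructed placeholder rather than the poster's real Comodo certificate.

```python
# Added example, not Jitsi or Prosody code: an offline model of the checks
# Ingo describes. All subject/issuer names are constructed dummies, not
# the poster's real Comodo certificate.

XMPP_DOMAIN = "example.org"  # domain part of test@example.org; the SRV
                             # target xmpp.example.org is never checked


def identity_matches(domain, cn, sans):
    """True if the leaf is issued to the XMPP domain, as CN or as any SAN,
    in one of the three forms listed in the thread (case-insensitive)."""
    d = domain.lower().rstrip(".")
    wanted = {d, "*." + d, "_xmpp-client." + d}
    presented = {n.lower().rstrip(".") for n in [cn, *sans]}
    return bool(wanted & presented)


def chain_problem(chain, trusted_roots):
    """chain: (subject, issuer) pairs as the server sends them, leaf first.
    Each issuer must be the next cert's subject and the final issuer must
    already be in the client's trust store; the root itself is not sent.
    Returns None when fine, else the reason (missing intermediate or an
    untrusted/absent root)."""
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return "chain broken after %r" % issuer
    last_issuer = chain[-1][1]
    if last_issuer not in trusted_roots:
        return "%r is not in the client's trust store" % last_issuer
    return None


def verify(domain, cn, sans, chain, trusted_roots):
    """Combined verdict as (ok, reason)."""
    if not identity_matches(domain, cn, sans):
        return False, "certificate not issued to %s" % domain
    problem = chain_problem(chain, trusted_roots)
    return problem is None, problem


# Constructed chain: wildcard leaf plus one intermediate, root omitted.
LEAF_CN, LEAF_SANS = "*.example.org", ["*.example.org", "example.org"]
CHAIN = [("CN=*.example.org", "CN=Example Intermediate CA"),
         ("CN=Example Intermediate CA", "CN=Example Root CA")]

if __name__ == "__main__":
    # Same server, two client trust stores: with and without the root
    # (the latter is the Windows 7 symptom discussed in the thread).
    print(verify(XMPP_DOMAIN, LEAF_CN, LEAF_SANS, CHAIN, {"CN=Example Root CA"}))
    print(verify(XMPP_DOMAIN, LEAF_CN, LEAF_SANS, CHAIN, set()))
```

The second call fails only because of the client's trust store, which is exactly the situation where the server-side checks all pass but a fresh Windows installation still rejects the connection.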


#2

> Your server then needs to deliver the
> actual certificate and any intermediates (i.e. the entire chain, except the
> root) and it must be issued to one of (as CN or as SubjectAltName):
> - example.org
> - *.example.org
> - _xmpp-client.example.org

Yes, it is for CN of *.example.org and a SAN of example.org. The cert also serves up https as well as xmpp; the https does not display any errors.

> The SRV-record and the actual hostname are irrelevant for the certificate
> checking process.

Yes, I mention it as the error hints at it.

> This can AFAIK
> happen when the system is a fresh installation and you haven't surfed to any
> SSL secured websites with either Internet Explorer, Chrome or another
> application that correctly uses the CAPI.

IE would never have been used on these systems, only Mozilla Firefox.

> Can you try surfing to any website that has a Comodo CA issued certificate
> with IE and try again?

So doing that on the systems (two so far) and going to www.example.org and comodo.com results in the same error.

I did connect to www.example.org on a Windows 7/IE (with no JRE installed?! did not know that was possible) that never had Jitsi, then installed Jitsi and it worked fine. Of course this may not be a conclusive test as I can't go back and try without the visit to the websites with Comodo certs.

···

On 2014-06-11 13:06, Ingo Bauersachs wrote:


#3

Jitsi comes with its own private JRE, so you don't need to have one
installed on the system. If the certificate works on a system where you've
been to comodo.com (or similar) then, it is very likely that the Comodo
certificate has been downloaded there and added to the trusted cert store,
while it has not (or has been purposely removed) on the system where it
doesn't work.

You could switch to Java's own certificate store, but as this is only
updated with a new Jitsi AND JRE version, I would advise not to use it.

To further search for what happens, you could enable the CAPI logging in
Windows' event viewer and see if or why the download of a CA cert fails.
Other than that, I cannot recommend anything else.

Ingo

PS: sorry for the bad reply style, I'm on the road with no proper mail
client.

···

-----Original Message-----
From: gerpder@openmailbox.org [mailto:gerpder@openmailbox.org]
Sent: Mittwoch, 11. Juni 2014 22:35
To: Jitsi Developers
Cc: Ingo Bauersachs
Subject: Re: [jitsi-dev] SSL errors when connecting from Windows Jitsi but
no other client



#4

Thanks for the help, Ingo. I've not had a chance to test further but have a question about this.

How is the security of the private JRE handled? Is it affected by bugs in the Oracle JRE, and if so, how do you deal with updates?

I ask as there have been two Oracle JRE upgrades (7u55 and 7u60) to fix serious issues this year, but I look and see that Windows Jitsi has not had a new release since January.

···

On 2014-06-13 09:12, Ingo Bauersachs wrote:



#5

Coming back to this. I've noticed now that if I use Jitsi on its own (no Oracle JRE), it will log in fine the first time I set up the account, but the next time I log in it gives the cert warning.

This is the same warning I get when I use Jitsi and the Oracle JRE.

···

On 2014-06-13 09:12, Ingo Bauersachs wrote:
