[jitsi-dev] trust a self-signed certificate


#1

Hi,

I use SSL for HTTPS Jitsi provisioning and to connect to a local jabber server.
When Jitsi is launched it asks the user whether or not to trust the self-signed certificates. There's also a check box to "permanently" trust these certificates. However, whenever the user logs out and re-logs into his/her Windows session and Jitsi is launched, the same certificate warning windows appear.
How can I avoid this? How can I truly "trust" these certificates forever?

Note that if the user does not log off Windows, and even if Jitsi is restarted, the certificate warning windows don't appear if "permanently trust" was selected. The popups only appear if the user logs out or reboots.

Does Jitsi use some kind of trust store? Where is it saved on disk? Why do you think it's being ignored if user reopens Windows session?

Thanks,

Vieri


#2

I use SSL for HTTPS Jitsi provisioning and to connect to a local jabber
server. When Jitsi is launched it asks the user whether or not to trust the
self-signed certificates. There's also a check box to "permanently"
trust these certificates. However, whenever the user logs out and
re-logs into his/her Windows session and Jitsi is launched, the same
certificate warning windows appear. How can I avoid this? How can I
truly "trust" these certificates forever?

Note that if the user does not log off Windows, and even if Jitsi is
restarted, the certificate warning windows don't appear if "permanently
trust" was selected. The popups only appear if the user logs out or reboots.

Do you delete your sip-communicator.properties after logout?

Does Jitsi use some kind of trust store? Where is it saved on disk? Why do
you think it's being ignored if user reopens Windows session?

The certificate-pinning is done with a property and the sha1-hash of the
certificate:
net.java.sip.communicator.impl.certservice.param._xmpp-client.example.com=22e50eeeaf2daf8e440377196c4d95734dee94d9
net.java.sip.communicator.impl.certservice.param.example.com=22e50eeeaf2daf8e440377196c4d95734dee94d9

I don't know your environment, but if you use a Windows domain it would be
worthwhile to deploy the certificate of your server using a group policy (so
that Windows trusts it) and then let Jitsi use the Windows truststore.

Thanks,
Vieri

Ingo
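Added example, not code from Ingo's post or from Jitsi itself: it shows how to turn a certificate into the pinning property Ingo describes, and how a client-side check against sip-communicator.properties would use it. It assumes (assumption, not confirmed by the thread) that the pinned value is SHA-1 over the certificate's DER encoding, i.e. the same fingerprint `openssl x509 -noout -fingerprint -sha1` prints without the colons. The "certificates" embedded below are constructed placeholders (base64 of a few bytes), not real X.509 data, so the property key format and the comparison can be exercised offline.

```python
import base64
import hashlib
import hmac
import re

# Property-key prefix quoted in Ingo's reply (from the thread).
PIN_PREFIX = "net.java.sip.communicator.impl.certservice.param."

# Constructed placeholder "certificates": PEM armour around base64 of b"abc"
# and b"abd". Not real certificates; they only stand in for the DER body.
CONSTRUCTED_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
OTHER_PEM = "-----BEGIN CERTIFICATE-----\nYWJk\n-----END CERTIFICATE-----\n"

# Constructed sample of what a provisioned sip-communicator.properties could
# contain: one unrelated key from the thread plus two pins for the placeholder.
SAMPLE_PROPERTIES = """\
# written by the provisioning server
provisioning.ALLOW_PREFIX=net.java|org.ice4j|java.net|plugin.addrbook
net.java.sip.communicator.impl.certservice.param._xmpp-client.example.com=A9993E364706816ABA3E25717850C26C9CD0D89D
net.java.sip.communicator.impl.certservice.param.example.com=a9993e364706816aba3e25717850c26c9cd0d89d
"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body to DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def sha1_fingerprint(pem: str) -> str:
    """Assumption: the pin is SHA-1 over the DER encoding, lowercase hex."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest()


def pin_property(host: str, pem: str) -> str:
    """One property line to ship via provisioning or to put in the properties file."""
    return f"{PIN_PREFIX}{host}={sha1_fingerprint(pem)}"


def load_pins(properties_text: str) -> dict:
    """Collect host -> fingerprint from properties text; other keys are ignored.
    Values are normalised to lowercase so a hand-typed uppercase hash still matches."""
    pins = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.startswith(PIN_PREFIX):
            pins[key[len(PIN_PREFIX):]] = value.strip().lower()
    return pins


def is_pinned(host: str, pem: str, pins: dict) -> bool:
    """True only when a pin exists for host and the presented certificate matches it.
    No pin at all means "not yet trusted": the caller should fall back to the
    normal trust prompt rather than silently accept."""
    expected = pins.get(host)
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha1_fingerprint(pem))


if __name__ == "__main__":
    pins = load_pins(SAMPLE_PROPERTIES)
    print(pin_property("example.com", CONSTRUCTED_PEM))
    print("example.com pinned:", is_pinned("example.com", CONSTRUCTED_PEM, pins))
    print("other host pinned:", is_pinned("other.example.org", CONSTRUCTED_PEM, pins))
```

The point for the thread is the persistence check: if the `param.<host>` line is present in the file after a Windows re-login, the prompt should not reappear; if it is missing, whatever rewrote or replaced sip-communicator.properties at logon is the thing to look for, not the pin format.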


#3

Thanks for pointing that out.

I provision each client via HTTPS but I don't zero-out net.java.sip.communicator.impl.certservice.*. I understand that this way the certificate trust should persist between Jitsi sessions. And it does... just as long as I don't re-login to Windows.

Here's how I'm provisioning:

echo "net.java.sip.communicator.impl.gui.main.MainFrame=\${null}\n";
echo "net.java.sip.communicator.impl.protocol=\${null}\n";
echo "net.java.sip.communicator.impl.ldap=\${null}\n";
echo "net.java.sip.communicator.impl.neomedia=\${null}\n";
echo "net.java.sip.communicator.packetlogging=\${null}\n";
echo "net.java.sip.communicator.plugin.provisioning=\${null}\n";
echo "net.java.sip.communicator.plugin.updatechecker=\${null}\n";
echo "net.java.sip.communicator.util.dns=\${null}\n";
echo "net.java.sip.communicator.impl.notifications=\${null}\n";
echo "net.java.sip.communicator.plugin.openmeetings=\${null}\n";
echo "net.java.sip.communicator.service.gui.SINGLE_WINDOW_INTERFACE_ENABLED=\${null}\n";

echo "provisioning.ALLOW_PREFIX=net.java|org.ice4j|java.net|plugin.addrbook\n";

// ... set properties here

echo "provisioning.ENFORCE_PREFIX=net.java|org.ice4j|java.net|plugin.addrbook\n";

When Jitsi first starts all the properties are as expected, so are the net.java.sip.communicator.impl.certservice.* properties. If I exit Jitsi and start it again then sip-communicator.properties is updated but the net.java.sip.communicator.impl.certservice.* properties are preserved. However, if I reboot the PC then the net.java.sip.communicator.impl.certservice.* properties are not there anymore.

As far as I know there's nothing on my domain that's resetting this file (no scripts or policies).
It's odd.

Thanks anyway. I'll do some more checks.
I'd rather not use domain group policies for this.

Vieri


--- On Tue, 4/16/13, Ingo Bauersachs <ingo@jitsi.org> wrote:

The certificate-pinning is done with a property and the sha1-hash of the
certificate:
net.java.sip.communicator.impl.certservice.param._xmpp-client.example.com=22e50eeeaf2daf8e440377196c4d95734dee94d9
net.java.sip.communicator.impl.certservice.param.example.com=22e50eeeaf2daf8e440377196c4d95734dee94d9


#4

Hi,

Just wanted to let you know that the net.java.sip.communicator.impl.certservice.* properties are now being preserved as expected even after Windows users re-login. I don't know yet what was causing this before but it wasn't Jitsi's fault.

Sorry for the noise.

Vieri