[jitsi-dev] XMPP SSL Certificate Glitch


#1

I am running Windows 8 x64 + Jitsi 2.4.4997 x6 + Openfire 3.8.2

How to Reproduce:
Setup Openfire to Require Secure Connection.
Setup Openfire to use RSA certificate signed by Company's Internal Enterprise CA
Use SRV records so that can use company's domain name for Jitsi usernames in format xxx.xxx@domain.com
Open Jitsi and connect to Openfire server

Actual Outcome: Jitsi will alert that certificate is "untrusted" even though showing details of certificate shows correct certificate issued by our company's CA with 2016 expiration date.

Expected Outcome: Jitsi should not be saying this certificate is untrusted since the cert's Root CA is trusted and the certificate is valid.

Workaround #1:

1. Click "Cancel" instead of "Ignore Certificate" when get "untrusted" certificate dialog

2. Exit Jitsi

3. Open Jitsi and Jitsi will auto connect to server successfully and never mentioned "untrusted" cert again

Workaround #2:

1. Before setting up initial account, go to Options --> Advanced --> TLS Configuration

2. Radio button by default is "Windows"

3. Select "Java"

4. Select "Windows"

5. Close Settings

6. Now connect to XMPP server and will not see "untrusted" warning

Workaround #3:

1. Add *net.java.sip.communicator.service.cert.truststore.type=Windows-ROOT to jitsi-defaults.properties

2. Delete sip-communicator.properties

3. Open Jitsi and connect to XMPP server and will not see "untrusted" warning

Workaround #4 (similar to #1 & #2)

1. Attempt to connect to Openfire server for first time

2. Click "Cancel" instead of "Ignore Certificate" when get "untrusted" certificate dialog

3. Go to Options --> Advanced --> TLS Configuration

4. Radio button by default is "Windows"

5. Select "Java"

6. Select "Windows"

7. Close Settings

8. Without closing Jitsi, now select Offline --> Online for your XMPP account and it should connect without giving any cert warning

Aaron


#2

I am running Windows 8 x64 + Jitsi 2.4.4997 x6 + Openfire 3.8.2

How to Reproduce:

Setup Openfire to Require Secure Connection.

Setup Openfire to use RSA certificate signed by Company's Internal Enterprise CA

Use SRV records so that can use company's domain name for Jitsi usernames in format xxx.xxx@domain.com

Open Jitsi and connect to Openfire server

Actual Outcome: Jitsi will alert that certificate is "untrusted" even though showing details of certificate shows correct certificate issued by our company's CA with 2016 expiration date.

Expected Outcome: Jitsi should not be saying this certificate is untrusted since the cert's Root CA is trusted and the certificate is valid.

The property to use the Windows truststore was set on the first launch, but
not actually used, like you observed. This is now fixed and should be
available in the next nightly build.
Thanks for noticing this!

Since you're modifying the jitsi-defaults.properties, you can use it as a
workaround by setting
net.java.sip.communicator.service.cert.truststore.type=Windows-ROOT

Workaround #1:
[...]
Aaron

Ingo
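
A way to confirm, outside Jitsi, that the server certificate chains to a root Java can see through the `Windows-ROOT` store named in the property above. This is an added example, not Jitsi code and not part of the original thread; it assumes a Windows JRE with the SunMSCAPI provider, and `chain.pem` is a hypothetical file holding the exported Openfire certificate followed by any intermediates.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

public class WindowsRootCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java WindowsRootCheck <chain.pem>");
            System.exit(2);
        }
        KeyStore roots;
        try {
            // "Windows-ROOT" is served by the SunMSCAPI provider (Windows JREs only).
            roots = KeyStore.getInstance("Windows-ROOT");
        } catch (KeyStoreException e) {
            System.err.println("Windows-ROOT keystore not available: " + e.getMessage());
            System.exit(2);
            return;
        }
        roots.load(null, null);
        System.out.println("Trusted roots visible to Java: " + roots.size());

        // Read leaf + intermediates (leaf first). A self-signed root in the file is
        // skipped: the trust anchor must come from the Windows store, not the file.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                if (!x.getSubjectX500Principal().equals(x.getIssuerX500Principal())) chain.add(x);
            }
        }
        if (chain.isEmpty()) {
            System.err.println("No non-root certificates found in " + args[0]);
            System.exit(2);
        }
        PKIXParameters params = new PKIXParameters(roots);
        params.setRevocationEnabled(false); // path and validity dates only; no CRL/OCSP lookup
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
            System.out.println("TRUSTED via " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            System.out.println("UNTRUSTED: " + e.getMessage());
        }
    }
}
```

If this reports TRUSTED while the client still shows the "untrusted" dialog, the client is not consulting the Windows store, which matches the behaviour described in this thread.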