[jitsi-users] JIGASI connecting using TLS and SRTP


#1

Checked.

If you remove that property then the SIP registration breaks using untrusted certificates [*] during the TLS handshake: net.java.sip.communicator.impl.protocol.sip.SipRegistrarConnection.register(SipRegistrarConnection.java:268)

In the opposite case, when you are using a valid and trusted certificate, the SIP registration works as usual. Since the moment that the net.java.sip.communicator.service.gui.ALWAYS_TRUST_MODE_ENABLED is a property which can be set in the

I posted a Pull-Request (https://github.com/jitsi/jigasi/pull/35) in the code just a couple of minutes ago. The idea is to move this setup to the configuration file in order to avoid recompiling the code. If you are interested we could extend all this work with some pending stuff like:

  - trust the certificate if the peer IP is XXX.XXX.XXX.XXX (range)
  - avoid checking the expiration date
  - ...

In an ideal world, all those checks are not desired, but in the real world most of the time a sysadmin must deal with self-signed certificates or similar.

[*] Backtrace:

2016-06-04 09:00:38.783 INFO: [32] impl.certificate.CertificateServiceImpl.checkCertTrusted().857 Untrusted certificate
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
  at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
  at sun.security.validator.Validator.validate(Validator.java:260)
  at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
  at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
  at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:107)
  at net.java.sip.communicator.impl.certificate.CertificateServiceImpl$3.checkCertTrusted(CertificateServiceImpl.java:755)
  at net.java.sip.communicator.impl.certificate.CertificateServiceImpl$3.checkServerTrusted(CertificateServiceImpl.java:720)
  at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:885)
  at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1454)
  at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:213)
  at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
  at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
  at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1035)
  at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1344)
  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
  at gov.nist.javax.sip.stack.IOHandler.getLocalAddressForTlsDst(IOHandler.java:223)
  at gov.nist.javax.sip.stack.SIPTransactionStack.getLocalAddressForTlsDst(SIPTransactionStack.java:668)
  at net.java.sip.communicator.impl.protocol.sip.SipStackSharing.getLocalAddressForDestination(SipStackSharing.java:1177)
  at net.java.sip.communicator.impl.protocol.sip.ProtocolProviderServiceSipImpl.getLocalViaHeaders(ProtocolProviderServiceSipImpl.java:1254)
  at net.java.sip.communicator.impl.protocol.sip.SipMessageFactory.createRegisterRequest(SipMessageFactory.java:1094)
  at net.java.sip.communicator.impl.protocol.sip.SipRegistrarConnection.register(SipRegistrarConnection.java:268)
  at net.java.sip.communicator.impl.protocol.sip.ProtocolProviderServiceSipImpl.registerUsingNextAddress(ProtocolProviderServiceSipImpl.java:2650)
  at net.java.sip.communicator.impl.protocol.sip.ProtocolProviderServiceSipImpl.register(ProtocolProviderServiceSipImpl.java:371)
  at org.jitsi.jigasi.RegisterThread.run(RegisterThread.java:58)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
  at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
  ... 25 more
2016-06-04 09:00:38.784 SEVERE: [32] impl.protocol.sip.ProtocolProviderServiceSipImpl.getLocalViaHeaders().1296 Unable to create a via header for port 5060
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: The peer provided certificate with Subject <O=Internet Widgits Pty Ltd, ST=Coruna, C=ES> is not trusted
  at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
  at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1916)
  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
  at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1472)
  at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:213)
  at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)
  at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)
  at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1035)
  at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1344)
  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371)
  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
  at gov.nist.javax.sip.stack.IOHandler.getLocalAddressForTlsDst(IOHandler.java:223)
  at gov.nist.javax.sip.stack.SIPTransactionStack.getLocalAddressForTlsDst(SIPTransactionStack.java:668)
  at net.java.sip.communicator.impl.protocol.sip.SipStackSharing.getLocalAddressForDestination(SipStackSharing.java:1177)
  at net.java.sip.communicator.impl.protocol.sip.ProtocolProviderServiceSipImpl.getLocalViaHeaders(ProtocolProviderServiceSipImpl.java:1254)
  at net.java.sip.communicator.impl.protocol.sip.SipMessageFactory.createRegisterRequest(SipMessageFactory.java:1094)
  at net.java.sip.communicator.impl.protocol.sip.SipRegistrarConnection.register(SipRegistrarConnection.java:268)
  at net.java.sip.communicator.impl.protocol.sip.ProtocolProviderServiceSipImpl.registerUsingNextAddress(ProtocolProviderServiceSipImpl.java:2650)
  at net.java.sip.communicator.impl.protocol.sip.ProtocolProviderServiceSipImpl.register(ProtocolProviderServiceSipImpl.java:371)
  at org.jitsi.jigasi.RegisterThread.run(RegisterThread.java:58)
Caused by: java.security.cert.CertificateException: The peer provided certificate with Subject <O=Internet Widgits Pty Ltd, ST=Coruna, C=ES> is not trusted
  at net.java.sip.communicator.impl.certificate.CertificateServiceImpl$3.checkCertTrusted(CertificateServiceImpl.java:860)
  at net.java.sip.communicator.impl.certificate.CertificateServiceImpl$3.checkServerTrusted(CertificateServiceImpl.java:720)
  at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:885)
  at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1454)
  ... 16 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
  at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
  at sun.security.validator.Validator.validate(Validator.java:260)
  at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
  at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
  at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:107)
  at net.java.sip.communicator.impl.certificate.CertificateServiceImpl$3.checkCertTrusted(CertificateServiceImpl.java:755)
  ... 19 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
  at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
  ... 25 more
2016-06-04 09:00:38.785 INFO: [32] org.jitsi.jigasi.SipGateway.registrationStateChanged().170 REG STATE CHANGE ProtocolProviderServiceSipImpl(jitsi@mycompanydomain.com (SIP)) -> RegistrationStateChangeEvent[ oldState=Registering; newState=RegistrationState=Unregistered; reasonCode=0; reason=Unable to create a via header for port 5060]
2016-06-04 09:00:38.786 INFO: [32] impl.protocol.sip.SipLogger.logInfo().196 Info from the JAIN-SIP stack: the sip stack timer gov.nist.javax.sip.stack.timers.DefaultSipTimer has been stopped
2016-06-04 09:00:39.787 INFO: [32] impl.protocol.sip.SipLogger.logInfo().196 Info from the JAIN-SIP stack: the sip stack timer gov.nist.javax.sip.stack.timers.DefaultSipTimer has been stopped


On 2016-06-02 13:48, Ingo Bauersachs wrote:

>> Great, this way works for me! Thanks a lot!
>>
>> By the way, the SSL certificate validation is quite important for us in
>> order to avoid MiM attacks, so if you can suggest me what part of the
>> code is involved in this check I would be pleased to contribute all the
>> required code and functionality.
>
> https://github.com/jitsi/jigasi/blob/master/src/main/java/org/jitsi/jigasi/Main.java#L221
>
> I'm not sure what happens if you simply remove this property. In Jitsi
> Desktop, if the certificate is invalid, a popup would ask the user to
> confirm the connection. However, this confirmation obviously cannot be
> shown in a daemon. So IMO it should simply fail to connect and log it.
> It might already do that, but you'd need to test.
>
> Ingo

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#2

> If you remove that property then the SIP registration breaks using
> untrusted certificates [*] during the TLS handshake:
> net.java.sip.communicator.impl.protocol.sip.SipRegistrarConnection.register(SipRegistrarConnection.java:268)

Good to know and thanks for testing.

> In the opposite case, when you are using a valid and trusted certificate,
> the SIP registration works as usual. Since the moment that the
> net.java.sip.communicator.service.gui.ALWAYS_TRUST_MODE_ENABLED is a
> property which can be set in the
>
> I posted a Pull-Request (https://github.com/jitsi/jigasi/pull/35) in the
> code just a couple of minutes ago. The idea is to move this setup to the
> configuration file in order to avoid recompiling the code.

Thanks. We'll continue the discussion of that directly on GitHub.

> If you are interested we could extend all this work with some
> pending stuff like:
>
>   - trust the certificate if the peer IP is XXX.XXX.XXX.XXX (range)
>   - avoid checking the expiration date
>   - ...
>
> In an ideal world, all those checks are not desired, but in the real world
> most of the time a sysadmin must deal with self-signed certificates or similar.

The CertificateService used from Jitsi Desktop already supports pinning of
an invalid certificate to a domain name (i.e. marking it as trusted
regardless of its properties). I would assume that this works in jigasi too.
It is also possible to change the default Java truststore with the
javax.net.ssl.* system properties.

Shouldn't that suffice to override an invalid cert?

Ingo
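The two alternatives Ingo points at (pinning the registrar's certificate, or giving the JVM its own truststore) both keep PKIX validation switched on while still accepting a self-signed certificate, which is what the original poster's use case needs without the blanket ALWAYS_TRUST_MODE setting. The following is an added example written for this thread, not Jigasi's own code or its CertificateService: it loads the registrar's PEM certificate into a private in-memory truststore, builds an SSLContext whose trust manager accepts only that certificate, and performs the TLS handshake with hostname verification enabled. The PEM path `/etc/jigasi/sip-registrar.pem`, the host `sip.example.com` and port 5061 are placeholders, not values from the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not Jigasi code): connect to a SIP-over-TLS registrar whose
 * certificate is self-signed by pinning that one certificate in a private
 * truststore, instead of disabling certificate validation altogether.
 * Expiry and hostname are still checked; only the issuer requirement is
 * satisfied by the pinned certificate itself.
 */
public final class PinnedSipTls {

    /** Build an in-memory truststore that contains only the registrar's certificate. */
    static KeyStore truststoreFromPem(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate pinned;
        try (InputStream in = new FileInputStream(pemPath)) {
            pinned = (X509Certificate) cf.generateCertificate(in);
        }
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);                          // empty store, nothing from disk
        ts.setCertificateEntry("sip-registrar", pinned);
        return ts;
    }

    /** SSLContext whose PKIX trust manager trusts the pinned certificate and nothing else. */
    static SSLContext contextFor(KeyStore truststore) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Open the TLS connection. startHandshake() throws SSLHandshakeException
     * (as in the backtrace quoted in this thread) if the chain does not end in
     * the pinned certificate, if it is expired, or if the name does not match.
     */
    static SSLSocket connect(SSLContext ctx, String host, int port) throws Exception {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        // Hostname verification against the certificate's SAN/CN; "HTTPS" is the
        // JSSE identifier for RFC 2818-style matching and is not HTTP-specific.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values; replace with the registrar's real PEM, host and TLS port.
        String pem  = args.length > 0 ? args[0] : "/etc/jigasi/sip-registrar.pem";
        String host = args.length > 1 ? args[1] : "sip.example.com";
        int port    = args.length > 2 ? Integer.parseInt(args[2]) : 5061;

        try (SSLSocket socket = connect(contextFor(truststoreFromPem(pem)), host, port)) {
            System.out.println("TLS handshake OK with "
                + socket.getSession().getPeerPrincipal());
        }
    }
}
```

If the whole daemon rather than one socket should trust the registrar, the same certificate can be imported into a file-based truststore with `keytool -importcert -alias sip-registrar -file sip-registrar.pem -keystore jigasi-truststore.jks` and the JVM started with `-Djavax.net.ssl.trustStore=jigasi-truststore.jks`, which is the javax.net.ssl.* route Ingo mentions; either way a changed or expired certificate produces the same PKIX failure shown in the backtrace above instead of being silently accepted.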