[jitsi-users] jit.si XMPP server presents untrusted certificate


#1

I mentioned this issue in a reply to another message thread, but I think
it merits a new thread of its own.

When I launch Jitsi and it attempts to log into my jit.si XMPP account,
the application warns that the certificate is invalid. See the attached
screenshot.

The certificate in question was issued on 21 August 2014 and has the
following fingerprints:

SHA1: 8114126eb2ed082f33cc2179326bf8ab8c7b7435
MD5: a18643db2d8116d647600faf9015ab3f

Is anyone else experiencing this? Is this certificate legitimate? If so,
why does Jitsi report it as untrusted? Is the certificate pinned in the
application and hasn't been updated to reflect the issuance of a new
certificate on 21 August? Or am I being targeted with a MITM attack?

···

--
George W. Maschke
http://www.georgemaschke.net
Twitter: georgemaschke
PGP Public Key: 316A947C
Encrypted voice & text chat (XMPP via Jitsi): georgemaschke@jit.si
Surespot: georgemaschke


#2

Is there a way to see the certificate once a connection is established with Jitsi? I am running the linux version.

Robert

···

On Sun, 14 Sep 2014 08:37:17 +0000 George Maschke <georgemaschke@posteo.de> wrote:

I mentioned this issue in a reply to another message thread, but I think
it merits a new thread of its own.

When I launch Jitsi and it attempts to log into my jit.si XMPP account,
the application warns that the certificate is invalid. See the attached
screenshot.

The certificate in question was issued on 21 August 2014 and has the
following fingerprints:

SHA1: 8114126eb2ed082f33cc2179326bf8ab8c7b7435
MD5: a18643db2d8116d647600faf9015ab3f

Is anyone else experiencing this? Is this certificate legitimate? If so,
why does Jitsi report it as untrusted? Is the certificate pinned in the
application and hasn't been updated to reflect the issuance of a new
certificate on 21 August? Or am I being targeted with a MITM attack?

--
George W. Maschke
http://www.georgemaschke.net
Twitter: georgemaschke
PGP Public Key: 316A947C
Encrypted voice & text chat (XMPP via Jitsi): georgemaschke@jit.si
Surespot: georgemaschke


#3

tools --> connection info --> select your account --> view certificate

MS
(using latest nightly build on Debian testing)

···

On 9/14/14 3:41 PM, Robert Webb wrote:

Is there a way to see the certificate once a connection is established
with Jitsi? I am running the linux version.

Robert

On Sun, 14 Sep 2014 08:37:17 +0000 > George Maschke <georgemaschke@posteo.de> wrote:

I mentioned this issue in a reply to another message thread, but I think
it merits a new thread of its own.

When I launch Jitsi and it attempts to log into my jit.si XMPP account,
the application warns that the certificate is invalid. See the attached
screenshot.

The certificate in question was issued on 21 August 2014 and has the
following fingerprints:

SHA1: 8114126eb2ed082f33cc2179326bf8ab8c7b7435
MD5: a18643db2d8116d647600faf9015ab3f

Is anyone else experiencing this? Is this certificate legitimate? If so,
why does Jitsi report it as untrusted? Is the certificate pinned in the
application and hasn't been updated to reflect the issuance of a new
certificate on 21 August? Or am I being targeted with a MITM attack?

--
George W. Maschke
http://www.georgemaschke.net
Twitter: georgemaschke
PGP Public Key: 316A947C
Encrypted voice & text chat (XMPP via Jitsi): georgemaschke@jit.si
Surespot: georgemaschke

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#4

That option does not exist on Fedora Linux 20 with Jitsi version 2.5.5065.

Robert

···

On Sun, 14 Sep 2014 19:46:13 +0300 "Mr.Smith" <mr.smith476@gmail.com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

tools --> connection info --> select your account --> view certificate

MS
(using latest nightly build on Debian testing)

On 9/14/14 3:41 PM, Robert Webb wrote:

Is there a way to see the certificate once a connection is established
with Jitsi? I am running the linux version.

Robert

On Sun, 14 Sep 2014 08:37:17 +0000 >> George Maschke <georgemaschke@posteo.de> wrote:

I mentioned this issue in a reply to another message thread, but I think
it merits a new thread of its own.

When I launch Jitsi and it attempts to log into my jit.si XMPP account,
the application warns that the certificate is invalid. See the attached
screenshot.

The certificate in question was issued on 21 August 2014 and has the
following fingerprints:

SHA1: 8114126eb2ed082f33cc2179326bf8ab8c7b7435
MD5: a18643db2d8116d647600faf9015ab3f

Is anyone else experiencing this? Is this certificate legitimate? If so,
why does Jitsi report it as untrusted? Is the certificate pinned in the
application and hasn't been updated to reflect the issuance of a new
certificate on 21 August? Or am I being targeted with a MITM attack?

--
George W. Maschke
http://www.georgemaschke.net
Twitter: georgemaschke
PGP Public Key: 316A947C
Encrypted voice & text chat (XMPP via Jitsi): georgemaschke@jit.si
Surespot: georgemaschke

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 10.3.1 (Build 13266)
Charset: windows-1252

wsBVAwUBVBXGWHIFU87htrbeAQgQKQf9EuJHvUMu4SwTU97yS44swI/w/ZmZGzVo
dn7M/FgVGVPxdzUJNlCoYlz/MaAqIrddhP96zpaDpGvPVTNa48+22KX2EuV5tyRC
At/pnY59bY/ZcGgP+wRyrJH+MLjIHgdKQCS4jcCUl9d63x3EFfWtKG7Kdf3F0KFw
yFXTy8ipgtlIqePIKc0LblXhKZMjEL6R3y7vET2lzSXiAjQF1tuG4klfO+N55Aum
JzQkGaz9FKuluYtZLoTeEgVlF8XImYXajadkuz7OWWM9LYkPlMsmVzrEtJCaQ6FV
mF8bcM6Vc/kNwCnQ1JXF0LEMJF/m3rM7L7kdfYO9d6uNy8WArMdMtw==
=DziJ
-----END PGP SIGNATURE-----


#5

When I launch Jitsi and it attempts to log into my jit.si XMPP account,

the application warns that the certificate is invalid. See the attached

Hello,

This is fixed now, you should see no difference between the two domains
(web on jit.si and xmpp on xmpp.jit.si) The issue was related to a change
in the certificate for web on jit.si -- but anyway this was no problem for
the communication with the xmpp server, as the web service on jit.si is a
mere redirect to the registration page on jitsi.org.

The real certificate on the xmpp server (xmpp.jit.si) was never changed.

Now the jit.si one is fixed and the test on ssllabs shows it
https://www.ssllabs.com/ssltest/analyze.html?d=jit.si

···

--
Yasen Pramatarov
sysadmin, https://jitsi.org


#6

Yasen,

Thanks! Might it also be possible for you to change the preferred TLS
version and cipher suite order for xmpp.jit.si? When I connect using the
Jitsi client, the connection is established with TLS 1.0, rather than
1.2, and the cipher suite used is SSL_RSA_WITH_RC4_128_MD5. I think this
cipher suite should be deprecated.

Couldn't a cipher suite with forward secrecy, like
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 be used instead?

Best regards,

George Maschke
georgemaschke@jit.si

Yasen Pramatarov wrote:

···

When I launch Jitsi and it attempts to log into my jit.si XMPP account,

the application warns that the certificate is invalid. See the attached

Hello,

This is fixed now, you should see no difference between the two domains
(web on jit.si and xmpp on xmpp.jit.si) The issue was related to a change
in the certificate for web on jit.si -- but anyway this was no problem for
the communication with the xmpp server, as the web service on jit.si is a
mere redirect to the registration page on jitsi.org.

The real certificate on the xmpp server (xmpp.jit.si) was never changed.

Now the jit.si one is fixed and the test on ssllabs shows it
https://www.ssllabs.com/ssltest/analyze.html?d=jit.si

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#7

We are aware of the older ciphers issue there. It's not a straightforward
switch, as all these are depending not on operating system configurations,
but on Java JRE versions, upgrade of which is not a quick decision. But
we're aware and have all this in mind.

···

On Mon, Sep 15, 2014 at 4:33 PM, George W. Maschke <georgemaschke@posteo.de> wrote:

Yasen,

Thanks! Might it also be possible for you to change the preferred TLS
version and cipher suite order for xmpp.jit.si? When I connect using the
Jitsi client, the connection is established with TLS 1.0, rather than
1.2, and the cipher suite used is SSL_RSA_WITH_RC4_128_MD5. I think this
cipher suite should be deprecated.

Couldn't a cipher suite with forward secrecy, like
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 be used instead?

--
Yasen Pramatarov
sysadmin, https://jitsi.org


#8

Thank you for this clarification, Yasen! I note that when I connect to
the duk.go XMPP server, as is the case with the jit.si XMPP server, the
connection is made with the older TLS 1.0.

However, the cipher suite used is TLS_RSA_WITH_AES_256_CBC_SHA. (Screen
shot attached.) While this suite lacks forward secrecy, it is still more
robust than the SSL_RSA_WITH_RC4_128_MD5 currently used by jit.si.

Would there be any drawback to moving the jit.si server to
TLS_RSA_WITH_AES_256_CBC_SHA right away, while continuing to consider
such options as TLS 1.2 and forward secrecy for future implementation?

George Maschke
georgemaschke@jit.si

Yasen Pramatarov wrote:

···

On Mon, Sep 15, 2014 at 4:33 PM, George W. Maschke <georgemaschke@posteo.de> > wrote:

Yasen,

Thanks! Might it also be possible for you to change the preferred TLS
version and cipher suite order for xmpp.jit.si? When I connect using the
Jitsi client, the connection is established with TLS 1.0, rather than
1.2, and the cipher suite used is SSL_RSA_WITH_RC4_128_MD5. I think this
cipher suite should be deprecated.

Couldn't a cipher suite with forward secrecy, like
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 be used instead?

We are aware of the older ciphers issue there. It's not a straightforward
switch, as all these are depending not on operating system configurations,
but on Java JRE versions, upgrade of which is not a quick decision. But
we're aware and have all this in mind.

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#9

Like I said, this involves upgrade of Java and maybe migrating to
different JRE, like moving to Oracle's as there is still no packaged
version of OpenJDK 8 and we need it for these ciphers.

That's why it is not a "right away" switch.

It will be done, it's just not tested yet.

···

On Mon, Sep 15, 2014 at 5:11 PM, George W. Maschke <georgemaschke@posteo.de> wrote:

Thank you for this clarification, Yasen! I note that when I connect to
the duk.go XMPP server, as is the case with the jit.si XMPP server, the
connection is made with the older TLS 1.0.

However, the cipher suite used is TLS_RSA_WITH_AES_256_CBC_SHA. (Screen
shot attached.) While this suite lacks forward secrecy, it is still more
robust than the SSL_RSA_WITH_RC4_128_MD5 currently used by jit.si.

Would there be any drawback to moving the jit.si server to
TLS_RSA_WITH_AES_256_CBC_SHA right away, while continuing to consider
such options as TLS 1.2 and forward secrecy for future implementation?

--
Yasen Pramatarov
sysadmin, https://jitsi.org