[jitsi-users] Jitsi and server-selected cipher suite

Hello,

I just observed a couple of users running Jitsi version 2.2.4603.9615 on
Windows 7 who were unable to connect when the server had enabled the
SSL_OP_CIPHER_SERVER_PREFERENCE OpenSSL flag. This flag makes the
server decide which of the mutually supported cipher suites is used,
ignoring the client's order.

The server log said


Client disconnected: tlsv1 alert internal error

--
Kim "Zash" Alvefur
Prosody IM Developer
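As an added example (not code from the original message, Jitsi or Prosody), the following Python sketch models the selection rule that SSL_OP_CIPHER_SERVER_PREFERENCE changes and shows how the same flag is set on a Python ssl server context. The two preference lists are constructed for illustration: the client lists a plain-RSA suite first, the server lists a DHE suite first.

```python
"""Cipher-suite selection with and without SSL_OP_CIPHER_SERVER_PREFERENCE."""
import ssl

# Constructed preference lists (not from the original message).
CLIENT_ORDER = ["AES128-SHA", "DHE-RSA-AES128-SHA", "DES-CBC3-SHA"]
SERVER_ORDER = ["DHE-RSA-AES128-SHA", "DHE-RSA-AES256-SHA", "AES128-SHA"]


def select_cipher(client_order, server_order, server_preference):
    """Model of the OpenSSL selection rule.

    Without the flag the first suite in the client's list that the server
    also supports wins. With SSL_OP_CIPHER_SERVER_PREFERENCE the first
    suite in the server's list that the client also supports wins, so a
    DHE suite the client ranked low can be chosen anyway.
    """
    if server_preference:
        preferred, other = server_order, client_order
    else:
        preferred, other = client_order, server_order
    available = set(other)
    for suite in preferred:
        if suite in available:
            return suite
    return None  # nothing in common: the server sends handshake_failure


def make_server_context(server_preference,
                        ciphers="DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256"):
    """Server-side SSLContext with the flag set or cleared as requested.

    The flag is cleared explicitly in the else branch rather than assumed
    absent, because a fresh CPython SSLContext may already carry it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(ciphers)  # the server's own ordered list
    if server_preference:
        ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    else:
        ctx.options &= ~ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def uses_server_preference(ctx):
    """True if the context will impose its own cipher order on clients."""
    return bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE)


if __name__ == "__main__":
    for flag in (False, True):
        chosen = select_cipher(CLIENT_ORDER, SERVER_ORDER, flag)
        print(f"server preference={flag}: negotiated {chosen}")
    print("context flag set:", uses_server_preference(make_server_context(True)))
```

With the constructed lists the client-first rule picks AES128-SHA and the server-first rule picks DHE-RSA-AES128-SHA, which is exactly the situation the message describes: enabling the flag moves the affected clients onto a DHE suite they would otherwise never have negotiated.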

Further debugging reveals that the alert is because Jitsi sends an
unavailable presence and a </stream:stream> in plain text right after the
TLS handshake. This only happens if a DHE cipher was chosen (by the
server, ignoring the client's order).

This problem seems to have gone away after a server upgrade. The old
one had OpenSSL 0.9.8k and the new has 1.0.1e, so I'd bet the older
OpenSSL and the Java SSL stack have some incompatibility with their DH
handling.


On 2013-08-29 15:54, Kim Alvefur wrote:
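As an added example (not from the thread or either project), this Python decoder shows what the two observations in the follow-up look like at the TLS record layer: it parses a record header, translates the alert that OpenSSL reports as "tlsv1 alert internal error" (a fatal alert with description 80), and shows why XMPP stanzas written in plain text to a TLS socket cannot be parsed as a record at all. Both sample byte strings are constructed, not captured from the affected clients.

```python
"""Decode what arrives on a socket right after a TLS handshake."""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                 23: "application_data"}
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1",
                 (3, 3): "TLSv1.2", (3, 4): "TLSv1.3"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {  # RFC 5246, section 7.2
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 47: "illegal_parameter", 50: "decode_error",
    51: "decrypt_error", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
}

# Constructed sample 1: XMPP stanzas written without the TLS record layer,
# i.e. what a client that skips encryption after the handshake would send.
PLAINTEXT_STANZAS = b"<presence type='unavailable'/></stream:stream>"
# Constructed sample 2: a TLS 1.0 alert record, level fatal (2),
# description internal_error (80).
FATAL_INTERNAL_ERROR = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x50])


def parse_tls_record(buf):
    """Return (content_type, version, payload), or None if buf is not a record."""
    if len(buf) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    if ctype not in CONTENT_TYPES or (major, minor) not in VERSION_NAMES:
        return None
    payload = buf[5:5 + length]
    if len(payload) != length:
        return None
    return ctype, (major, minor), payload


def describe_alert(payload):
    """Turn a 2-byte alert body into the wording seen in OpenSSL-style logs."""
    if len(payload) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = payload
    return (f"{ALERT_LEVELS.get(level, level)} "
            f"{ALERT_DESCRIPTIONS.get(desc, 'unknown')}({desc})")


def classify(buf):
    """Name what the peer saw: a TLS record, or bytes that bypassed the record layer."""
    rec = parse_tls_record(buf)
    if rec is None:
        # '<' (0x3c) is not a content type, so the record layer rejects it outright.
        return "not a TLS record: " + buf[:24].decode("ascii", "replace")
    ctype, version, payload = rec
    name = CONTENT_TYPES[ctype]
    if name == "alert":
        return f"alert: {describe_alert(payload)} [{VERSION_NAMES[version]}]"
    return f"{name}: {len(payload)} bytes [{VERSION_NAMES[version]}]"


if __name__ == "__main__":
    for sample in (FATAL_INTERNAL_ERROR, PLAINTEXT_STANZAS):
        print(classify(sample))
```

Run against the two samples the decoder prints the fatal internal_error alert for the first and "not a TLS record" for the stanzas, which is the split a server operator needs when reading a log line like the one quoted: the alert is a TLS-level message from the peer, while plain-text XML after the handshake never reaches the application at all.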