[jitsi-users] Jitsi can't verify the identity of the server when connecting to [sip2sip.info].


#1

Today, I started getting this error with Jitsi 2.9.5483-1:

  "Jitsi can't verify the identity of the server when
  connecting to [sip2sip.info]."

  Jitsi can't verify the identity of the server when
  connecting to [sip2sip.info]. The certificate is not
  trusted, which means that the server's identity cannot
  be automatically verified...

Viewing the certificate, it shows it issued To:

  Organizational Unit: GT67810724
  Organizational Unit: See www.rapidssl.com/resources/cps (c)13
  Organizational Unit: Domain Control Validated - RapidSSL(R)
  Common Name: *.sipthor.net

The fingerprints for the certificate are:

  SHA1: f7964c333b369ba71e708902610e26980cae7e25
  MD5: 28b89cd87ae03733307016547301cf00

How or where can I double check them?

Regards,
Lars


#2

Today, I started getting this error with Jitsi 2.9.5483-1:

  "Jitsi can't verify the identity of the server when
  connecting to [sip2sip.info]."

  Jitsi can't verify the identity of the server when
  connecting to [sip2sip.info]. The certificate is not
  trusted, which means that the server's identity cannot
  be automatically verified...

Viewing the certificate, it shows it issued To:

  Organizational Unit: GT67810724
  Organizational Unit: See www.rapidssl.com/resources/cps (c)13
  Organizational Unit: Domain Control Validated - RapidSSL(R)
  Common Name: *.sipthor.net

The fingerprints for the certificate are:

  SHA1: f7964c333b369ba71e708902610e26980cae7e25
  MD5: 28b89cd87ae03733307016547301cf00

How or where can I double check them?

The problem comes from a mismatch of the certificate name: sip2sip.info != *.sipthor.net. The certificate must either contain (*.)sip2sip.info or the proxy must be manually configured to proxy.sipthor.net:443, TLS.

See rfc5922 and rfc6125 if you want details. Note that we deliberately ignore rfc5922#7.2 and accept wildcard certificates. Although DNSSEC could be used to verify that proxy.sipthor.net is indeed a valid name, Jitsi's DNSSEC implementation doesn't go this deep. Yet.

Regards,
Lars

Ingo


#3

Ok Thanks for the fast answer.

Regards,
Lars

···

On 11/09/2015 05:39 PM, Ingo Bauersachs wrote:

The fingerprints for the certificate are:

SHA1: f7964c333b369ba71e708902610e26980cae7e25 MD5:
28b89cd87ae03733307016547301cf00

How or where can I double check them?

The problem comes from a mismatch of the certificate name:
sip2sip.info != *.sipthor.net. The certificate must either contain
(*.)sip2sip.info or the proxy must be manually configured to
proxy.sipthor.net:443, TLS.

See rfc5922 and rfc6125 if you want details. Note that we
deliberately ignore rfc5922#7.2 and accept wildcard certificates.
Although DNSSEC could be used to verify that proxy.sipthor.net is
indeed a valid name, Jitsi's DNSSEC implementation doesn't go this
deep. Yet.

Regards, Lars

Ingo