[jitsi-users] LDAPS server certificate


#1

Hello,

is there a way to add the certificate of a LDAPS server to
jitsi's list of trusted certificates?

When one uses a LDAPS server that is not trusted (for instance
signed by a CA that is not in the Java cacerts keystore), the
LDAPS connection fails silently and the user is not asked whether
he wants to continue anyway (and trust permanently) like in the
provisioning HTTPS, XMPP, SIP-TLS cases.

I've tried to add the

net.java.sip.communicator.impl.certservice.param.ldap.example.com=3633785d23e724a7a355ed58b31f04269f21101c

property.

Where 3633785d23e724a7a355ed58b31f04269f21101c is the
fingerprint of the certificate like for the other
(XMPP/SIP/Provisioning) certificates but it didn't help. I could
verify with wireshark that the connection was aborted because
of:

TLSv1 75 Alert (Level: Fatal, Description: Certificate Unknown)

Is there any way around that?

Thanks,
Stephane


#2

Hey Stephane

> is there a way to add the certificate of a LDAPS server to
> jitsi's list of trusted certificates?
> [...]
> Is there any way around that?

The LDAP server connection doesn't use our CertificateService and relies on Java's built-in verification. So unfortunately that's currently not possible.

Funny thing is: we talked about this requirement this morning, so it's on my/our todo-list. I can't give you an ETA though.

Regards,
Ingo

PS: If someone else wants to work on that, way to go is to set the property java.naming.ldap.factory.socket of the JNDI context to a custom socket factory that delegates its work to our CertificateService.
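The approach sketched in the PS, written out as an added example (this is not Jitsi's code and does not use its real CertificateService API, which the thread does not show): a `javax.net.SocketFactory` whose class name is passed in the `java.naming.ldap.factory.socket` JNDI property, which JNDI's LDAP provider instantiates through a static `getDefault()` method. In place of the delegation to CertificateService, the trust manager pins the server certificate to a hex SHA-1 fingerprint of the kind the first message configures (the 40-hex-digit value below is the one quoted in the thread; that Jitsi's property is specifically SHA-1 is an assumption drawn from its length). The class and method names are hypothetical.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical socket factory for JNDI's LDAP provider. JNDI loads the class
 * named in java.naming.ldap.factory.socket and calls its static getDefault(),
 * so that method is mandatory.
 */
public class PinnedLdapSocketFactory extends SocketFactory {

    /** Fingerprint taken from the thread's property value (example.com server). */
    static final String EXPECTED_FINGERPRINT = "3633785d23e724a7a355ed58b31f04269f21101c";

    private final SSLSocketFactory delegate;

    private PinnedLdapSocketFactory() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Replace the JVM's cacerts-based trust decision with our own trust manager.
        ctx.init(null, new TrustManager[] { new FingerprintTrustManager() }, null);
        delegate = ctx.getSocketFactory();
    }

    /** Reflective entry point required by the JNDI LDAP provider. */
    public static SocketFactory getDefault() {
        try {
            return new PinnedLdapSocketFactory();
        } catch (Exception e) {
            throw new IllegalStateException("cannot initialise TLS context", e);
        }
    }

    @Override public Socket createSocket() throws IOException { return delegate.createSocket(); }
    @Override public Socket createSocket(String host, int port) throws IOException { return delegate.createSocket(host, port); }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException { return delegate.createSocket(host, port, localHost, localPort); }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException { return delegate.createSocket(host, port); }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException { return delegate.createSocket(address, port, localAddress, localPort); }

    /** Lower-case hex SHA-1 over the DER encoding, the shape of the thread's property value. */
    static String sha1Fingerprint(X509Certificate cert) throws CertificateException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder(2 * digest.length);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    /** Stand-in for delegating to Jitsi's CertificateService: accept only the pinned leaf certificate. */
    static final class FingerprintTrustManager implements X509TrustManager {
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
            String seen = sha1Fingerprint(chain[0]);
            if (!seen.equalsIgnoreCase(EXPECTED_FINGERPRINT)) {
                // Throwing here aborts the handshake; JSSE reports it to the peer as a
                // "Certificate Unknown" alert, the symptom the first message captured.
                throw new CertificateException("server certificate fingerprint " + seen + " is not the pinned value");
            }
        }
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            throw new CertificateException("client certificates are not accepted by this factory");
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** Opens a JNDI LDAPS context that goes through the pinned factory, e.g. connect("ldaps://ldap.example.com:636"). */
    public static InitialDirContext connect(String ldapsUrl) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapsUrl);
        env.put(Context.SECURITY_PROTOCOL, "ssl");
        env.put("java.naming.ldap.factory.socket", PinnedLdapSocketFactory.class.getName());
        return new InitialDirContext(env);
    }
}
```

Two points a practitioner should keep in mind. Because trust is decided by an exact fingerprint match on the leaf certificate, the check is as strong as the out-of-band channel that delivered the fingerprint, and it must be updated whenever the server certificate is renewed. A pinning trust manager also performs no hostname matching of its own, so a hostname-based check (or the user prompt the first message asks for, where an unknown certificate is shown and trusted permanently) has to be layered on top if the factory is ever used with a fingerprint list rather than a single pinned value.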


#3

Stephane,

I just committed a few patches on the LDAP stuff. It now uses our CertificateService and you should be able to provide the cert hash in the properties file in the way you already tried. It should be included in one of the next builds (3683 or 3684).

Ingo


-----Original Message-----
From: Stephane Chazelas [mailto:stephane.chazelas@gmail.com]
Sent: Thursday, 29 September 2011 14:06
To: users@jitsi.java.net
Subject: [jitsi-users] LDAPS server certificate