[jitsi-users] No SNI support


#1

Seems like Jitsi doesn't support Server Name Indication. I guess this is
because Jitsi uses Java 6 and not Java 7? In any case, this is needed if
the x509 certificate uses a HTTPS URI for a CRL which resides on a host
requiring SNI.

~A


#2

Seems like Jitsi doesn't support Server Name Indication. I guess this is
because Jitsi uses Java 6 and not Java 7? In any case, this is needed if
the x509 certificate uses a HTTPS URI for a CRL which resides on a host
requiring SNI.

The version of Java used by Jitsi depends on the operating system. We ship
Java 7 on Windows, on Linux it's the package manager's decision (usually
OpenJDK 7), and Java 6 on Mac OS X.
An upgrade on OS X is currently not possible as it breaks video rendering.

However, a CRL cannot lie on an HTTPS URI anyway. You would first need to
establish trust to the server providing the CRL, which requires the CRL
itself. Chicken and egg problem.

~A

Ingo


#3

Indeed, you are right. It was a misconfiguration on the webserver which
sent the crl over https. The certificate that jitsi got in this case was
not the one from the correct url, but another certificate from the server.

//Anders

ยทยทยท

On 2014-02-08 14:38, Ingo Bauersachs wrote:

Seems like Jitsi doesn't support Server Name Indication. I guess this is
because Jitsi uses Java 6 and not Java 7? In any case, this is needed if
the x509 certificate uses a HTTPS URI for a CRL which resides on a host
requiring SNI.

The version of Java used by Jitsi depends on the operating system. We ship
Java 7 on Windows, on Linux it's the package manager's decision (usually
OpenJDK 7), and Java 6 on Mac OS X.
An upgrade on OS X is currently not possible as it breaks video rendering.

However, a CRL cannot lie on an HTTPS URI anyway. You would first need to
establish trust to the server providing the CRL, which requires the CRL
itself. Chicken and egg problem.