[jitsi-users] X.509 certificates: Subject Alternative Names ignored


#1

Hi,

I just added an account to Jitsi. The JID’s host name is listed as part of the certificate’s (several) Subject Alternative Names, but not as part of the common name. However, Jitsi complains that the certificate is invalid („Jitsi can't verify the identity of the server when connecting to [example.com, _xmpp-client.example.com]“).

Could it be that Jitsi only checks in the CN and not in SAN? If so, could this be fixed?
Also, why is the verified name _xmpp-client.example.com, not _xmpp-client._tcp.example.com, the name of the SRV record?

-Marcel

BTW: It would be nice if Jitsi were to support DANE, as this handles the server and service host names, among other things.


#2

Jitsi does check the SAN. Can you take a look at the logs (https://jitsi.org/logs) to see why validation fails exactly?

The protocol part of the SRV is left out because of an RFC that says so. Don't know which one off the top of my head.

DANE will be coming sometime this year (hopefully I'll find the time).

Kind regards,
Ingo Bauersachs

-- sent from my mobile

On 23.04.2015, at 18:45, Marcel Waldvogel <Marcel.Waldvogel@uni-konstanz.de> wrote:

Hi,

I just added an account to Jitsi. The JID’s host name is listed as part of the certificate’s (several) Subject Alternative Names, but not as part of the common name. However, Jitsi complains that the certificate is invalid („Jitsi can't verify the identity of the server when connecting to [example.com, _xmpp-client.example.com]“).

Could it be that Jitsi only checks in the CN and not in SAN? If so, could this be fixed?
Also, why is the verified name _xmpp-client.example.com, not _xmpp-client._tcp.example.com, the name of the SRV record?

-Marcel

BTW: It would be nice if Jitsi were to support DANE, as this handles the server and service host names, among other things.
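
The following is an added example, not part of the original thread and not Jitsi's code. It matches the two names from the error message (the JID domain and its `_xmpp-client` service form) against a certificate's SAN entries, and consults the CN only when the certificate has no usable SAN entry. The function names, the `(type, value)` SAN representation and the sample certificate data are assumptions made for illustration.

```python
# Added example, not Jitsi code. SAN entries are (type, value) pairs as a
# certificate parser would return them; all sample values are constructed.

def reference_ids(jid_domain, service="xmpp-client"):
    """Names a client may accept for a JID domain.

    The SRV-ID follows the RFC 4985 SRVName form "_service.name", which has
    no "_tcp" label, unlike the DNS SRV owner name.
    """
    domain = jid_domain.rstrip(".").lower()
    return [("dNSName", domain), ("SRVName", f"_{service}.{domain}")]


def dns_match(presented, reference):
    """Case-insensitive label comparison; '*' only as the whole left-most label."""
    p = presented.rstrip(".").lower().split(".")
    r = reference.rstrip(".").lower().split(".")
    if len(p) != len(r):
        return False
    if p[0] == "*":
        # Assumption: require at least three labels so "*.com" never matches.
        return len(p) >= 3 and p[1:] == r[1:]
    return p == r


def verify(san_entries, subject_cn, jid_domain):
    """Return the matching (type, value) entry, or None.

    Following RFC 6125, the CN is used only when the certificate carries no
    dNSName/SRVName entries at all, so a certificate whose CN names another
    host still validates through its SAN list.
    """
    refs = reference_ids(jid_domain)
    usable = [(t, v) for t, v in san_entries if t in ("dNSName", "SRVName")]
    for ref_type, ref_value in refs:
        for san_type, san_value in usable:
            if san_type != ref_type:
                continue
            if ref_type == "dNSName" and dns_match(san_value, ref_value):
                return (san_type, san_value)
            if ref_type == "SRVName" and san_value.lower() == ref_value:
                return (san_type, san_value)
    if not usable and subject_cn and dns_match(subject_cn, refs[0][1]):
        return ("CN", subject_cn)
    return None


# Constructed certificate data matching the situation in the thread.
SAN = [("dNSName", "www.example.com"), ("dNSName", "example.com")]
```

With the constructed `SAN` list and a CN of `www.example.com`, `verify(SAN, "www.example.com", "example.com")` succeeds through the `dNSName` entry even though the CN names a different host.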