mumble-voip / mumble-iphoneos

Mumble client for iOS-based devices
https://www.mumble.info

Store full certificate chains; build chains on connect, and send them to the server. #47

Closed brodock closed 12 years ago

brodock commented 12 years ago

When I try to connect to my Mumble server with an iPhone 4 (latest iOS), I receive an "Enable to connect" popup error, with the following message inside: "The operation couldn't be completed. (OSStatus error -9806)."

The same server works perfectly fine at the computer. I'm also using the same certificate as the one at my computer.

The problem is probably related to the following: https://groups.google.com/forum/#!msg/asihttprequest/jPsjVJ8Xm2A/rDWlJMUrfaYJ which leads to the following iOS documentation: https://developer.apple.com/library/ios/#technotes/tn2287/_index.html#//apple_ref/doc/uid/DTS40011309

If you need any further information, just ask here.

NOTE: I'm using a valid SSL certificate for the Murmur, from StartSSL.com (using the free certificates for domains)

mkrautz commented 12 years ago

Thanks for the heads up. Is this a standard Murmur, or is there something exotic about your setup? I'm just curious why this happens on your server only (seemingly). :)

I'll force TLS 1.0 for now. Do you have a hostname:port I can test this on? (I don't need credentials, I just need to do a TLS handshake). A PM will do.

mkrautz commented 12 years ago

I had a look at this. The iOS app already forces itself to use TLSv1 using the keys described in the technical note above.

Anyway, I'm still interested in a hostname:port to debug this, or a description of a configuration to reproduce this.

brodock commented 12 years ago

vps.neverstops.com.br:64738. It's a standard Murmur on Ubuntu 10.10 (running on OpenVZ; this is the only non-standard thing).

mkrautz commented 12 years ago

I just tried this on my iPhone, and couldn't reproduce.

The -9806 error simply means errSSLClosedAbort, which could be any TLS abort.

Does it work without the certificate from your computer? (And is that a Mumble generated certificate, or a CA-signed one?)

brodock commented 12 years ago

I'm using a Comodo Free Email Certificate (http://www.comodo.com/home/email-security/free-email-certificate.php) for it, and not the Mumble generated one.

As you asked me, the mobile generated certificate (from MumbleApp), works fine.

brodock commented 12 years ago

Have you been able to reproduce the problem using a Comodo certificate? Please tell me if there is any way I can debug it locally; I do have a MacBook and can download/install the iOS SDK.

mkrautz commented 12 years ago

My apologies for letting the ticket sit for 5 days, Brodock. I'll have a look later today.

Do you have any way of testing this on your own device? If not, PM or email me your device's UDID and I'll add you as a beta tester, so you can actually use the fix.

mkrautz commented 12 years ago

I've tracked this down. I can successfully connect to the server once I send the whole certificate chain. (Only the leaf certificate is being sent as-is with the 1.0 client.)

An inconvenient little oversight on my part. I had hoped (and thought) that storing a SecIdentityRef to the iOS app's keychain would also store the rest of the chain. That seems not to be the case.

mkrautz commented 12 years ago

BTW, are you positive that the chain is also accepted when you connect with your desktop client?

I'm seeing the same behavior there, as on the iOS client.

brodock commented 12 years ago

2012-03-21 10:48:15.632 1 => 91:(-1) Strong certificate for <...> (signed by UTN-USERFirst-Client Authentication and Email)

Well, the mumble-server log seems to accept my certificate as a "Strong" one (I believe it means a valid one). Also, using the information you gave me about the problem, it seems that the problem was in fact related to the CA chain, as, trying to connect with MumbleApp and copying the log, I get:

2012-03-21 10:55:05.172 1 => 94:(-1) New connection: ...:62318
2012-03-21 10:55:06.230 1 => 94:(-1) SSL Error: The root CA certificate is not trusted for this purpose
2012-03-21 10:55:06.232 1 => 94:(-1) SSL Error: No certificates could be verified
2012-03-21 10:55:06.233 1 => 94:(-1) Connection closed: [-1]

mkrautz commented 12 years ago

How have you imported the certificate into the desktop app? Are you on Linux, OS X or Windows?

mkrautz commented 12 years ago

Never mind, the PKCS12 file that I export from Keychain contains something very disturbing...

mkrautz commented 12 years ago

Aha, it turns out that the chain was just longer than I expected. The chain I exported as .p12 to the iOS client worked fine on there, but was missing one of the intermediates (which is apparently bundled on iOS). Once I built a correct chain, desktop app works fine as well.

OK. The issue is as the title says, and I hope to implement it today.
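To make the failure mode in this thread concrete (a .p12 that carries only the leaf identity, so a server trusting only the root sees "No certificates could be verified", versus one that bundles the intermediate), here is an added demo script that is not part of mumble-iphoneos. It builds a constructed root/intermediate/leaf hierarchy with openssl and checks two exports the way a server holding only the root would; the names, the password `demo` and the file names are all made up.

```shell
#!/bin/sh
# Added demo (not project code): constructed root -> intermediate -> leaf hierarchy,
# then a .p12 holding only the leaf identity vs. one bundling the intermediate, each
# checked the way a server that trusts only the root would check it.
set -e
work=$(mktemp -d) && cd "$work"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > leaf.ext

# Trusted root (the part a server has in its CA bundle).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root CA' \
  -keyout root.key -out root.crt 2>/dev/null
# Intermediate signed by the root; the server does NOT have this one.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out inter.crt 2>/dev/null
# Client certificate signed by the intermediate (constructed subject).
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=user@example.invalid' \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 1 -extfile leaf.ext -out leaf.crt 2>/dev/null

# Two exports: identity only (what storing just the SecIdentityRef amounts to) vs. identity + chain.
openssl pkcs12 -export -passout pass:demo -inkey leaf.key -in leaf.crt -out leaf-only.p12
openssl pkcs12 -export -passout pass:demo -inkey leaf.key -in leaf.crt \
  -certfile inter.crt -out full-chain.p12

# p12_chain_ok FILE: take what a client would present from FILE (its own certificate plus
# any bundled CA certificates) and verify it against the root alone, as the server would.
p12_chain_ok() {
  openssl pkcs12 -in "$1" -passin pass:demo -clcerts -nokeys -out sent-leaf.pem 2>/dev/null
  openssl pkcs12 -in "$1" -passin pass:demo -cacerts -nokeys -out sent-extra.pem 2>/dev/null
  if grep -q 'BEGIN CERTIFICATE' sent-extra.pem; then
    openssl verify -CAfile root.crt -untrusted sent-extra.pem sent-leaf.pem >/dev/null 2>&1
  else
    openssl verify -CAfile root.crt sent-leaf.pem >/dev/null 2>&1
  fi
}

for f in leaf-only.p12 full-chain.p12; do
  if p12_chain_ok "$f"; then echo "$f: chain verifies"; else echo "$f: No certificates could be verified"; fi
done
```

Re-exporting the .p12 with the intermediates included (as the fix asks users to do) is exactly the difference between the two files above.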

mkrautz commented 12 years ago

OK, committed a fix for this. You'll have to re-import your .p12 file in order for the whole chain to be present, though.

Can you confirm whether or not this works for you? I've sent beta details to you via email.

kaijuu commented 12 years ago

I have a fresh install of murmur on ubuntu and am seeing the same issue. Comodo issued cert works on Mac client, fails on iOS client.

mkrautz commented 12 years ago

It's (sort of) fixed in the repo. I've just discovered some issues that I'll need to weed out.

kaijuu commented 12 years ago

Tried again with Self-Signed Cert and it worked properly.

mkrautz commented 12 years ago

I believe this is fixed in Git now, with 187cce44874e8. I'll build a beta snapshot shortly.

mkrautz commented 12 years ago

Closing this as fixed, since no one has reported otherwise.

M3d1c5 commented 12 years ago

Hi guys,

I have the same issues using Mumble 1.0 on iOS 5.1 and a fresh installed murmurd 1.2.2-6+squeeze1 on Debian Squeeze (installed from distro repo).

When using Mumble 1.2.3 on Windows 7 with StartSSL.com Client-Certificate there is no problem. When using Mumble 1.0 on iOS 5.1 with the same client-certificate it does not work.

Log with Windows Client Login:

<W>2012-04-06 18:03:05.203 Initializing settings from /etc/mumble-server.ini (basepath /etc)
<C>2012-04-06 18:03:05.204 Adding 1 CA certificates from certificate file.
<W>2012-04-06 18:03:05.215 SSL: Added CA certificates from '/etc/ssl/certs/ca-certificates.crt'
<C>2012-04-06 18:03:05.220 Successfully switched to uid 113
<W>2012-04-06 18:03:05.223 ServerDB: Openend SQLite database /var/lib/mumble-server/mumble-server.sqlite
<W>2012-04-06 18:03:05.225 Resource limits were 0 0
<W>2012-04-06 18:03:05.225 Successfully dropped capabilities
<W>2012-04-06 18:03:05.229 DBus registration succeeded
<W>2012-04-06 18:03:05.230 MurmurIce: Endpoint "tcp -h 127.0.0.1 -p 6502" running
<W>2012-04-06 18:03:05.231 OSInfo: Failed to execute lsb_release
<W>2012-04-06 18:03:05.231 Murmur 1.2.2 (1.2.2-6+squeeze1) running on X11: Linux 2.6.32-5-amd64: Booting servers
<W>2012-04-06 18:03:05.241 1 => Server listening on [::]:64738
<W>2012-04-06 18:03:05.250 1 => Announcing server via bonjour
<W>2012-04-06 18:03:39.116 1 => <1:(-1)> New connection: 80.145.38.251:54795
<W>2012-04-06 18:03:39.531 1 => <1:(-1)> Strong certificate for mail@m3d1c5.org <mail@m3d1c5.org> (signed by StartCom Certification Authority)
<W>2012-04-06 18:03:39.607 1 => <1:(-1)> Client version 1.2.3 (Win: 1.2.3)
<W>2012-04-06 18:03:39.618 1 => Starting voice thread
<W>2012-04-06 18:03:39.623 1 => CELT codec switch ffffffff80000010 0 (prefer ffffffff80000010)
<W>2012-04-06 18:03:39.634 1 => <1:M3d1c5(1)> Authenticated
<C>2012-04-06 18:04:02.310 Caught SIGTERM, exiting
<W>2012-04-06 18:04:02.310 Killing running servers
<W>2012-04-06 18:04:02.317 1 => Stopped announcing server via bonjour
<W>2012-04-06 18:04:02.320 1 => Stopped
<W>2012-04-06 18:04:02.320 Shutting down
<W>2012-04-06 18:04:02.320 MurmurIce: Shutdown complete

Log with iOS Client Login:

<W>2012-04-06 18:05:17.276 Initializing settings from /etc/mumble-server.ini (basepath /etc)
<C>2012-04-06 18:05:17.277 Adding 1 CA certificates from certificate file.
<W>2012-04-06 18:05:17.287 SSL: Added CA certificates from '/etc/ssl/certs/ca-certificates.crt'
<C>2012-04-06 18:05:17.308 Successfully switched to uid 113
<W>2012-04-06 18:05:17.311 ServerDB: Openend SQLite database /var/lib/mumble-server/mumble-server.sqlite
<W>2012-04-06 18:05:17.316 Resource limits were 0 0
<W>2012-04-06 18:05:17.317 Successfully dropped capabilities
<W>2012-04-06 18:05:17.319 DBus registration succeeded
<W>2012-04-06 18:05:17.320 MurmurIce: Endpoint "tcp -h 127.0.0.1 -p 6502" running
<W>2012-04-06 18:05:17.321 OSInfo: Failed to execute lsb_release
<W>2012-04-06 18:05:17.321 Murmur 1.2.2 (1.2.2-6+squeeze1) running on X11: Linux 2.6.32-5-amd64: Booting servers
<W>2012-04-06 18:05:17.336 1 => Server listening on [::]:64738
<W>2012-04-06 18:05:17.342 1 => Announcing server via bonjour
<W>2012-04-06 18:05:30.705 1 => <1:(-1)> New connection: 80.145.38.251:52982
<W>2012-04-06 18:05:32.497 1 => <1:(-1)> SSL Error: The root CA certificate is not trusted for this purpose
<W>2012-04-06 18:05:32.503 1 => <1:(-1)> SSL Error: No certificates could be verified
<W>2012-04-06 18:05:32.511 1 => <1:(-1)> Connection closed:  [-1]
<C>2012-04-06 18:05:42.828 Caught SIGTERM, exiting
<W>2012-04-06 18:05:42.828 Killing running servers
<W>2012-04-06 18:05:42.837 1 => Stopped announcing server via bonjour
<W>2012-04-06 18:05:42.842 1 => Stopped
<W>2012-04-06 18:05:42.842 Shutting down
<W>2012-04-06 18:05:42.842 MurmurIce: Shutdown complete

The problems occur on the server twattle.net:64738. But I have the same problems with the server mumble.piratenpartei-nrw.de:64738.

Christian

mkrautz commented 12 years ago

Hi M3d1c5,

This is fixed in the repo, and in the latest beta builds.

Hang on a little longer, and version 1.1 will appear on the App Store.

Until then, I can only suggest you use a temporary self-signed certificate.

Mikkel

M3d1c5 commented 12 years ago

Thank you for this information. :-)


brodock commented 12 years ago

just to confirm, it's working fine now :)

mkrautz commented 12 years ago

Excellent. Thanks!