psi-plus / main

Main repository with patches and required resources
https://psi-plus.com/
GNU Lesser General Public License v2.1

Certificate error connecting to gmail.com: no SNI provided #739

Open Grundik opened 5 years ago

Grundik commented 5 years ago

I'm using Psi+ v1.3.425 (2018-10-14, Psi:02fbdec1, Psi+:9351ce3), Qt version 5.11.2 on Debian Linux (latest available distro version of Psi+).

When PSI+ connects to gmail.com it complains «The gmail.com certificate failed the authenticity test. Certificate is self-signed». Detailed info shows the following certificate info:

Subject Details:
Organizational unit:  No SNI provided; please fix your client.
Common name:  invalid2.invalid

Issuer Details:
Organizational unit:  No SNI provided; please fix your client.
Common name:  invalid2.invalid

Fingerprint(MD5): 90:4A:C8:D5:44:5A:D0:6A:8A:10:FF:CD:8B:11:BE:16
Fingerprint(SHA-1): 42:59:51:7C:D4:E4:8A:28:9D:33:2A:B3:F0:AB:52:A3:66:32:28:24

Seems like PSI+ does not provide SNI while connecting to TLS (STARTTLS?) hosts.

Probably it's a common issue with Google TLS services, e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1611815

Ri0n commented 5 years ago

From what I understand in the code, if we change

    d->tlsHandler->setXMPPCertCheck(true);

to

    d->tlsHandler->setXMPPCertCheck(false);

in psiaccount.cpp, it will start working. But I don't understand what the goal of implementing setXMPPCertCheck was. Maybe to relax connection to some old TLS servers.

tehnick commented 5 years ago

As far as I see, in the iris library the class QCATLSHandler uses QCA::TLS. As far as I see in the QCA library, in qca_securelayer.h (from Debian Sid):

    enum Version
    {
        TLS_v1, ///< Transport Layer Security, version 1
        SSL_v3, ///< Secure Socket Layer, version 3
        SSL_v2, ///< Secure Socket Layer, version 2
        DTLS_v1 ///< Datagram Transport Layer Security, version 1
    };

And here I am completely confused: where are the analogues of QSsl::TlsV1_1, QSsl::TlsV1_2, QSsl::TlsV1_3, etc. from current versions of Qt? Does this version of QCA support modern versions of TLS at all?

Ri0n commented 5 years ago

I think we have to start migration to Qt native secure sockets after the release. This will also solve a problem when both openssl and libressl libraries are required in some cases.

Massimo-B commented 4 years ago

Hi, the issue is still unsolved. Will Psi+ get SNI support?

Ri0n commented 4 years ago

I will review if we can avoid using QCA for TLS in some next releases. I'm not sure what other problems it can bring.

Vitozz commented 4 years ago

Any news? Should we close this issue?

Grundik commented 4 years ago

Psi+ v1.4.1231 (2020-05-13, Psi:b20d2fb4, Psi+:2170e90), Qt 5.12.5, problem still persists.

Neustradamus commented 2 months ago

@Grundik: What is the situation in 2024?

Google Mail has stopped XMPP support?

Grundik commented 2 months ago

Unfortunately I don't know how it is in 2024: XMPP is mostly dead now. I haven't been using it at all for years.

Neustradamus commented 2 months ago

@Grundik: Thanks for your answer!

XMPP is still here in 2024, widely used in the world...

Grundik commented 2 months ago

I don't want to argue: XMPP was a good thing of its time, I used it for more than a decade, but as of today I'm not an active user of it (via PSI+ or otherwise), so I'm unaware of its current support status by Google or other former providers.