yaxim-org / yaxim

yaxim - a lean XMPP/Jabber client for Android
https://yaxim.org
GNU General Public License v3.0

Certificate not recognized #48

Status: closed (gstarnberger closed this 10 years ago)

gstarnberger commented 13 years ago

When "yaxim" stumbles across an unknown certificate I can choose to always "remember" the certificate. However, next time I establish the connection "yaxim" has forgotten about the certificate and asks again.

This issue occurs at least in the cases where yaxim cannot check the whole certificate chain (e.g., because CAcert's class3 is included, but yaxim doesn't know the next cert in the chain) and in cases where the CN does not match.

I'm using the latest version available in Google's Android market.

ge0rg commented 13 years ago

I am sorry for the inconvenience. These are both issues in MTM, and are unfortunately not trivial to fix.

gstarnberger commented 13 years ago

I've found some information regarding CN mismatches on https://github.com/ge0rg/MemorizingTrustManager/issues/2

What type of problem occurs in the case where the whole certificate chain cannot be checked? How is this case different from the case where there's no chain at all and only a single certificate? If I find some time I can try to look into that.

ge0rg commented 13 years ago

I am not quite sure, actually. I think I had no example site where the problem happened. You could check out the MTM project and compile its example app to debug the issue. The library is pretty verbose in the logcat.

IIRC, the code is checking and adding every cert from the supplied chain to the local keystore, so I am a little confused about why it still does re-ask for permission.

shtrom commented 12 years ago

I just noticed the same problem for another CACert-authenticated server. Even though asking to always remember the certificate, the question keeps being asked about a missing trust anchor. I can provide server name and logs if needed.

ge0rg commented 12 years ago

Please check if the server name matches the common name, and that the cert is still valid. If both are true, you can send me the server name / logcat in a private message.

shtrom commented 12 years ago

On Thu, Nov 03, 2011 at 05:45:23AM -0700, Georg Lukas wrote:

> Please check if the server name matches the common name, and that the cert is still valid. If both are true, you can send me the server name / logcat in a private message.

Done. Email sent to your GitHub-registered address.

Olivier Mehani shtrom@ssji.net PGP fingerprint: 4435 CF6A 7C8D DD9B E2DE F5F9 F012 A6E2 98C6 6655

spaetz commented 10 years ago

I experience the same issue. I always have to "Always" remember the self-signed certificate at each yaxim start. The certificate is signed: CN=sspaeth.de OU=XMPP Service,O=tigase.org, my jabber id is Sebastian@sspaeth.de, which connects via DNS SRV records to "tigase.me" as jabber server.

Let me know if there is anything I can do or send to help debug/solve this issue.

ge0rg commented 10 years ago

There are several things unclear to me from your report:

  1. sspaeth.de has no SRV records, and seems to be running a really old jabberd which makes it impossible for me to extract the SSL certificate manually.
  2. tigase.me is running a self-signed certificate for tigase.me (but not for sspaeth.de) which expired in 2011, which might trigger MTM's repeated asking.

Could you please clarify?

Also, I would really recommend switching/upgrading to a recent, still-maintained XMPP server software like prosody.
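The thread names three distinct reasons a chain can fail standard validation and still be something the user wants to memorize: the server sends an intermediate (CAcert class 3) whose root the client does not know, the hostname does not match the certificate, or the certificate has expired. A memorizing trust manager has to treat all three the same way once the user has clicked "always": key the memory on the leaf certificate's fingerprint, not on why validation failed. The following Go program is an added illustration of that decision logic, not code from yaxim or MemorizingTrustManager; the CA, intermediate and server certificates are generated in-process as constructed fixtures (the names sspaeth.de and tigase.me are reused only as labels), and `verifier`, `issue`, `reason` and `runScenarios` are names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64

// issue builds a test certificate for cn, signed by parent (self-signed when parent is nil).
// All names and dates here are constructed fixtures, not the certificates from the issue.
func issue(cn string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notAfter.Add(-10 * 365 * 24 * time.Hour),
		NotAfter:              notAfter,
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // verifiers match the SAN; the CN alone no longer counts
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifier is a minimal memorizing trust manager: standard chain, hostname and validity
// checks first, then a fallback to leaf certificates the user chose to remember, whatever the failure was.
type verifier struct {
	roots      *x509.CertPool  // must be non-nil: a nil pool would mean "use the system store"
	remembered map[string]bool // SHA-256 fingerprints of leaf certificates the user accepted
}

type outcome struct {
	Verdict string
	Prompt  bool // true when the user would be asked again
}

func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

func (v *verifier) remember(c *x509.Certificate) { v.remembered[fingerprint(c)] = true }

// check verifies the chain the server sent (leaf first) for host and classifies any failure.
func (v *verifier) check(chain []*x509.Certificate, host string) outcome {
	inter := x509.NewCertPool()
	for _, c := range chain[1:] {
		inter.AddCert(c) // extra certificates the server supplied, e.g. a CAcert class 3 intermediate
	}
	_, err := chain[0].Verify(x509.VerifyOptions{DNSName: host, Roots: v.roots, Intermediates: inter})
	if err == nil {
		return outcome{"ok", false}
	}
	if v.remembered[fingerprint(chain[0])] {
		return outcome{"memorized", false} // accepted earlier; the reason no longer matters
	}
	return outcome{reason(err), true}
}

// reason maps the Go x509 error types onto the three cases discussed in the thread.
func reason(err error) string {
	var hostErr x509.HostnameError
	var authErr x509.UnknownAuthorityError
	var invErr x509.CertificateInvalidError
	switch {
	case errors.As(err, &hostErr):
		return "hostname mismatch"
	case errors.As(err, &authErr):
		return "unknown trust anchor"
	case errors.As(err, &invErr) && invErr.Reason == x509.Expired:
		return "expired"
	}
	return "other: " + err.Error()
}

// runScenarios replays the situations described in the thread against two clients:
// one that knows the root CA and one that does not.
func runScenarios() map[string]outcome {
	now := time.Now()
	root, rootKey := issue("Example Root CA", true, now.Add(3*365*24*time.Hour), nil, nil)
	inter, interKey := issue("Example Class 3 CA", true, now.Add(2*365*24*time.Hour), root, rootKey)
	leaf, _ := issue("sspaeth.de", false, now.Add(180*24*time.Hour), inter, interKey)
	expired, _ := issue("tigase.me", false, time.Date(2011, 12, 31, 0, 0, 0, 0, time.UTC), nil, nil)

	withRoot := &verifier{roots: x509.NewCertPool(), remembered: map[string]bool{}}
	withRoot.roots.AddCert(root)
	noRoot := &verifier{roots: x509.NewCertPool(), remembered: map[string]bool{}}

	sent := []*x509.Certificate{leaf, inter} // leaf plus intermediate, as a server would send
	r := map[string]outcome{}
	r["full chain"] = withRoot.check(sent, "sspaeth.de")
	r["intermediate only"] = noRoot.check(sent, "sspaeth.de")
	r["cn mismatch"] = withRoot.check(sent, "tigase.me")
	r["expired self-signed"] = withRoot.check([]*x509.Certificate{expired}, "tigase.me")
	noRoot.remember(leaf)
	withRoot.remember(expired)
	r["intermediate only, remembered"] = noRoot.check(sent, "sspaeth.de")
	r["expired self-signed, remembered"] = withRoot.check([]*x509.Certificate{expired}, "tigase.me")
	return r
}

func main() {
	for k, v := range runScenarios() {
		fmt.Printf("%-34s %-22s prompt=%t\n", k, v.Verdict, v.Prompt)
	}
}
```

The memory is keyed on the SHA-256 of the leaf's DER bytes, so a renewed certificate (new key or new validity period) prompts again, which is the desired behaviour. To run the same classification against a live XMPP server, the chain delivered during STARTTLS can be dumped with `openssl s_client -connect host:5222 -starttls xmpp -showcerts` (add `-xmpphost domain` on OpenSSL 1.1.0 or later when the server's hostname differs from the XMPP domain), then parsed with `x509.ParseCertificate` and fed to `check`.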

spaetz commented 10 years ago

Thanks for checking, ge0rg! Due to the difficulties in setting up the thing, I removed the SRV records for sspaeth.de by now, but they were in place at the time of testing. The SSL certificate was delivered during STARTTLS negotiation, I guess (?, I am not too familiar with the XMPP protocol), and tigase.me served the self-signed certificate in that case. At least, yaxim presented me the above data each time I reconnected, even if I selected "trust always". Given that I stopped using the server, I am not able to test it any further though, sorry.