SSL Certificate Validation
Hostname validation error?

dvega #1
Member since Jun 2003 · 10 posts · Location: Argentina
Group memberships: Members
I work for "SomeCompany" (sorry, I prefer not to publish the company name) and this company is evaluating an internal Jabber client and server. I've tried to connect to this server using Psi, but I get the following warning:

SomeCompany: Server Authentication
The somecompany.com certificate failed the authenticity test.
Reason: The hostname does not match the one the certificate was issued to.

I've looked at the certificate and everything seems ok. Here are some details:

My Jabber ID: dvega@somecompany.com
Jabber Server: rtc.somecompany.com
Certificate Subject: C=US, ST=SomeState, L=SomeCity, O=SomeCompany, OU=SomeDeparment, CN=rtc.somecompany.com

I wonder if Psi is validating the certificate Subject against my Jabber ID domain. I think the correct way is to compare the certificate Subject with the Jabber Server Name (or IP addresses, I'm not sure).

If I connect to the same server with Mozilla using HTTPS, I don't get any warning or error message.
infiniti (Administrator) #2
Member since Sep 2002 · 1521 posts · Location: California, USA
Group memberships: Administrators, Developers, Members
Psi is operating correctly.

When the client connects to "rtc.somecompany.com", it requests the "somecompany.com" host.  In fact, HTTP operates the same way via the "Host:" header.  It is this separation between "what you physically connect to" and "the host you want" that makes virtual hosting work.  "The host you want" is what is validated, and this goes for both XMPP and HTTP.
-Justin
jojolaser #3
Member since Aug 2004 · 48 posts
Group memberships: Members
From your Jabber ID your Jabber server is not rtc.somecompany.com but only somecompany.com.

BTW, in Account Properties there is a "Ignore SSL warnings", which turns this warning off (if you are not concerned that much about security).
dvega #4
Member since Jun 2003 · 10 posts · Location: Argentina
Group memberships: Members
Quote by infiniti on 2005-03-31, 11:31:
In fact, HTTP operates the same way via the "Host:" header.  It is this separation between "what you physically connect to" and "the host you want" that makes virtual hosting work.
Infinity, as far as I know, virtual hosting does not work with HTTPS, because the SSL certificates are exchanged before the "Host:" header is sent. Same here for Psi and XMPP. Perhaps my report was not clear. What I'm talking about is SSL certificate validation. This is before any XMPP message is sent over the wire.

Quote by jojolaser on 2005-03-31, 11:38:
"BTW, in Account Properties there is a "Ignore SSL warnings", which turns this warning off (if you are not concerned that much about security)."
Thanks jojolaser. That's what I've already done, but I was wondering if the way Psi is working is right. It seems to me that the correct way should be to validate the SSL certificate subject against the jabber server name, and not the jabber account domain name (I may be wrong. I haven't read any JEP or RFC about the way this should work).
halr9000 (Administrator) #5
User title: I work here
Member since Nov 2002 · 2315 posts · Location: Atlanta
Group memberships: Administrators, Members
Quote by dvega on 2005-03-31, 16:59:
Infinity, as far as I know, virtual hosting does not work with HTTPS
Actually it can be done.  Slightly off-topic, but you have to have a virtual host with a unique IP address.  So the server has multiple IP addresses mapped to the same interface.  So IP1 on foo.webhost.com can host an indefinite number of non-SSL virtual hosts, and IP2 goes to foo.w.c and can serve ONE SSL enabled virtual host, and so on.
Hal Rottenberg
Webmaster, Evangelist, Co-conspirator to the Revolution
infiniti (Administrator) #6
Member since Sep 2002 · 1521 posts · Location: California, USA
Group memberships: Administrators, Developers, Members
Quote by dvega on 2005-03-31, 12:59:
Quote by infiniti on 2005-03-31, 11:31:
In fact, HTTP operates the same way via the "Host:" header.  It is this separation between "what you physically connect to" and "the host you want" that makes virtual hosting work.
Infinity, as far as I know, virtual hosting does not work with HTTPS, because the SSL certificates are exchanged before de "Host:" header is sent. Same here for Psi and XMPP. Perhaps my report was not clear. What I'm talking is about SSL certificate validation. This is before any XMPP message is sent over the wire.
Well slap me with a trout, you're right!  I forgot that there are a few ways these things can work.  Both HTTP and XMPP can be used with SSL on a separate port (443 for HTTP and 5223 for XMPP).  In these cases, SSL is established immediately.  However, both of these protocols also support in-band SSL negotiation.  This allows some plaintext exchanges to occur before the SSL handshake begins.  For HTTP this makes it possible to have virtual hosting with SSL, although to be honest I've never actually seen any HTTP software (servers or clients) supporting this (even though there's an RFC for it).  XMPP on the other hand is supposed to always work this way, and can definitely be used with virtual hosts.  In fact, the older 5223 method is considered legacy.  Sorry for throwing you off track there.

Quote by dvega on 2005-03-31, 12:59:
It seems to me that the correct way should be to validate the SSL certificate subject against the jabber server name, and not the jabber account domain name (I may be wrong. I haven't read any JEP or RFC about the way this should work).
Yeah, well I have read the RFC. :)

And here's the relevant part:  RFC 3920 (XMPP Core), Section 5.1 (Use of TLS), Rule #8:
Certificates MUST be checked against the hostname as provided by the initiating entity (e.g., a user), not the hostname as resolved via the Domain Name System; e.g., if the user specifies a hostname of "example.com" but a DNS SRV[SRV] lookup returned "im.example.com", the certificate MUST be checked as "example.com".
To bring this back to my initial point, this is not different than HTTPS.  It's a feature of some Jabber clients to allow you to override "what you physically connect to" mainly for lack of SRV support, and to allow SSH tunnelling via localhost.  If a web browser allowed you to set the physical host to rtc.somecompany.com, but keep the URL as https://somecompany.com/, you'd run into the same problem.
-Justin
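To make the RFC 3920 rule quoted above concrete, here is an added example (written for this thread, not Psi's code): it derives the reference identity from the JID domain, checks it against the certificate's names, and explains dvega's warning by showing that the certificate only matches the connect host. The `Account` and `Certificate` classes, the hostname values and the wildcard handling are all constructed for illustration.

```python
"""Added example: which name an XMPP client must check a server certificate
against (RFC 3920, Section 5.1, rule 8): the hostname the user supplied, i.e.
the domain part of the JID, not the host reached via DNS SRV or a manual
"connect to" override. Classes and sample values are constructed here."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Account:
    jid: str                               # e.g. "dvega@somecompany.com"
    connect_host: Optional[str] = None     # hypothetical manual host override


@dataclass
class Certificate:
    subject_cn: str                        # legacy CN from the Subject
    san_dns: List[str] = field(default_factory=list)  # SAN dNSName entries

    def dns_names(self) -> List[str]:
        # Names the certificate was issued to: SAN entries if present,
        # otherwise fall back to the Subject CN.
        return self.san_dns or [self.subject_cn]


def reference_identity(account: Account) -> str:
    """The name the certificate must be checked as: the JID's domain part."""
    return account.jid.rsplit("@", 1)[-1].lower()


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive label match; a lone leftmost '*' matches one label
    (so '*.example.com' matches 'im.example.com' but not 'example.com')."""
    p = pattern.lower().split(".")
    h = hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def verify_server_cert(account: Account, cert: Certificate) -> Tuple[bool, str]:
    """Return (accepted, reason). Only the JID domain is consulted; the
    connect host is mentioned in the reason purely to explain a mismatch."""
    want = reference_identity(account)
    names = cert.dns_names()
    if any(hostname_matches(n, want) for n in names):
        return True, "certificate is valid for %s" % want
    hint = ""
    if account.connect_host and any(
        hostname_matches(n, account.connect_host) for n in names
    ):
        hint = (" (it matches the connect host %s, which is not what "
                "rule 8 checks)" % account.connect_host)
    return False, ("The hostname does not match the one the certificate was "
                   "issued to: expected %s, certificate names %s%s"
                   % (want, names, hint))


if __name__ == "__main__":
    # dvega's situation from post #1, reconstructed with the thread's names.
    acct = Account("dvega@somecompany.com", connect_host="rtc.somecompany.com")
    print(verify_server_cert(acct, Certificate("rtc.somecompany.com")))
    # A certificate the server admins could deploy instead: it names both hosts.
    fixed = Certificate("rtc.somecompany.com",
                        san_dns=["rtc.somecompany.com", "somecompany.com"])
    print(verify_server_cert(acct, fixed))
```

Running it prints the same "hostname does not match" verdict Psi gave for the CN=rtc.somecompany.com certificate, and an acceptance for a certificate that also lists somecompany.com, which is the fix dvega says he will ask the server admins for.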
dvega #7
Member since Jun 2003 · 10 posts · Location: Argentina
Group memberships: Members
Infinity, as usual you're right!  That's why Psi is the Best Jabber Client. B)

I'll report this misconfiguration problem to the Jabber server admins and try to convince them to correct/update the certificate.

Thanks and sorry for the fuss
speedhost #8
User title: SpeedHost
Member since Apr 2008 · 1 post
Group memberships: Members
Yes, Psi is the Best Jabber Client!
Works fine with SSL Certificate.
This post was edited on 2008-04-30, 18:51 by Kev.