hostname

alexjonlin #1
Member since 01/2006 · 1 post
Group memberships: Members
Subject: hostname
I am using Google Talk and keep getting an error that says: hostname does not match one that certificate was issued to. How do I solve this?
IceRAM (Moderator) #2
Member since 05/2003 · 1286 posts · Location: Bucharest, Romania
Group memberships: Global Moderators, Members
Google Talk HowTo: FAQ - Why do I get the "failed authenticity test" error?
michalj (Moderator) #3
Member since 04/2004 · 2167 posts · Location: Legionowo, Poland
Group memberships: Global Moderators, Members
You may disable SSL warnings in account options (You shouldn't do that, though).
Michał Jazłowiecki (michalj)
Psi Forum & Wiki Moderator :: Psi-Daisy Author
spike (Administrator) #4
Member since 02/2003 · 1870 posts · Location: Leuven (Belgium)
Group memberships: Administrators, Developers, Members
Quote by michalj:
You may disable SSL warnings in account options (You shouldn't do that, though).
Well, as a user, you don't have control over the security of your server. In this case, this is the only easy way to overcome the warning, I guess.
- Remko
linmax #5
Member since 11/2005 · 6 posts · Location: Europe
Group memberships: Members

This isn't true anymore. The certificate on talk.google.com:5223 is signed by Equifax. If I add their certificate to Psi's certs folder I'm getting an error saying: The hostname does not match the one the certificate was issued to.

The common name of the googletalk certificate is talk.google.com so I think Psi tries to validate it against the domain name of the JID (which is of course different).

According to http://forum.psi-im.org/thread/2632 this is the right behavior of Psi.
The problem is that it's a design limitation of the legacy encryption method, because at the beginning of the connection, when certificates are exchanged, the server doesn't know what certificate to send. If you use TLS (which Psi doesn't support yet) this should work (in case Google has set it up correctly).

Maxi
This post was edited on 01-19-2006, 07:03 by linmax.
infiniti (Administrator) #6
Member since 09/2002 · 1374 posts · Location: California, USA
Group memberships: Administrators, Developers, Members
Quote by linmax:
According to http://forum.psi-im.org/thread/2632 this is the right behavior of Psi.
The problem is that it's a design limitation of the legacy encryption method, because at the beginning of the connection, when certificates are exchanged, the server doesn't know what certificate to send. If you use TLS (which Psi doesn't support yet) this should work (in case Google has set it up correctly).

I just wanted to say that I've confirmed that the correct certificate is sent out by Google if you use TLS (or more specifically, the STARTTLS mechanism over port 5222, which, yes, Psi does not support yet).

It seems to me that they should always send out the gmail.com certificate, though. Or are there secret JIDs that actually use @talk.google.com?
-Justin
linmax #7
Member since 11/2005 · 6 posts · Location: Europe
Group memberships: Members
There are also @googlemail.com domains, so this does not work.

Maxi
jimbostyx #8
Member for 2 months · 1 post
Group memberships: Members
Sorry to bump this after so long.

When using a Gmail account, everything works fine.  If I use my Google Apps account however, I get the same error as the OP.  Now I doubt there will ever be a way for me to import my domain's certificate into Google's server, so it needs to validate against talk.google.com.

Currently my SRV records look something like this:
_xmpp-server._tcp.domain.com.     SRV      5     86400     0 5269 xmpp-server.l.google.com.

I am manually specifying talk.google.com in Psi.  Does it use SRV records to look up the authentication server?  If so, would changing the SRV record to talk.google.com resolve the issue?  If not, could Psi use the manually specified server hostname instead of the domain portion of the JID?
Chris Archer #9
Member since 08/2007 · 8 posts
Group memberships: Members
Help for Google Apps provides SRV records only for server2server. To enable client2server with server autodetection, add the following records to your domain:

_xmpp-client._tcp.gt.domain.com. 3600 IN SRV 20 0 5222 xmpp-server2.l.google.com.
_xmpp-client._tcp.gt.domain.com. 3600 IN SRV 20 0 5222 xmpp-server3.l.google.com.
_xmpp-client._tcp.gt.domain.com. 3600 IN SRV 20 0 5222 xmpp-server4.l.google.com.
_xmpp-client._tcp.gt.domain.com. 3600 IN SRV 5 0 5222 xmpp-server.l.google.com.
_xmpp-client._tcp.gt.domain.com. 3600 IN SRV 20 0 5222 xmpp-server1.l.google.com.
Albert #10
Member since 04/2005 · 29 posts
Group memberships: Members
Quote by jimbostyx:
Does it use SRV records to look up the authentication server?
Yes, use 0.11 or newer. For google based accounts which are properly configured on the server side, all you need to connect is to enter your JID and password and the default profile will allow you to connect. You might want to make sure the settings under the connection tab are decent if you convert from an earlier version.
infiniti (Administrator) #11
Member since 09/2002 · 1374 posts · Location: California, USA
Group memberships: Administrators, Developers, Members
Quote by jimbostyx on 03-23-2008, 04:18:
When using a Gmail account, everything works fine.  If I use my Google Apps account however, I get the same error as the OP.  Now I doubt there will ever be a way for me to import my domain's certificate into Google's server, so it needs to validate against talk.google.com.

We are considering adding an option in the future for trusting an alternate domain.  So you would explicitly type 'talk.google.com' into your account settings and Psi will trust it for your domain.

This has the drawback that you lose some of the automation (SRV becomes mostly useless), all of your users will need to be configured in a special way, and if you ever transfer your domain away from Google Apps then you'll want to reconfigure all the clients.  The correct solution would be for Google to allow you to upload a certificate for it to use.  I suggest you file a feature request with them. :)
-Justin
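
The identity check this thread turns on, as an added example (not Psi's code and not written by any poster): the certificate is compared with the domain part of the JID, never with the host the client connected to, and the optional `trusted_alt` argument models the "trust an alternate domain" setting described above. The function names, `example.com` and the certificate name lists are constructed for illustration.

```python
def jid_domain(jid: str) -> str:
    """Domain part of a JID of the form [local@]domain[/resource]."""
    bare = jid.split("/", 1)[0]            # drop the resource
    return bare.split("@", 1)[-1].lower()  # drop the local part


def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a reference name.

    A '*' is honoured only as the entire left-most label and never
    spans more than one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def verify_identity(jid, cert_names, connect_host=None, trusted_alt=None):
    """Return (ok, matched_reference).

    connect_host (a manually typed server or an SRV target) is accepted
    only so callers can pass it; it is deliberately NOT a reference name,
    because plain DNS answers are not authenticated.
    """
    references = [jid_domain(jid)]
    if trusted_alt:                        # explicit, user-configured trust
        references.append(trusted_alt.lower())
    for ref in references:
        if any(name_matches(n, ref) for n in cert_names):
            return True, ref
    return False, None


# Constructed cases mirroring the thread (names only, no real certificates).
CASES = {
    "legacy SSL, gmail JID": verify_identity(
        "alice@gmail.com", ["talk.google.com"], connect_host="talk.google.com"),
    "STARTTLS, gmail JID": verify_identity("alice@gmail.com/psi", ["gmail.com"]),
    "hosted domain": verify_identity(
        "bob@example.com", ["talk.google.com"], connect_host="talk.google.com"),
    "hosted domain + alternate": verify_identity(
        "bob@example.com", ["talk.google.com"], trusted_alt="talk.google.com"),
}

if __name__ == "__main__":
    for label, result in CASES.items():
        print(f"{label:28} -> {result}")
```

The alternate name is trusted only because the user typed it into the account settings; a name learned from an SRV answer does not get that status.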
Noccy #12
Member for 2 months · 4 posts
Group memberships: Members
As for these warnings, why not add an "Ignore"-button that will store the fingerprint of the cert, and then only redisplay the dialog if it has changed? The "Ignore SSL warnings" option should do the same thing; alert if the fingerprint is different, because then you can assume that you're getting another certificate than expected :)

Regards,
Chris
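
A sketch of the behaviour proposed in this post, as an added example (not Psi's code): the fingerprint of an accepted certificate is remembered, the dialog stays quiet while the same certificate is presented, and it comes back as soon as a different one shows up. `PinStore`, `on_validation_warning`, the `ask_user` callback and the byte strings standing in for DER certificates are all constructed for illustration.

```python
import hashlib
import hmac


class PinStore:
    """Remembers one accepted certificate fingerprint per (domain, host)."""

    def __init__(self):
        self.pins = {}  # in memory here; a client would persist this

    @staticmethod
    def fingerprint(der: bytes) -> str:
        return hashlib.sha256(der).hexdigest()

    def status(self, domain: str, host: str, der: bytes) -> str:
        pinned = self.pins.get((domain.lower(), host.lower()))
        if pinned is None:
            return "unknown"
        same = hmac.compare_digest(pinned, self.fingerprint(der))
        return "match" if same else "changed"

    def pin(self, domain: str, host: str, der: bytes) -> None:
        self.pins[(domain.lower(), host.lower())] = self.fingerprint(der)


def on_validation_warning(store, domain, host, der, ask_user):
    """Decide whether to continue after a certificate warning.

    ask_user(reason) -> bool stands in for the dialog. It is skipped only
    when the presented certificate equals the one accepted earlier.
    """
    state = store.status(domain, host, der)
    if state == "match":
        return True                       # same cert as before: stay quiet
    if ask_user(state):                   # "unknown" or "changed": always ask
        store.pin(domain, host, der)
        return True
    return False


# Constructed stand-ins for DER-encoded certificates.
CERT_A = b"constructed-der-bytes-A"
CERT_B = b"constructed-der-bytes-B"
```

Keying the pin on both the account domain and the connect host means an acceptance made for one account is not reused for another domain served from the same host.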
machekku #13
User title: Crazy guy from Poland
Member since 07/2004 · 780 posts · Location: Poland
Group memberships: Developers, Members
Something like this is planned.
Maciek "Machekku" Niedzielski
Psi developer
Noccy #14
Member for 2 months · 4 posts
Group memberships: Members
Quote by machekku:
Something like this is planned.

Excellent! :)
Xavier1 #15
Member for a week · 1 post
Group memberships: Members
I added the SRV entries yesterday, exactly as you have specified (replacing "domain.com" with my domain), and am still not able to log in with my company's Google Apps account. Is there more to it than adding the SRV records to DNS?

_xmpp-client._tcp.gt.domain.com. 3600 IN SRV 20 0 5222 xmpp-server2.l.google.com.
_xmpp-client._tcp.gt.domain.com. 3600 IN SRV 20 0 5222 xmpp-server3.l.google.com.
_xmpp-client._tcp.gt.domain.com. 3600 IN SRV 20 0 5222 xmpp-server4.l.google.com.
_xmpp-client._tcp.gt.domain.com. 3600 IN SRV 5 0 5222 xmpp-server.l.google.com.
_xmpp-client._tcp.gt.domain.com. 3600 IN SRV 20 0 5222 xmpp-server1.l.google.com.

In the Psi Client I am using the exact same connection properties as the native Google Account that connects without issue.

Thanks for the help.
This post was edited on 05-01-2008, 13:12 by Xavier1.
Current time: 05-10-2008, 17:02:06 (UTC -04:00)