
Certificate error for (hopefully) valid certificate

Open rasky opened this issue 9 years ago • 9 comments

We are getting a certificate error in ChatSecure for Android for our XMPP company server (xmpp.develer.com). We are using an AlphaSSL SHA2 (GlobalSign CA) certificate, which is accepted by all browsers and libraries. It's the same certificate we use for our front-facing website (www.develer.com), if you want to quickly look at it. The CA is included in the Android CA root store.

We double-checked the configuration of ejabberd and everything looks correct; other chat programs (e.g.: Empathy for Linux, Messages for Mac OS X) don't report any warning with our XMPP server.

Is this a bug in ChatSecure? The XMPP server is globally accessible, so it will serve the certificate over STARTTLS even if you don't have an account there.

rasky avatar Nov 05 '14 15:11 rasky

Is it an error, or are you prompted to manually confirm it?

n8fr8 avatar Nov 05 '14 15:11 n8fr8

Confirmation prompt with [Always] [Once] [Abort] buttons

(I'm the ChatSecure user, rasky is the ssl man)

naufraghi avatar Nov 05 '14 15:11 naufraghi

Can you post a screenshot or type the exact message you are getting? (there are a few different errors that can trigger that).

Otherwise, it is likely that somehow we aren't trusting your CA by default. Have you properly configured any intermediate chain CA files that GlobalSign needs with your XMPP server?

https://support.globalsign.com/customer/portal/articles/1223298-alphassl-intermediate-certificates

n8fr8 avatar Nov 05 '14 15:11 n8fr8

Yes, the intermediate is shown by the ChatSecure GUI. We also tested the same intermediate with many online SSL checkers and everything is fine (obviously, the online testers talk to Apache and not ejabberd, but it at least proves that we are using the correct intermediate).

rasky avatar Nov 05 '14 16:11 rasky

[screenshot attached: 2014-11-05 17 07 42]

rasky avatar Nov 05 '14 16:11 rasky

Can you double check your ejabberd config? http://theadamsresidence.net/2012/04/01/ejabberd-and-ssl-certs/

n8fr8 avatar Nov 05 '14 16:11 n8fr8

Yes, I confirm it's correct as explained in that blog, we use a single file where everything is concatenated.

Can you run a debug build trying to login as [email protected] with a random password, and tell us exactly what internal TLS error triggers for our website? The warning screen you show in the user interface doesn't tell much.

rasky avatar Nov 05 '14 16:11 rasky
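The check rasky asks for above can be reproduced outside the app: open the XMPP stream, negotiate STARTTLS exactly as a client does, and let the system CA store verify the served chain against the XMPP domain. The script below is an added example written for this thread, not ChatSecure's code; it assumes Python 3.7+ (for `SSLCertVerificationError.verify_message`), the standard client port 5222, and uses xmpp.develer.com from the issue as the sample domain.

```python
import socket
import ssl

STARTTLS = b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"


def stream_header(domain: str) -> bytes:
    # The 'to' attribute is the XMPP domain, which is also the name the
    # server certificate must match (not necessarily the DNS hostname).
    return (f"<?xml version='1.0'?><stream:stream to='{domain}' "
            "xmlns='jabber:client' "
            "xmlns:stream='http://etherx.jabber.org/streams' "
            "version='1.0'>").encode()


def offers_starttls(features: bytes) -> bool:
    # True if <stream:features> advertises STARTTLS (RFC 6120 section 5).
    return b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'" in features


def proceeded(reply: bytes) -> bool:
    # The server answers <proceed/> (go ahead) or <failure/> in the TLS namespace.
    return b"<proceed" in reply and b"urn:ietf:params:xml:ns:xmpp-tls" in reply


def read_until(sock, marker: bytes, limit: int = 65536) -> bytes:
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def check_xmpp_cert(domain: str, host: str = None, port: int = 5222):
    """Return (ok, detail): the leaf subject on success, otherwise the exact
    verification failure the client library reports."""
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    with socket.create_connection((host or domain, port), timeout=10) as raw:
        raw.sendall(stream_header(domain))
        if not offers_starttls(read_until(raw, b"</stream:features>")):
            return False, "server did not offer STARTTLS"
        raw.sendall(STARTTLS)
        if not proceeded(read_until(raw, b"/>")):
            return False, "server refused STARTTLS"
        try:
            with ctx.wrap_socket(raw, server_hostname=domain) as tls:
                return True, tls.getpeercert().get("subject")
        except ssl.SSLCertVerificationError as e:
            return False, f"{e.reason}: {e.verify_message}"


if __name__ == "__main__":
    print(check_xmpp_cert("xmpp.develer.com"))
```

A failure such as "unable to get local issuer certificate" points at a missing or mis-ordered intermediate in the concatenated file, while "hostname mismatch" means the leaf does not cover the XMPP domain.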

Sure, we can do that. Not sure of the timetable, but will put it on our list.

n8fr8 avatar Nov 05 '14 18:11 n8fr8

OK @n8fr8 let us know if you have time to find out something.

rasky avatar Nov 12 '14 01:11 rasky