
Certificate error connecting to gmail.com: no SNI provided

Open Grundik opened this issue 6 years ago • 11 comments

I'm using Psi+ v1.3.425 (2018-10-14, Psi:02fbdec1, Psi+:9351ce3), Qt version 5.11.2 on debian linux (latest available distro version of psi+).

When PSI+ connects to gmail.com it complains «The gmail.com certificate failed the authenticity test. Certificate is self-signed». Detailed info shows the following certificate info:

Subject Details:
Organizational unit:  No SNI provided; please fix your client.
Common name:  invalid2.invalid

Issuer Details:
Organizational unit:  No SNI provided; please fix your client.
Common name:  invalid2.invalid

Fingerprint(MD5): 90:4A:C8:D5:44:5A:D0:6A:8A:10:FF:CD:8B:11:BE:16
Fingerprint(SHA-1): 42:59:51:7C:D4:E4:8A:28:9D:33:2A:B3:F0:AB:52:A3:66:32:28:24

Seems like PSI+ does not provide SNI while connecting to TLS (STARTTLS?) hosts.

Probably it's a common issue with Google TLS services, e.g. https://bugzilla.redhat.com/show_bug.cgi?id=1611815

Grundik avatar Oct 22 '18 12:10 Grundik
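The handshake step this report is about, as an added example that is not Psi+ or iris code: an XMPP STARTTLS upgrade in Python's standard library that sets `server_hostname` (which populates the SNI extension and is also the name the certificate is checked against), plus a small check for the placeholder certificate quoted above. The stream opener and STARTTLS request are constructed from the XMPP framing in RFC 6120; the subject strings are copied from the report; `xmpp_starttls` and `is_no_sni_placeholder` are hypothetical names chosen here.

```python
# Added example, not Psi+/iris code: an XMPP STARTTLS upgrade that sends SNI,
# plus a check for the placeholder certificate quoted in the report.
import socket
import ssl

# Subject fields copied from the certificate shown in the issue. They are the
# values Google's front end returns when the ClientHello carries no SNI.
NO_SNI_OU = "No SNI provided; please fix your client."
NO_SNI_CN = "invalid2.invalid"

# Constructed XMPP stream opener and STARTTLS request (RFC 6120 framing).
STREAM_OPEN = ("<?xml version='1.0'?><stream:stream to='{domain}' "
               "xmlns='jabber:client' "
               "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>")
STARTTLS = "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"


def is_no_sni_placeholder(cert: dict) -> bool:
    """True if a certificate's subject is the 'no SNI' placeholder.

    `cert` uses Python's ssl.getpeercert() layout: cert["subject"] is a tuple
    of RDNs, each a tuple of (attribute type, value) pairs.
    """
    fields = {}
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            fields[key] = value
    return (fields.get("commonName") == NO_SNI_CN
            or NO_SNI_OU in fields.get("organizationalUnitName", ""))


def make_client_context() -> ssl.SSLContext:
    """Verifying context: system CAs, hostname check on, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def verifying_handshake_requires_sni() -> bool:
    """Python's ssl refuses a hostname-verifying handshake with no SNI value.

    The check fires inside wrap_socket before any connection is attempted,
    so this runs offline and shows why a client cannot 'forget' SNI here.
    """
    ctx = make_client_context()
    with socket.socket() as raw:
        try:
            ctx.wrap_socket(raw, server_hostname=None)
        except ValueError:
            return True
    return False


def _read_until(sock, *markers, limit=65536) -> str:
    """Collect server XML until one of `markers` appears (or the peer closes)."""
    buf = b""
    while len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        text = buf.decode("utf-8", "replace")
        if any(m in text for m in markers):
            return text
    return buf.decode("utf-8", "replace")


def xmpp_starttls(domain: str, host: str = None, port: int = 5222) -> dict:
    """Connect, negotiate <starttls/>, then upgrade with SNI = XMPP domain.

    `host` is the server to dial (normally the SRV target); the certificate
    must match `domain`, so that is what goes into SNI and hostname checking.
    Returns the verified peer certificate dict, or raises on failure.
    """
    raw = socket.create_connection((host or domain, port), timeout=15)
    raw.sendall(STREAM_OPEN.format(domain=domain).encode())
    features = _read_until(raw, "</stream:features>")
    if "urn:ietf:params:xml:ns:xmpp-tls" not in features:
        raw.close()
        raise RuntimeError("server did not offer STARTTLS")
    raw.sendall(STARTTLS.encode())
    reply = _read_until(raw, "<proceed", "<failure")
    if "<proceed" not in reply:
        raw.close()
        raise RuntimeError("STARTTLS refused: " + reply)
    # The step the report is about: server_hostname fills the SNI extension.
    # Without it a front end like Google's answers with the self-signed
    # placeholder, which a verifying context rejects with
    # SSLCertVerificationError, the same "self-signed" symptom Psi+ shows.
    tls = make_client_context().wrap_socket(raw, server_hostname=domain)
    cert = tls.getpeercert()
    tls.close()
    return cert


if __name__ == "__main__":
    print(xmpp_starttls("gmail.com"))
```

`is_no_sni_placeholder` is meant for a certificate dict in the `getpeercert()` layout, for example the subject fields a client shows in its certificate dialog; a verifying handshake never returns the placeholder because it fails as self-signed first.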

From what I understand in the code, if we change

d->tlsHandler->setXMPPCertCheck(true);

to

d->tlsHandler->setXMPPCertCheck(false);

in psiaccount.cpp, it will start working. But I don't understand what the goal of implementing setXMPPCertCheck was. Maybe to relax connections to some old TLS servers.

Ri0n avatar Dec 16 '18 09:12 Ri0n

As far as I see, in the iris library the class QCATLSHandler uses QCA::TLS. As far as I see in the QCA library, in qca_securelayer.h (from Debian Sid):

	enum Version
	{
		TLS_v1, ///< Transport Layer Security, version 1
		SSL_v3, ///< Secure Socket Layer, version 3
		SSL_v2, ///< Secure Socket Layer, version 2
		DTLS_v1 ///< Datagram Transport Layer Security, version 1
	};

And here I am completely confused: where are the analogues of QSsl::TlsV1_1, QSsl::TlsV1_2, QSsl::TlsV1_3, etc. from current versions of Qt? Does this version of QCA support modern versions of TLS at all?

tehnick avatar Dec 16 '18 19:12 tehnick

I think we have to start migration to Qt native secure sockets after the release. This will also solve a problem when both openssl and libressl libraries are required in some cases.

Ri0n avatar Dec 16 '18 19:12 Ri0n

Hi, the issue is still unsolved. Will Psi+ get SNI support?

Massimo-B avatar Aug 22 '19 07:08 Massimo-B

I will review if we can avoid using QCA for TLS in some next releases. I'm not sure what other problems it can bring.

Ri0n avatar Aug 22 '19 07:08 Ri0n

Any news? Should we close this issue?

Vitozz avatar May 29 '20 20:05 Vitozz

Psi+ v1.4.1231 (2020-05-13, Psi:b20d2fb4, Psi+:2170e90), Qt 5.12.5, problem still persists.

Grundik avatar Jun 01 '20 10:06 Grundik

@Grundik: What is the situation in 2024?

Has Google Mail stopped XMPP support?

Neustradamus avatar Apr 25 '24 23:04 Neustradamus

Unfortunately I don't know how it is in 2024: XMPP is mostly dead now. I haven't been using it at all for years.

Grundik avatar May 06 '24 13:05 Grundik

@Grundik: Thanks for your answer!

XMPP is still here in 2024, widely used in the world...

Neustradamus avatar May 06 '24 14:05 Neustradamus

I don't want to argue: XMPP was the good thing of its time; I used it for more than a decade, but as of today I'm not an active user of it (via PSI+ or otherwise), so I'm unaware of its current support status with Google or other former providers.

Grundik avatar May 06 '24 14:05 Grundik