Store full certificate chains; build chains on connect, and send them to to the server. about mumble-iphoneos HOT 24 CLOSED

Thanks for the heads up. Is this a standard Murmur, or is there something exotic about your setup? I'm just curious why this happens on your server only (seemingly). :)

I'll force TLS 1.0 for now. Do you have a hostname:port I can test this on? (I don't need credentials, I just need to do a TLS handshake). A PM will do.

from mumble-iphoneos.

I had a look at this. The iOS app already forces itself to use TLSv1 using the keys described in the technical note above.

Anyway, I'm still interested in a hostname:port to debug this, or a description of a configuration to reproduce this.

from mumble-iphoneos.

vps.neverstops.com.br:64738 it's a standard murmur on a ubuntu 10.10 (running on OpenVZ, this is the only non standard thing)

from mumble-iphoneos.

I just tried this on my iPhone, and couldn't reproduce.

The -9806 error simply means errSSLClosedAbort, which could be any TLS abort.

Does it work without the certificate from your computer? (And is that a Mumble generated certificate, or a CA-signed one?)

from mumble-iphoneos.

I'm using a Comodo Free Email Certificate (http://www.comodo.com/home/email-security/free-email-certificate.php) for it, and not the Mumble generated one.

As you asked me, the mobile generated certificate (from MumbleApp), works fine.

from mumble-iphoneos.

Have you been able to reproduce the problem using a Comodo certificate? Please tell me if there is any way I can debug it locally, I do have a Macbook and can download/install iOS SDK

from mumble-iphoneos.

My apologies for the letting the ticket sit for 5 days, Brodock. I'll have a look later today.

Do you have any way of testing this on your own device? If not, PM or email me your device's UDID and I'll add you as a beta tester, so you can actually use the fix.

from mumble-iphoneos.

I've tracked this down. I can successfully connect to the server once I send the whole certificate chain. (Only the leaf certificate is being sent as-is with the 1.0 client.)

An inconvenient little oversight on my part. I had hoped (and thought) that storing a SecIdentityRef to the iOS app's keychain would also store the rest of the chain. That seems not to be the case.

from mumble-iphoneos.

BTW, are you positive that the chain is also accepted when you connect with your desktop client?

I'm seeing the same behavior there, as on the iOS client.

from mumble-iphoneos.

2012-03-21 10:48:15.632 1 => 91:(-1) Strong certificate for <...> (signed by UTN-USERFirst-Client Authentication and Email)

Well mumble-server log seems to accept my certificate as a "Strong" (I believe it means valid one).

Also using the information you gave me about the problem, it seens that the problem was in fact related with CA chain, as, trying to connect with MumbleApp and copying the log I get:

2012-03-21 10:55:05.172 1 => 94:(-1) New connection: ...:62318
2012-03-21 10:55:06.230 1 => 94:(-1) SSL Error: The root CA certificate is not trusted for this purpose
2012-03-21 10:55:06.232 1 => 94:(-1) SSL Error: No certificates could be verified
2012-03-21 10:55:06.233 1 => 94:(-1) Connection closed: [-1]

from mumble-iphoneos.

How have you imported the certificate into the desktop app? Are you on Linux, OS X or Windows?

from mumble-iphoneos.

Nevermind, the PKCS12 file that I export from Keychain contains something very disturbing...

from mumble-iphoneos.

Aha, it turns out that the chain was just longer than I expected. The chain I exported as .p12 to the iOS client worked fine on there, but was missing one of the intermediates (which is apparently bundled on iOS). Once I built a correct chain, desktop app works fine as well.

OK. The issue is as the title says, and I hope to implement it today.

from mumble-iphoneos.

OK, committed a fix for this. You'll have to re-import your .p12 file in order for the whole chain to be present, though.

Can you confirm whether or not this works for you? I've sent beta details to you via email.

from mumble-iphoneos.

I have a fresh install of murmur on ubuntu and am seeing the same issue. Comodo issued cert works on Mac client, fails on iOS client.

from mumble-iphoneos.

It's (sort of) fixed in the repo. I've just discovered some issues that I'll need to weed out.

from mumble-iphoneos.

Tried again with Self-Signed Cert and it worked properly.

from mumble-iphoneos.

I believe this is fixed in Git now, with 187cce4. I'll build a beta snapshot shortly.

from mumble-iphoneos.

Closing this as fixed, since no one has reported otherwise.

from mumble-iphoneos.

Hi guys,

I have the same issues using Mumble 1.0 on iOS 5.1 and a fresh installed murmurd 1.2.2-6+squeeze1 on Debian Squeeze (installed from distro repo).

When using Mumble 1.2.3 on Windows 7 with StartSSL.com Client-Certificate there is no problem.
When using Mumble 1.0 on iOS 5.1 with the same client-certificate it does not work.

Log with Windows Client Login:

<W>2012-04-06 18:03:05.203 Initializing settings from /etc/mumble-server.ini (basepath /etc)
<C>2012-04-06 18:03:05.204 Adding 1 CA certificates from certificate file.
<W>2012-04-06 18:03:05.215 SSL: Added CA certificates from '/etc/ssl/certs/ca-certificates.crt'
<C>2012-04-06 18:03:05.220 Successfully switched to uid 113
<W>2012-04-06 18:03:05.223 ServerDB: Openend SQLite database /var/lib/mumble-server/mumble-server.sqlite
<W>2012-04-06 18:03:05.225 Resource limits were 0 0
<W>2012-04-06 18:03:05.225 Successfully dropped capabilities
<W>2012-04-06 18:03:05.229 DBus registration succeeded
<W>2012-04-06 18:03:05.230 MurmurIce: Endpoint "tcp -h 127.0.0.1 -p 6502" running
<W>2012-04-06 18:03:05.231 OSInfo: Failed to execute lsb_release
<W>2012-04-06 18:03:05.231 Murmur 1.2.2 (1.2.2-6+squeeze1) running on X11: Linux 2.6.32-5-amd64: Booting servers
<W>2012-04-06 18:03:05.241 1 => Server listening on [::]:64738
<W>2012-04-06 18:03:05.250 1 => Announcing server via bonjour
<W>2012-04-06 18:03:39.116 1 => <1:(-1)> New connection: 80.145.38.251:54795
<W>2012-04-06 18:03:39.531 1 => <1:(-1)> Strong certificate for [email protected] <[email protected]> (signed by StartCom Certification Authority)
<W>2012-04-06 18:03:39.607 1 => <1:(-1)> Client version 1.2.3 (Win: 1.2.3)
<W>2012-04-06 18:03:39.618 1 => Starting voice thread
<W>2012-04-06 18:03:39.623 1 => CELT codec switch ffffffff80000010 0 (prefer ffffffff80000010)
<W>2012-04-06 18:03:39.634 1 => <1:M3d1c5(1)> Authenticated
<C>2012-04-06 18:04:02.310 Caught SIGTERM, exiting
<W>2012-04-06 18:04:02.310 Killing running servers
<W>2012-04-06 18:04:02.317 1 => Stopped announcing server via bonjour
<W>2012-04-06 18:04:02.320 1 => Stopped
<W>2012-04-06 18:04:02.320 Shutting down
<W>2012-04-06 18:04:02.320 MurmurIce: Shutdown complete

Log with iOS Client Login:

<W>2012-04-06 18:05:17.276 Initializing settings from /etc/mumble-server.ini (basepath /etc)
<C>2012-04-06 18:05:17.277 Adding 1 CA certificates from certificate file.
<W>2012-04-06 18:05:17.287 SSL: Added CA certificates from '/etc/ssl/certs/ca-certificates.crt'
<C>2012-04-06 18:05:17.308 Successfully switched to uid 113
<W>2012-04-06 18:05:17.311 ServerDB: Openend SQLite database /var/lib/mumble-server/mumble-server.sqlite
<W>2012-04-06 18:05:17.316 Resource limits were 0 0
<W>2012-04-06 18:05:17.317 Successfully dropped capabilities
<W>2012-04-06 18:05:17.319 DBus registration succeeded
<W>2012-04-06 18:05:17.320 MurmurIce: Endpoint "tcp -h 127.0.0.1 -p 6502" running
<W>2012-04-06 18:05:17.321 OSInfo: Failed to execute lsb_release
<W>2012-04-06 18:05:17.321 Murmur 1.2.2 (1.2.2-6+squeeze1) running on X11: Linux 2.6.32-5-amd64: Booting servers
<W>2012-04-06 18:05:17.336 1 => Server listening on [::]:64738
<W>2012-04-06 18:05:17.342 1 => Announcing server via bonjour
<W>2012-04-06 18:05:30.705 1 => <1:(-1)> New connection: 80.145.38.251:52982
<W>2012-04-06 18:05:32.497 1 => <1:(-1)> SSL Error: The root CA certificate is not trusted for this purpose
<W>2012-04-06 18:05:32.503 1 => <1:(-1)> SSL Error: No certificates could be verified
<W>2012-04-06 18:05:32.511 1 => <1:(-1)> Connection closed:  [-1]
<C>2012-04-06 18:05:42.828 Caught SIGTERM, exiting
<W>2012-04-06 18:05:42.828 Killing running servers
<W>2012-04-06 18:05:42.837 1 => Stopped announcing server via bonjour
<W>2012-04-06 18:05:42.842 1 => Stopped
<W>2012-04-06 18:05:42.842 Shutting down
<W>2012-04-06 18:05:42.842 MurmurIce: Shutdown complete

The problems occur on the server twattle.net:64738. But I have the same problems with the server mumble.piratenpartei-nrw.de:64738.

Christian

from mumble-iphoneos.

Hi M3d1c5,

This is fixed in the repo, and in the latest beta builds,

Hang on a little longer, and verison 1.1. will appear on the App Store.

Until then, I can only suggest you to use a temporary self-signed certificate.

Mikkel

from mumble-iphoneos.

Thank you for this information. :-)

Mikkel Krautz
mailto:[email protected]
Freitag, 6. April 2012 18:42
Hi M3d1c5,

This is fixed in the repo, and in the latest beta builds,

Hang on a little longer, and verison 1.1. will appear on the App Store.

Until then, I can only suggest you to use a temporary self-signed
certificate.

Mikkel

---

Reply to this email directly or view it on GitHub:
#47 (comment)

from mumble-iphoneos.

just to confirm, it's working fine now :)

from mumble-iphoneos.

Excellent. Thanks!

from mumble-iphoneos.