
wg-pic - psi interface and certificate validation notes

Subject: Presence and IntComm WG

  • From: Neal McBurnett <>
  • To: wg-pic <>
  • Subject: psi interface and certificate validation notes
  • Date: Thu, 19 Oct 2006 12:18:03 -0600 (MDT)

> [ACTION] (10/12) Candace and Neal will send out their notes from the
> October 5 Psi testing session ahead of the October 19 session.

Here are some notes, "just in time...". They are very rough, but
should provide some good links, information and grist to work on.

I think we could help ourselves and others by helping update the psi
wiki at http://psi-im.org/wiki/

Cheers,

Neal McBurnett http://mcburnett.org/neal/
Signed and/or sealed mail encouraged. GPG/PGP Keyid: 2C9EBA60

----

"XML Console" log is very handy (right click on your own id, and enable it)
"send message to group" (right click on group name) seems handy
and seems that you can edit the To: line to change addressees

lots of features - can be confusing, but powerful

By default, doesn't pop up windows when folks try to add you or talk
to you - need to notice changes at bottom of "psi" window, and find
pulsing terminal icon next to users in question

things to test:
file transfer
end-to-end encryption
using xml console to generate custom control messages (what would be useful?)
logging (options/chat/delete chat window contents?)

options:
what is options/application/docklet?

chat: raise chat window when received; tabbed mode; compact mode

events: new headlines? [msn alerts]

groupchat: word highlighting
colored nick highlighting - not working?

PSI does more SSL certificate verification than most xmpp clients, it
seems, and presents warning dialog boxes.

Notes on the certificate warning messages:

The jabber.org certificate failed the authenticity test.
Reason: invalid CA certificate
How to configure new root CAs, e.g. cacert.org
for cacert as root: get by hand or use
http://affinix.com/~justin/cacert.xml
for self-signed cert: use add_psi_cert.sh script (which won't chase
for the appropriate self-signed root cert, which psi demands....)
worked for self-signed cert at jabberwocky.net.isc.upenn.edu
[what is plan for "native cert database" in linux?]
prefer just putting new cert file in the directory

gmail - must Modify Account/Connection/Ignore SSL Warnings and
Allow Plaintext Login
see http://forum.psi-im.org/thread/3512
deal with gmail also - hostname does not match the one the
certificate was issued to. account: gmail.com in jabberid, but
server is talk.google.com. cert is for: talk.google.com. it
would work if psi could do the STARTTLS mechanism over port 5222
and see: http://forum.psi-im.org/thread/2632
though I'm not convinced. User does enter server name in config....

see pages 1 and 2 of
http://forum.psi-im.org/thread/2597,2;nocount;?unb893sess=f2137b54830e575db4482e88044687cf#postlisttop

http://psi-im.org/wiki/SSL_Certificates_(QCA1)
fix page to refer to cacert.xml file; note limitations of shell script;
figure out why doesn't work to put root cert in rootcert.xml file;
clarify it is a _subfolder_ of ~/.psi called certs

[Get psi to include it and/or allow non-self-signed cert in certs dir....]
or Account Setup->Modify->Connection->Ignore SSL warnings.

manual addition:
http://www.christophseibert.de/weblog/en/it/internet/instant-messaging/mac-psi-cacert.html

http://article.gmane.org/gmane.network.jabber.admin/17613
CA tests: To verify that you are allowed to use the domain you request the
certificate for, it is enough to have access to the postmaster mail
account of this domain. This access can be gotten by just
registering a jabber account "postmaster" at amessage.
http://mailman.jabber.org/pipermail/jadmin/2004-October/018669.html

/usr/X11R6/share/psi/certs/rootcert.xml

2004 cacert complaints [many of which may be misinterpretations or
have changed since then??]:
I don't see any place where they list the "reserved" accounts they
accept for requests.
when you try to add "example.com" to your account in CAcert, you'll
be presented the following list of addresses with which you can
prove ownership of the domain:
root, hostmaster, postmaster, admin, webmaster. (all @example.com)

halr9000 (Administrator) 08-15-2006, 21:49
In a future version (possibly 0.11), this will be handled
differently. We will use the OS's native certificate store so no
more hacking strange files.
infiniti and polish certum ca
Even so, if they aren't in IE then I'm not going to add them.
For now you'll have to manually add them to your Psi rootcerts if needed.

http://forum.psi-im.org/thread/2597

I saw this on the homepage of CAcert :
https://www.cacert.org/index.php?id=3
Anyone can help? Thanks
edit : forget about that, I think I found what I need in this thread
http://psi.affinix.com/forums/index.php?ac...0&hl=certificat
edit2 : and the script there will fulfill my dreams I think
http://psi.affinix.com/forums/index.php?ac...7&hl=certificat

http://www.cacert.org/help.php?id=2#notes

2006-09-13T14:16:49-0600 works with jabber.org, but error with google:
"tls handshake error"


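The gmail.com warning in the notes above (JID domain gmail.com, server and certificate talk.google.com) comes down to which name the certificate is compared against; RFC 6120 has clients check the domain part of the JID, not the host they connect to. An added Python example, not part of the original message and not Psi's code, using constructed certificate names and hypothetical function names:

```python
from __future__ import annotations


def label_match(pattern: str, host: str) -> bool:
    """Match one certificate dNSName against a host name.

    '*' is honoured only as the entire left-most label, covers exactly
    one label, and is refused directly above a top-level domain.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def check_identity(jid: str, connect_host: str, san_dns: list[str]) -> dict:
    """Report which reference identity the certificate's dNSNames cover."""
    # Drop the resource first, then the local part, leaving the JID domain.
    domain = jid.split("/", 1)[0].split("@", 1)[-1]
    jid_ok = any(label_match(n, domain) for n in san_dns)
    host_ok = any(label_match(n, connect_host) for n in san_dns)
    if jid_ok:
        verdict = "ok"
    elif host_ok:
        verdict = "mismatch: cert names connect host, not JID domain"
    else:
        verdict = "mismatch: cert names neither"
    return {"jid_domain": domain, "jid_ok": jid_ok,
            "host_ok": host_ok, "verdict": verdict}


if __name__ == "__main__":
    # Constructed inputs mirroring the two accounts in the notes.
    cases = [
        ("user@gmail.com/home", "talk.google.com", ["talk.google.com"]),
        ("user@jabber.org", "jabber.org", ["jabber.org", "*.jabber.org"]),
    ]
    for jid, host, names in cases:
        print(jid, "->", check_identity(jid, host, names)["verdict"])
```

The first case reports a mismatch even though the certificate is valid for the server actually contacted, which is the situation that pushes users toward "Ignore SSL Warnings".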