Domain 'jabber.org' hard coded in cert error screen?

[Michael]

I'm running Adium 1.2b7 (but it happened on b6 as well) and for one of my Jabber accounts it gives a cert error. The error is due to the specific Jabber server using a cert with CN=*.xs4all.nl instead of jabber.xs4all.nl. This is obviously a thing for them to fix on their side but there is one thing that surprises me. The error screen says: "The certificate of the server jabber.org is not trusted,...". Shouldn't that say 'jabber.xs4all.nl' instead of 'jabber.org'? Could jabber.org be hard coded into this error screen?

[evands]

I just made an accounton jabber.xs4all.nl and got the cert screen; it definitely shows the correct server.

Do you also have a jabber.org account? Is it possible that you were seeing the cert vertification sheet for it?

[Michael]

The only other Jabber/XMPP account I have is a GoogleTalk account, and that works fine. The specific account that shows this error tries to log in to jabber.xs4all.nl.

Since it is a misconfiguration on the xs4all.nl domain and I try to login to jabber.xs4all.nl it doesn't seem very likely to be related to jabber.org.

It is odd that it doesn't happen to you, though. I might need to delete the account and reconfigure it from scratch to see if that helps.

[Michael]

Oh, and by the way, I am on 10.4.11. I suppose you're on 10.5.1?

[evands]

'k, just wanted to make sure we didn't have a simple matter of confusion before delving into this further.

I am on 10.5.1.

Could you show the Adium Debug Window contents from starting the connection to the cert window being shown please?

[Michael]

Debug info for ticket 8698

[Michael]

OK, I've added a copy paste of what I thought was the relevant part of the debug log. I've replaced my username with **my-username**.

You are right that apparently it is a jabber.org account after all (long time since I created it so I must have forgotten) but there is still something odd. The issue arises because of an incorrectly configured server at xs4all.nl. I think the warning should mention that the issue lies with the server jabber.xs4all.nl or the domain xs4all.nl and not jabber.org as that is technically incorrect. It will probably confuse people trying to trouble shoot the issue.

As Xs4all is a rather large Dutch ISP I assume more people will run into this error when Adium 1.2 is released.

[evands]

So you're connecting an @jabber.org account to jabber.xs4all.nl? I guess it lets you whatever domain name you want?

[Michael]

Apparently it does. To be honest, I've set this up years ago so have forgotten the details but it has always worked this way.

It appears to me Adium's error message should report the connecting server that gives back a faulty cert and not the account domain. True, often they will be one and the same but apparently there are exceptions to this.

[Michael]

Could this be related to  http://trac.adiumx.com/ticket/8529? The server domain and JID domain being mixed up?

[kena]

Replying to Michael:

Apparently it does. To be honest, I've set this up years ago so have forgotten the details but it has always worked this way.

Michael, this deserves to be double-checked.

To my knowledge (and I am also customer of XS4all in the Netherlands), Jabber IDs at XS4all are of the form username@… and users are requested to connect using the server name "jabber.xs4all.nl" (they don't have DNS SRV records for _xmpp-client._tcp.xs4all.nl at this time.)

I don't believe XS4all's Jabber server accepts login requests from usernames of the form login@…. If it does, it's a violation of the Jabber RFCs. If it doesn't, you should check how your buddies in your roster actually see your Jabber ID from their side.

Two situations:

1) they confirm they see you @jabber.org. In this case, you are likely not connecting via jabber.xs4all.nl. That would need to be checked at the network level.

2) they see you @xs4all.nl. In this case, the discussion is moot.

[kena]

I'd like to cross this discussion with #8787.

[Robby]

Sorry for the lacking response.

Is this still an issue?

[Michael]

The problem is, it is hard to tell whether the issue still exists. It was an error in a cert error prompt. As the error causing the error screen to pop up in the first place has been fixed I can't reproduce the error screen to check. (You still there? :D )

Since there have been numerous patches with regards to SSL certs and jabber JIDs the code is likely to be fixed as a side effect.

I'd say close it as fixed or invalid, if it does pop up later I can always open it again.

[Robby]

I do understand now, thanks for clarification and the follow-up in general! :)

As you suggested I'll close this ticket for the time being.