Leopard iChat (4.0.2) with Openfire 3.4.5 certificate problems

I’m trying to use the iChat (4.0.2 604) that comes with Leopard (OSX 10.5.2) to authenticate to my Openfire 3.4.5 server.

I have the server configured properly with a certificate signed by my CA, and have the certificate properly chaining. When I visit the admin web interface, I get no certificate errors in Safari (I have the root CA in my system keychain). I can successfully authenticate with GSSAPI or a password from Adium, and get no certificate errors.

When I try to connect with iChat I get prompted for my password. However, I then receive an error that iChat can’t verify the identity of the server because the certificate was signed by an unknown certifying authority. If I click the show certificate button, it shows the certificate properly chained to the intermediate cert, then to the root cert, and the root cert is marked as trusted for all users.

If I click continue, I get prompted for my password again, then get the certificate error dialog again. Even if I check the box to trust the certificate, I continue getting cert errors.

Has anyone successfully gotten SSL/TLS to work between Leopard’s iChat and Openfire?

Hey Jeffrey,

I do not have Leopard here nor iChat to test your case. However, it seems to me that iChat does not know the (root) CA of your certificate. If your (root) CA is not a standard/known one then I would recommend checking for ways to add new CA certificates to the list of trusted CAs by iChat. BTW, I think that browsers come with their list of known CA certificates. So iChat and your browser may not be sharing the same list of trusted CAs.

Regards,

– Gato

I believe that iChat uses the system keychain for certificate validation, the same as Safari does. My root CA is trusted in there.

I have discovered that if I disable the option to use Kerberos5 authentication (and enter my password instead), I can eventually get iChat to ignore the certificate problems, and authenticate. It would be nice to be able to use K5 in iChat like it works in Adium, however.