
I want to run a jabberd2 server (V 2.40) with secure client connections.
I followed the instructions from the documentation and the server is up and running:
https://github.com/jabberd2/jabberd2/wiki/InstallGuide-OpenSSLConfiguration

But it seems that there is no secure client connection.
When I follow the hints for requesting the certificate there is no peer certificate:
Getting SSL certificate chain from jabber server

    openssl s_client -connect my.jabber.server.net:5222 </dev/null
    CONNECTED(00000003)
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 648 bytes and written 117 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE

The actual configuration is

    <local>
      <pemfile>/etc/jabberd2/jabber.pem</pemfile>
      <verify-mode>7</verify-mode>
      <require-starttls>1</require-starttls>
      <ciphers>EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH</ciphers>
      <id register-enable='mu'>domainname.de</id>
    </local>

Following the hints in c2s.xml I altered this to

    <local>
      <id realm='domainname.de'
          pemfile='/etc/jabberd2/jabber.pem'
          ciphers='EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'
          verify-mode='7'
          require-starttls='mu'
          instructions='Geben Sie einen gueltigen Benutzernamen mit Passwort an um einzuloggen!'
      >domainname.de</id>
      <id password-change='mu' />
    </local>

Then the openssl test is successful with

    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 1700 bytes and written 138 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 1024 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID:
        Session-ID-ctx:
        Master-Key: 720846E32D...CA23
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1484331794
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---

But now NO client will connect to the server!
I tested it with Pidgin and Psi and both report an SSL handshake error!

Reading the example c2s.xml I find:

    <id realm='company.int'
        pemfile='/etc/jabberd2/server.pem'
        verify-mode='7'
        cachain='/etc/jabberd2/client_ca_certs.pem'
        require-starttls='mu'
        register-enable='mu'
        instructions='Enter a username and password to register with this server.'
        register-oob='http://example.org/register'
        password-change='mu'
    >example.net</id>

So maybe client_ca_certs.pem is missing?
But I have no idea how to generate it.

Any help would be fantastic.

1 Answer

Jabber uses the STARTTLS protocol extension on port 5222, so you need to enable the extension with -starttls xmpp when testing:

    openssl s_client -connect my.jabber.server.net:5222 -starttls xmpp </dev/null

All the connection options for 5222 virtual hosts are set directly as attributes on the <id ... /> tag.

Direct XMPP tunnelling in SSL is possible on port 5223 when enabled. The options you configure as tags under <local> ... <pemfile> etc. configure the 5223 port. If you enable this you can test without the -starttls option as you attempted:

    openssl s_client -connect my.jabber.server.net:5223 </dev/null
  • Yes - I have already made these tests. I tried this configuration: `<local> <id realm='mydomain.de' pemfile='/etc/jabberd2/jabber.pem' ciphers='EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH' verify-mode='7' require-starttls='mu' instructions='...' >mydomain.de</id> <id password-change='mu' /> </local>` Then I get a working answer with openssl. But the clients like Pidgin or PSI will not connect any more! They report: "Connection error on 0x7f07f0c20280 (reason: 5 description: SSL-Verhandlung fehlgeschlagen)" Commented Jan 15, 2017 at 9:52
  • I think that both server and client are working as designed - but the certificate is not accepted by the clients. I already opened a bug report at Pidgin for this: developer.pidgin.im/ticket/17148#ticket. The question is how to generate "the right" TLS certificate? Commented Jan 15, 2017 at 10:00
  • Most of us use letsencrypt.org nowadays Commented Jan 15, 2017 at 10:57
  • I know. But I have a bad feeling, because everyone boycotts self-signed certificates now. They work perfectly in Apache and Exim. Why not with XMPP and Jabber? What about using Jabber in an intranet without internet? Commented Jan 15, 2017 at 12:27
  • smoku please explain how to use the configuration option "cachain='/etc/jabberd2/client_ca_certs.pem'". This would be helpful to test other variants of certificates. Commented Jan 15, 2017 at 12:31
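The STARTTLS step the answer describes, carried out by a small Python client so the difference between port 5222 (plaintext stream header first, then TLS) and a direct TLS connection is visible. This is an added example, not code from the question, the answer or the jabberd2 project; the host, domain and CA file are command-line assumptions, and FakeXmppServer is a constructed stand-in whose messages are made up for the offline run. With no arguments it prints the client/server exchange against the fake; with a host and domain it probes a real server and verifies the certificate, which is where a self-signed certificate, as the comments discuss, is rejected unless the client is handed the CA (or the certificate itself) to trust.

```python
"""Probe an XMPP client port the way Pidgin or Psi does: plaintext stream
header, STARTTLS, then a verified TLS handshake.

Added example; not code from the question, the answer or jabberd2.  Assumes an
RFC 6120 server on port 5222; host, domain and an optional CA file come from
the command line.  FakeXmppServer is a constructed stand-in for offline runs.
"""
import socket
import ssl
import sys

STARTTLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"


def stream_header(domain):
    """Opening <stream:stream> a client sends before any TLS exists (RFC 6120 4.7)."""
    return ("<?xml version='1.0'?>"
            f"<stream:stream to='{domain}' xmlns='jabber:client' "
            f"xmlns:stream='{STREAM_NS}' version='1.0'>")


def read_until(sock, marker, limit=65536):
    """Read until `marker` appears; cap the buffer so a hostile peer cannot grow it."""
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("stream closed before %r" % marker)
        buf += chunk
        if len(buf) > limit:
            raise ValueError("more than %d bytes before %r" % (limit, marker))
    return buf.decode("utf-8", errors="replace")


def negotiate_starttls(sock, domain):
    """Plaintext half of the exchange (RFC 6120 section 5); returns the features.

    This is the step `openssl s_client` skips unless given `-starttls xmpp`,
    which is why it reports "no peer certificate available" on 5222.
    Raises RuntimeError if STARTTLS is not advertised or <failure/> comes back.
    """
    sock.sendall(stream_header(domain).encode("utf-8"))
    features = read_until(sock, b"</stream:features>")
    if "<starttls" not in features or STARTTLS_NS not in features:
        raise RuntimeError("server did not offer STARTTLS: " + features)
    sock.sendall(f"<starttls xmlns='{STARTTLS_NS}'/>".encode("utf-8"))
    reply = read_until(sock, b"/>")          # <proceed .../> or <failure .../>
    if "<proceed" not in reply:
        raise RuntimeError("server refused STARTTLS: " + reply)
    return features


def starttls_offered(sock, domain):
    """True when STARTTLS was negotiated, False when the server could not."""
    try:
        negotiate_starttls(sock, domain)
        return True
    except RuntimeError:
        return False


def wrap_tls(sock, domain, cafile=None):
    """Upgrade to TLS and verify the server certificate against `cafile`.

    cafile=None means the system trust store, where a self-signed certificate
    fails (the client-side view of s_client's "Verify return code: 18").
    Pointing cafile at the server's own PEM, or at the private CA that signed
    it, makes the same certificate verify cleanly.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    return ctx.wrap_socket(sock, server_hostname=domain)


class FakeXmppServer:
    """Constructed in-memory server; keeps a C:/S: transcript instead of a socket."""

    def __init__(self, offers_starttls=True):
        self.offers_starttls = offers_starttls
        self.transcript = []        # (side, message) pairs in wire order
        self._outbox = []

    def _reply(self, text):
        self.transcript.append(("S", text))
        self._outbox.append(text.encode("utf-8"))

    def sendall(self, data):
        text = data.decode("utf-8")
        self.transcript.append(("C", text))
        if text.startswith("<?xml"):
            feature = (f"<starttls xmlns='{STARTTLS_NS}'><required/></starttls>"
                       if self.offers_starttls else "")
            self._reply("<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
                        f"xmlns:stream='{STREAM_NS}' id='constructed' version='1.0'>"
                        f"<stream:features>{feature}</stream:features>")
        elif text.startswith("<starttls"):
            self._reply(f"<proceed xmlns='{STARTTLS_NS}'/>")

    def recv(self, n):               # one whole message per call, like a quiet LAN
        return self._outbox.pop(0) if self._outbox else b""


def main(argv):
    if len(argv) < 3:                # offline: show the exchange against the fake
        fake = FakeXmppServer()
        negotiate_starttls(fake, "domainname.de")
        for side, msg in fake.transcript:
            print(side + ":", msg)
        print("usage: %s HOST DOMAIN [CAFILE]   # probe a real port 5222" % argv[0])
        return 0
    host, domain = argv[1], argv[2]
    cafile = argv[3] if len(argv) > 3 else None
    raw = socket.create_connection((host, 5222), timeout=10)
    negotiate_starttls(raw, domain)
    with wrap_tls(raw, domain, cafile) as tls:
        print("negotiated", tls.version(), "with", tls.cipher()[0])
        print("subject:", tls.getpeercert().get("subject"))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 xmpp_starttls_probe.py my.jabber.server.net domainname.de /etc/jabberd2/jabber.pem` (filename and arguments are assumptions) to see the same certificate that `openssl s_client -starttls xmpp` shows, now checked by a client that has been told which CA to trust; drop the last argument to reproduce the verification failure a desktop client gets with a self-signed certificate.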
