I've been working on getting this going, and the latest Beta should have more functionality for doing client-based SSL auth. To date, I've not found a client that does SSL auth with SASL EXTERNAL, but I did modify tkabber to do so (it was pretty trivial). I've been slowly working on Smack to support it, which means Spark is next on the list.
Thanks for your prompt reply. Well, if I understand it correctly then all I need is already available: Tkabber, which allows for client authentication, and Openfire 3.4.0 beta1, which lets me set the xmpp.client.cert.policy system property. I tried my hand at it and the server doesn't let the authentication handshake complete if the property value is set to "needed". Which is great! The problem I face now is that I see many fields in Tkabber such as sslcertfile, sslcacertstore and sslkeyfile, and I tried to put these files (cacert.pem, privkey.pem: OpenSSL) in those fields, but the authentication process doesn't complete and Tkabber simply jams.
Do I understand it correctly when I say that the functionality I need is available in the form of Tkabber and Openfire 3.4.0 beta1? If yes, then I would really appreciate it if you could help me configure the above-mentioned Tkabber fields correctly.
I am working on client certificate issues. I just want to get a prototype client to work, so I use the same certificates for both Openfire and the XMPP client. I copy Openfire's keystore file to my XMPP client's root directory and run my client with the arguments -Djavax.net.ssl.keyStore=keystore -Djavax.net.ssl.keyStorePassword=mypassword, but it always fails during the handshake. The server information is: SocketAcceptorIoProcessor-0.0, fatal error: 42: null cert chain. Could you please point out whether the way I am working is right? Thanks.
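An added illustration for the "null cert chain" situation in the post above (this is not code from the thread, from Openfire or from Smack): a small Java program that opens the keystore handed to -Djavax.net.ssl.keyStore and reports whether it actually holds a private-key entry with a certificate chain. A JSSE client only presents a certificate when its X509KeyManager finds a PrivateKeyEntry whose chain is issued by one of the CA names the server lists in its CertificateRequest; a keystore that holds only trustedCertEntry entries, or whose key entry is signed by a CA the server does not trust, makes the client send an empty chain, which a server requiring client auth rejects with alert 42 (bad_certificate, "null cert chain" in SunJSSE). The class name, the argument order and the assumption that the file is a JKS keystore are mine; the password and path are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not part of the original thread or of Openfire/Smack.
 * Usage (placeholders): java KeystoreCheck keystore mypassword
 */
public class KeystoreCheck {

    /** Loads a JKS keystore (assumed type; Openfire shipped JKS files at the time). */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Prints every entry and returns the number of private-key entries.
     * Zero means the client has nothing to present during the TLS handshake.
     */
    static int reportEntries(KeyStore ks) throws Exception {
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                keyEntries++;
                Certificate[] chain = ks.getCertificateChain(alias);
                System.out.println("PrivateKeyEntry '" + alias + "', chain length " + chain.length);
                for (Certificate c : chain) {
                    if (c instanceof X509Certificate) {
                        X509Certificate x = (X509Certificate) c;
                        // The issuer must be one of the CA names the server sends in
                        // its CertificateRequest, otherwise the key manager skips it.
                        System.out.println("  subject: " + x.getSubjectX500Principal());
                        System.out.println("  issuer : " + x.getIssuerX500Principal());
                    }
                }
            } else {
                System.out.println("trustedCertEntry '" + alias
                        + "' (a trust anchor only; cannot be presented as a client certificate)");
            }
        }
        return keyEntries;
    }

    /**
     * Builds an SSLContext that uses the same keystore for the client key and
     * for trust, which is what "same certificates for both sides" requires.
     * The -Djavax.net.ssl.keyStore property alone leaves the default cacerts
     * as the trust store, so the self-signed server certificate is not trusted.
     */
    static SSLContext contextFromKeystore(KeyStore ks, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeystoreCheck <keystore> <password>");
            System.exit(2);
        }
        char[] password = args[1].toCharArray();
        KeyStore ks = load(args[0], password);
        int keyEntries = reportEntries(ks);
        if (keyEntries == 0) {
            System.out.println("No private-key entry found: the client will send an empty "
                    + "certificate chain and the server will report 'null cert chain'.");
            System.exit(1);
        }
        SSLContext ctx = contextFromKeystore(ks, password);
        System.out.println("SSLContext ready with protocol " + ctx.getProtocol());
    }
}
```

If the program lists only trustedCertEntry entries, the keystore copied from the server is a trust store rather than a key store, and the client needs the file that holds the private key (for Openfire, the keystore rather than the truststore). If a PrivateKeyEntry is present but the handshake still fails with alert 42, compare its issuer line against the CAs the server trusts, since the key manager silently skips entries whose issuer is not in the server's list.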
We too are very interested in TLS/SASL client authentication based on certificates. User login can still be username/password based, but we are longing for the day when we have both client and user authentication based on certificates. Is it scheduled for a near-term release in Smack and Openfire? Let us know how we can help in the requirements process and testing.
BTW what is the current thinking around audit logs and accountability?
What information would you need to store? Do you need to store the IP, user and password of each attempt where the certs were not trusted? How would you need to retrieve/report that info? Is there any standard around this?
The two parts of my posting were not 100% correlated. The audit log would be used more after the fact: you were authenticated (and authorized) but did something that is to be scrutinized. Accountability.