Client cert allows any JID

I have client certificates up and working. We use a Java program to log into Openfire and correspond with other JIDs. This Java program passes a certificate and a user. However, if the certificate CN doesn’t match the user, the user is still logged in with the username, rather than the certificate CN name. Any ideas?

Bump. Any ideas?

You mean that you have some custom Java application which is using some kind of certificates to identify the user? I don’t see how this is related to Openfire. Openfire is only asking for username and password, so if it gets one it doesn’t matter to the server whether it has to match something else. I think you should investigate your Java app.

No, openfire has client certificate checking and CRL checking built in, NOT just user/pass checking. This same behavior happens with both our custom client application, and

Openfire client certificate documentation:

(see posts by slushpupie - OpenFire PKI Question)

Re: Openfire+Spark - Client X.509/PKI Certificate Support

Ah, sorry. Thought that the PKI tab in Spark was related to SSO stuff. Didn’t know about such certificate support in Openfire. slushpupie has not been active in this project for many years. Wonder if anyone else knows about this stuff.
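
The identity binding the first post expects, as an added example that is not part of the thread and is not Openfire's code: the username a session gets must equal the CN of the presented client certificate, and anything ambiguous is denied. The class and method names are hypothetical, the subject DNs are constructed samples, and lowercasing stands in for full XMPP name normalization.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.Locale;

public class CertIdentityCheck {

    // Returns the single CN of an RFC 2253 subject DN, or null if there is not
    // exactly one usable CN. In a real server the DN would come from
    // X509Certificate.getSubjectX500Principal().getName().
    static String commonName(String subjectDn) {
        String cn = null;
        try {
            for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
                if (rdn.size() > 1) return null;              // multi-valued RDN: ambiguous, refuse
                if (!"CN".equalsIgnoreCase(rdn.getType())) continue;
                // A second CN or a non-text value is also refused.
                if (cn != null || !(rdn.getValue() instanceof String)) return null;
                cn = (String) rdn.getValue();
            }
        } catch (InvalidNameException e) {
            return null;                                      // unparseable DN: refuse
        }
        return cn;
    }

    // Returns the username the session may use, or null to deny the login.
    // requestedUser is the name the client asked for (null if it sent none).
    static String resolveLogin(String subjectDn, String requestedUser) {
        String cn = commonName(subjectDn);
        if (cn == null || cn.isEmpty()) return null;
        String certUser = cn.toLowerCase(Locale.ROOT);        // simplification of XMPP nodeprep
        if (requestedUser == null) return certUser;           // identity comes from the certificate
        return certUser.equals(requestedUser.toLowerCase(Locale.ROOT)) ? certUser : null;
    }

    public static void main(String[] args) {
        String dn = "CN=alice,OU=Users,O=Example";            // constructed sample subject
        System.out.println(resolveLogin(dn, "alice"));        // requested name matches the CN
        System.out.println(resolveLogin(dn, "bob"));          // mismatch, the case from the question
        System.out.println(resolveLogin(dn, null));           // no name sent by the client
        System.out.println(resolveLogin("CN=alice+UID=7,O=Example", "alice")); // multi-valued RDN
    }
}
```

A useful test against a live server is the second case: present a valid certificate while requesting a different username and confirm the login is refused rather than silently granted under the requested name.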