powered by Jive Software

Client certificate authentication (SASL-EXTERNAL) over BOSH or websocket

Hi there

Openfire supports client certificate authentication in conjunction with SASL-EXTERNAL. However, I haven’t been able to find any evidence (by scouring the web) that it supports it also over HTTPS BOSH or WSS websocket.

My understanding is that for client certificates to be supported with HTTPS/BOSH, the Openfire BOSH connection manager must explicitly request from the client a signed certificate, otherwise the browser will not send one.

Does openfire support this usecase (client certificate auth over BOSH)?


JC Brand

I think Openfire supports this through the httpbind.client.cert.policy property, which can have one of these values:

  • disabled: No authentication will be performed on the client. Client credentials will not be verified while negotiating TLS.
  • wanted: Clients will try to be authenticated. Might or migth not fail when clients provide no or an invalid certificate (not sure, might even be implementation specific)
  • needed: client needs an acceptable certificate

After having tested client certificate authentication with BOSH, I can confirm that this works, but currently not on Openfire 4.0.x.

I did however test it with version 3.10.3, and there it works. There is an open ticket for fixing it on the version 4 branch. https://issues.igniterealtime.org/browse/OF-1191

The property is “xmpp.client.cert.policy”, not “httpbind.client.cert.policy”, and there are quite a few steps involved in getting this to work.

I’ve written a blog post that covers everything I had to do: Opkode - Blog

1 Like