Empty blank window when using self-signed SSL certificates

Hello everyone,

We’ve been using two Spark clients (Debian & Windows) and an Openfire server without issues so far. We recently started adding self-signed certificates to our XMPP configuration, but met an issue regarding the Windows client. Here are some details :

I am trying to use Spark 2.9.0 (released today) to connect to my Openfire server. I have generated a self-signed CA, which I used to generate another certificate for my Openfire server, and imported them both in Openfire.

From the same CA, I have also generated two certificates for my Spark clients (I use a Windows 2.9.0 jre-bundled version, and a Debian 2.9.0-SNAPSHOT version which we built from sources a few months ago when 2.9.0 wasn’t released yet).

On the Debian client, I imported my client certificate in the “Mutual auth” tab, and everything seems to be working as expected : on the first connection, I am prompted to add my Openfire server’s certificate to the Spark truststore, which worked fine. I can then connect once again successfully and chat with other users.

My issue is regarding the Windows client. I applied the same steps as I did on the Debian client, however when I finally connect after adding the server’s cert to the truststore, the Spark window is completely blank and empty (see screenshot :

). On a side-note, I had also tried this with a 2.9.0-SNAPSHOT Windows version built from the same sources as the Debian version. I tried this new 2.9.0 release today to check if the issue remained.

I went ahead and started it using the startup.bat script and a -debug flag to get some logs : log.txt (20,4 Ko). There is a bunch of exceptions but all regarding UI classes, so I’m not really sure where to look to debug.

I don’t think my certificates generation is the issue since the Debian client works fine, so I’m creating this post to get some help from the community.

Thanks for reading

I don’t think you need to use mutual auth (this is to auth with a server using a special certificate, not for regular SSL connections). Remove that setting and just try connecting to your server with the latest 2.9.0 version. I would also try with a fresh Spark profile. It should prompt you about accepting self-signed certs and then to accept your certificate.

1 Like

Thanks a lot, I deleted my Spark folder in %appdata% (I am guessing that’s what you meant by “a fresh Spark profile”), restarted Spark, accepted my cert and this time it worked ! I can chat with other users.

I’m not really sure what was wrong to be honest. I left my client cert in the mutual auth tab since I’m probably going to set mutual auth up in my Openfire configuration though.

While I’m here, I noticed the PKI tab was gone, how would I go about adding a user certificate in a Spark keystore now ? I am going to need that to do some message signature in a Spark plugin.

Well, i can’t answer what you should do, i only know that PKI tab was removed as it was probably replaced with some other mechanism and was not needed anymore. But i haven’t used mutual auth myself. @Alameyo ?

Spark 2.9.0 has a new tab in its settings menu that replaces the functionality of the PKI tab. This new tab is called ‘mutual auth’

I must admit that any testing of this functionality was very light - I’d not be surprised if you ran into issues with it. I would appreciate your feedback!

2 Likes

You should add your client certificates through that Choose file button. After that click Ok on the bottom of this panel. You can use it also to create CSR but note that you will still need to sign it with some kind of CA trusted by server.

You can also create self signed certificate which is fine if you want to test some things but for production deployment it isn’t recommended.

Alternatively if you don’t like UI (but then I will be sad as I have created it :stuck_out_tongue: ) you can use Java Keytool directly on Spark’s Keystore or on JDK Keystore

1 Like

Thanks everyone,

I had already added a Windows spark client certificate to its Mutual auth tab, but I did not configure that yet on Openfire so I’m guessing it’s not useful yet.

I had also planned to sign all outgoing messages (and verify the signature of incoming ones) with XMLDSIG (https://www.w3.org/TR/xmldsig-core1/ EXAMPLE 9 for instance). This is going to require another certificate, this time associated to the user sending the messages.

If the PKI tab is replaced by the Mutual auth tab, that means I’m going to have to add this new certificate in the Mutual auth tab as well. Will I be able to access the user certificate’s info from my Spark plugin this way ?

I honestly do not know. I expect that you can always load things directly from the keystore(s) that are used. @Alameyo wrote most of that code, maybe he can help you. I do think that a bit of experimentation on your end will be needed though.

@Alameyo I’m trying to test certificate revocation in Spark but I have an issue.

Here’s my setup: I have a cert loaded in Spark mutual auth tab, containing a CRL distribution point, pointing to revocation lists on my own web server (HTTP). I revoked the loaded cert, generated the revocation list and put it in the path I mentioned in the cert’s CDP on my web server (in both PEM and DER formats).

Now I expect to get an invalid status on the certificate when I click “Check validity” on the cert in Spark UI, but it remains valid, and I can still connect to Openfire even with mutual auth enforced in its configuration.

Do you want me to create another post about it maybe ? I’d like to know if someone got that to work, maybe with another format than DER and PEM, or another protocol than HTTP.

Cheers

Server ( Openfire ) is responsible for checking the revocation of certificates in Mutual Auth. So: you load certificates in the Mutual Auth tab, Spark will send them to a server, the server will check if certificates are valid or not.

As of button Check Validity goes it should also check revocation from CRL. I have no idea now why you have a problem. From security point verification is done by the server for certificates in Mutual Auth tab so no worries. However, this button also was working when I was checking it last time.

Perhaps there is something wrong with your CRL or there might be a bug in the Spark. I would need to investigate it a bit more ( some time passed since I implemented it up to the release).

Ok thanks for your input. What disturbs me the most is that I can still connect to my Openfire server even with mutual auth enforced and my revoked client certificate. I don’t have too much experience setting up CRL distribution points though so there might definitely be an issue on my end.

Is there any more logs I can have regarding CRL verification in Spark maybe ? I already tried launching it via the startup.bat script and the -debug flag, but I did not find anything relevant. I will try to check the validity of my revoked cert with an external tool such as openssl to pinpoint the issue.

If you are sending certificate as client then it’s server’s responsibility to reject this certificate if revoked.

Try to experiment with different options regarding certificates in Openfire. I think there could be something tricky around this to make it work but I don’t remember well as a bit of time passed since I worked on this implementation in Spark and tested it against Openfire.

I couldn’t find a set of settings that prompted me an error when using revoked certificates. I identified a checkRevocation function in Spark’s CertManager, I will probably look into that later to troubleshoot in Spark and check if the issue’s on my end.

To add to that, I was looking to how you handled the different keystores in Spark and I found that the password (changeit) to both the keystores and the certificates is hardcoded. Is there an evolution-tagged issue already opened about that I think it would be nice to set it externally if we want to secure Spark. IIRC with the PKI tab we were able to set the keystore’s location and password right ?