
Firewall Issues and Certificate Conversion

I'm running Wildfire 1.6.2 and I want clients to be able to connect through an SSL/TLS connection on an additional port (443 on a secondary IP address, not the one the main listener is running on). The main idea behind this is that clients behind an HTTP proxy can connect to my server through a HTTPS fake. If this is in some way impossible, please tell me about it and why this is so.

Additionally I have PEM certificates and want to use them inside Wildfire, but I can't find a tool to convert them into the Java keystore format. If someone knows an easy way to convert them, please let me know.



“clients behind a HTTP Proxy can connect to my server through a HTTPS fake” makes sense if you mean HTTPS Proxy. You may read http://web.amessage.info/firewalled/ for more information, but it should be indeed that simple.

Using an additional port will be the problem; currently this is, as far as I know, not possible. And configuring another IP address is also not possible. So you may want to use a simple TCP proxy which listens on a secondary IP address and port 443 and connects to your Wifi server.


Can you point me to such a TCP proxy?


I never tried a simple one, but http://siag.nu/pen/ offers a small one with load balancing / fail-over capabilities, so true overkill. I did not find the time to test it with Wifi, but I'm running it for over a year in front of a small and buggy web application (3 servers behind pen to make sure that one is always reachable) and it did not cause any trouble so far.

Off topic: because of the Wifi database cache one cannot use it for a hot backup Wifi server; maybe one writes a Wifi plugin to purge the cache remotely and to make sure that only one server is active.


Ok, I did it with iptables instead. It seems to work great. Here is the simple and short command, working on Debian Sarge:

iptables -t nat -A PREROUTING -p tcp -m tcp -d <secondary-ip> --dport 443 -j DNAT --to-destination <wildfire-ip>:5223

But now I still have no progress with converting my certificates. Some tips or a simple conversion tool would be great.
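The same DNAT redirect as a complete script, added here as an example; it is not code from the thread or from Wildfire. It wraps the rule the poster used with the things a practitioner wants around it: input validation, a matching rule in the OUTPUT chain (PREROUTING never sees connections made on the server itself, so a local test would otherwise miss the rule), a dry-run switch, and a listing of what the kernel loaded. All addresses are placeholders and the variable names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: DNAT <secondary-ip>:443 to
# Wildfire's legacy SSL port 5223 on the main address, as the poster did.
# Addresses are placeholders (assumed), not values from the thread.
set -eu

SECONDARY_IP="${SECONDARY_IP:-192.0.2.2}"        # assumed: address clients reach on :443
WILDFIRE_IP="${WILDFIRE_IP:-192.0.2.1}"          # assumed: address Wildfire listens on
PUBLIC_PORT="${PUBLIC_PORT:-443}"
WILDFIRE_SSL_PORT="${WILDFIRE_SSL_PORT:-5223}"   # Wildfire's SSL client port
IPT="${IPT:-iptables}"                           # IPT=echo prints rules instead of loading them

# Dotted-quad check with octet range. iptables rejects garbage too, but
# failing before touching the nat table avoids a half-applied rule set.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=. read -r a b c d extra <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$extra" ] || return 1
    for octet in "$a" "$b" "$c" "$d"; do
        [ "$octet" -le 255 ] || return 1
    done
}

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# PREROUTING only sees packets arriving from the network. A connection made
# on the server itself (e.g. a local openssl s_client test) passes through
# the OUTPUT chain instead, so the same rewrite is installed there. With
# both addresses on this host no FORWARD or MASQUERADE rule is needed.
add_redirect() {
    valid_ipv4 "$SECONDARY_IP" && valid_ipv4 "$WILDFIRE_IP" || return 1
    valid_port "$PUBLIC_PORT" && valid_port "$WILDFIRE_SSL_PORT" || return 1
    for chain in PREROUTING OUTPUT; do
        $IPT -t nat -A "$chain" -p tcp -m tcp -d "$SECONDARY_IP" --dport "$PUBLIC_PORT" \
            -j DNAT --to-destination "$WILDFIRE_IP:$WILDFIRE_SSL_PORT"
    done
}

# Show what the kernel actually loaded, with packet counters, so a test
# connection can be seen hitting the rule.
show_redirect() {
    $IPT -t nat -L PREROUTING -n -v --line-numbers
    $IPT -t nat -L OUTPUT -n -v --line-numbers
}

case "${1:-}" in
    apply) add_redirect && show_redirect ;;
esac
```

Run it as `sh redirect.sh apply` (as root) or `IPT=echo sh redirect.sh apply` to see the rules without loading them. To confirm the redirect end to end, `openssl s_client -connect <secondary-ip>:443` should print Wildfire's certificate, since port 5223 speaks TLS from the first byte; the packet counters in `show_redirect` then show the rule being hit.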


You beat me to it, yes, that is perfect, that is the way to do it.

iptables can redirect any traffic on any port, from any IP or any port, to any port on any other IP, and is a great way to accomplish this. As you know.
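The certificate question asked twice above was never answered in the thread. The following is an added example, not code from the thread or from Wildfire's own documentation, of the usual route from PEM to a Java keystore: bundle the key and certificate into PKCS#12 with openssl, then move that into a JKS file with keytool. It also checks that the key really belongs to the certificate before packaging, since a mismatched pair yields a keystore Java loads happily but no client can handshake with. The alias `<xmpp-domain>_rsa` and the password `changeit` are assumptions (they follow the convention later Openfire SSL guides describe for `resources/security/keystore`); check them against the 1.6.2 documentation. `keytool -importkeystore` requires Java 6 or later.

```shell
#!/bin/sh
# Added example, not from the thread or Wildfire's docs: PEM -> PKCS#12 -> JKS.
# Alias and password conventions below are assumptions; verify for your version.
set -eu

# Compare the public half of the key with the one in the certificate.
# openssl pkcs12 -export refuses a mismatched pair as well, but with a
# terse error; checking first gives a clear failure before anything is written.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# pem_to_pkcs12 KEY CERT OUT ALIAS PASSWORD [CHAINFILE]
# PKCS#12 is the interchange format both openssl and keytool understand;
# an optional chain file carries intermediate CA certificates along.
pem_to_pkcs12() {
    key=$1; cert=$2; out=$3; alias=$4; pass=$5; chain=${6:-}
    key_matches_cert "$key" "$cert" || { echo "key does not match certificate" >&2; return 1; }
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -name "$alias" -out "$out" -passout "pass:$pass"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -name "$alias" -out "$out" -passout "pass:$pass"
    fi
}

# pkcs12_to_jks IN.p12 OUT.jks ALIAS PASSWORD
# -importkeystore (Java 6+) carries the private key across, which plain
# "keytool -import" cannot do. Store and key get the same password because
# the server is assumed to unlock both with one setting.
pkcs12_to_jks() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$4" -srcalias "$3" \
        -destkeystore "$2" -deststoretype JKS -deststorepass "$4" \
        -destalias "$3" -destkeypass "$4"
}

# make_test_material KEY CERT CN
# Constructed test input: a throwaway self-signed pair, not a real certificate.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$3" -keyout "$1" -out "$2" >/dev/null 2>&1
}
```

Typical use: `pem_to_pkcs12 server.key server.crt keystore.p12 example.org_rsa changeit chain.pem` followed by `pkcs12_to_jks keystore.p12 keystore example.org_rsa changeit`, then `keytool -list -keystore keystore -storepass changeit` should show one PrivateKeyEntry under the alias. If an older keytool rejects the PKCS#12 file produced by OpenSSL 3 (which defaults to AES and PBKDF2), re-export with `openssl pkcs12 -export -legacy ...` to get the older RC2/3DES encoding that every Java release reads.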