Help needed logging in without username and password

Hello All,

I have a device that connects to Openfire using mutual authentication (2way ssl).

I was of the understanding that if my device authenticated with the server AND I had my JID in the certificate (e.g. CN=123456789@xmpp.mydomain.com)

My device would be automatically logged in… But this does not seem to be the case.

Is there some way I can be logged into the server just by using mutual authentication?

Thanks

Regards

Stuart

Hmm, I think that Openfire should support this. Are the client certificates (or the CA that created them) in the Openfire client truststore? Have you enabled “mutual authentication” under Server -> Server Settings -> Client Connections -> Advanced Configuration ?

Try turning up the log level to “debug”, and see what’s being logged in the all.log file when you attempt to login with a client.

Hello Guus,

I have managed to get the box to connect to the server. Looking at the packet captures in Wireshark, my device appears to connect and then send an XMPP ping to keep the connection open… which is what it is supposed to do.

BUT, my device doesn’t appear in my sessions window…

When a device connects and authenticates using ssl, I assume we should have an account created for it already?

(I do… but it still doesn’t appear)

Any thoughts as to what may be happening?

Should my device send a presence stanza first before it appears in the sessions screen?

Thanks for your help.

Regards

Stuart

Hi Stuart,

Moments ago, there was another reply from you that now appears to be gone. I’m not sure if you manually deleted it, or if this website is acting up. This was my response though.

Sadly, the debug log that you found shows only the messages logged at level ‘debug’, not any others (such as ‘info’, ‘warn’, etc). There’s a log file called all.log in your Openfire home directory that combines everything. That will give more contextual data. Also, consider attaching files rather than copying them inline. It makes for easier reading.

From the logs that you pasted, I can’t make out what’s going wrong. One thing that did catch my eye was this error:

2016.07.20 13:15:09 org.apache.mina.filter.ssl.SslHandler - Unexpected exception from SSLEngine.closeInbound().

Although it might be benign, it could also indicate that it’s the client that breaks off communication. It might be worth checking its logs, if you haven’t done so already.

Hello Guus,

Yes, I deleted that message as I believed I had made some progress on having the device connect to the server and hence thought I wouldn’t bother you with it… but I have attached the file below.

I have turned off the compression option on the server and have changed the encryption type the server uses (because Wireshark couldn’t decode the default one that was being chosen). I can now decrypt the traffic going between the device and the server and it appears as though my device is now connecting to the server.

BUT

In Wireshark, once the SSL connection has been established, my device sends a start packet and the server replies with a packet.

After that, both sides remain silent except for my device sending an XMPP ping to the server every two minutes to keep the connection alive.

The fact that the device sends an XMPP ping and the server replies at the TCP level with an ACK would indicate that both sides are happy with the connection… but the device doesn’t show up in the “Sessions” screen and I am unable to communicate with that device using my Windows XMPP client.

(my Windows XMPP client logs in using a username and password)

Interested to know where else I can start looking.

Thanks for your help

Regards

Stuart

P.S. I changed the JIDs and domains in the log file to protect the innocent.
all.log.zip (27779 Bytes)

Hello Guus,

I got it all working.

I had to add one more setting to the server to get it to work.

I added

sasl.mechs = EXTERNAL

and it connected without a problem.

Thanks for your help

Much appreciated

Stuart
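The following is an added example, not code from this thread or from Openfire, showing the client-side view of the step that stalled: after the TLS handshake the server sends a `<stream:features/>` element, and a certificate-only client needs the EXTERNAL SASL mechanism to appear in that list. If it is absent the client has nothing it can authenticate with, which is consistent with the "one reply, then only pings" pattern described a few posts up, and the thread's fix was to make the server advertise EXTERNAL via `sasl.mechs = EXTERNAL`. The two `<stream:features/>` payloads and the certificate subject below are constructed samples; the stanza formats follow RFC 6120 (section 6.4.2) and RFC 4422 (EXTERNAL).

```python
"""
Added example (not from the thread or from Openfire): decide what an XMPP client
that authenticates only with a client certificate can do after it receives the
server's <stream:features/>, and build the <auth mechanism='EXTERNAL'/> stanza.
The <stream:features/> samples and the certificate subject are constructed.
"""
import base64
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_STREAM = "http://etherx.jabber.org/streams"

# Constructed: what a server that only offers password mechanisms sends after TLS.
FEATURES_WITHOUT_EXTERNAL = f"""
<stream:features xmlns:stream="{NS_STREAM}">
  <mechanisms xmlns="{NS_SASL}">
    <mechanism>PLAIN</mechanism>
    <mechanism>DIGEST-MD5</mechanism>
    <mechanism>SCRAM-SHA-1</mechanism>
  </mechanisms>
</stream:features>"""

# Constructed: the same server once EXTERNAL is enabled (on Openfire the thread's
# fix was the server property  sasl.mechs = EXTERNAL ).
FEATURES_WITH_EXTERNAL = FEATURES_WITHOUT_EXTERNAL.replace(
    "<mechanism>PLAIN</mechanism>",
    "<mechanism>EXTERNAL</mechanism>\n    <mechanism>PLAIN</mechanism>")

# Constructed subject following the pattern from the first post (JID in the CN).
CERT_SUBJECT = "CN=123456789@xmpp.mydomain.com,O=Example Devices"


def offered_mechanisms(features_xml: str) -> List[str]:
    """Return the SASL mechanisms advertised in a <stream:features/> element."""
    root = ET.fromstring(features_xml.strip())
    return [m.text.strip() for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text]


def jid_from_subject(subject: str) -> Optional[str]:
    """Pull a JID-shaped value out of the certificate subject's CN.

    RFC 6120 prefers an id-on-xmppAddr subjectAltName entry for the JID; the
    device in this thread carried it in the CN, so that is what is parsed here.
    """
    match = re.search(r"CN=([^,/]+@[^,/]+)", subject)
    return match.group(1) if match else None


def external_auth_stanza(authzid: Optional[str]) -> str:
    """Build the client's <auth mechanism='EXTERNAL'/> (RFC 4422, RFC 6120 6.4.2).

    With an authzid the client asserts the JID it wants to be authorized as; with
    none the server derives the identity from the certificate, and the empty
    initial response is encoded as a single '=' as RFC 6120 requires.
    """
    payload = base64.b64encode(authzid.encode("utf-8")).decode("ascii") if authzid else "="
    return f"<auth xmlns='{NS_SASL}' mechanism='EXTERNAL'>{payload}</auth>"


def next_client_step(features_xml: str, cert_subject: str) -> Tuple[str, object]:
    """Decide what a certificate-only client can do after <stream:features/>.

    Returns ("stall", offered) when EXTERNAL is not offered (the client has no
    usable mechanism and the stream just idles) and ("auth", stanza) otherwise.
    """
    offered = offered_mechanisms(features_xml)
    if "EXTERNAL" not in offered:
        return ("stall", offered)
    return ("auth", external_auth_stanza(jid_from_subject(cert_subject)))


if __name__ == "__main__":
    for label, feats in (("before fix", FEATURES_WITHOUT_EXTERNAL),
                         ("after fix", FEATURES_WITH_EXTERNAL)):
        kind, detail = next_client_step(feats, CERT_SUBJECT)
        print(f"{label}: {kind} -> {detail}")
```

When debugging a setup like the one in this thread, the decrypted Wireshark capture of the server's first reply is the place to apply this check: if the `<mechanisms/>` list has no `EXTERNAL`, the client certificate and truststore can be perfectly correct and the device will still never log in.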