
Is TLS/SSL working with the Smack 3.3.0 API?

I am trying to use SSL and TLS connections from my Smack 3.3.0-based XMPP client to an Openfire 3.8.2 server. SSL port 5223 is configured and I imported the self-signed certificates to the client host, following the Openfire instructions. When trying to connect over SSL, the server doesn’t respond. Only the following initial packet is sent:

<stream:stream to="my.xmpp.server.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0"></stream:stream>

My client doesn’t establish connection, neither can other clients I tested, like Pidgin, Psi, when configured to use SSL port 5223.

TLS connection seems to work with the self-signed certificates. I see the tags in the raw XML packets, assuming the data is exchanged encrypted, but does the client authenticate the server? I connect with TLS without importing any (self-signed) certificates, on port 5222.

I wonder whether the Smack API implements self-signed certificate authentication, or is it left up to developers to add the authentication management? Are the self-signed certificates used, or is authentication done differently (like DNS), or not done at all? Does using a self-signed certificate follow different logic than CA certificates?

TLS is working. Legacy XMPP SSL support, i.e. often on port 5223, was dropped IIRC a few years ago. How SSL certificates, especially self-signed ones, are handled depends for example on the TrustManager Smack is configured with.

Hi Flow. I configured the SSL connection with the self certificate. It was a matter of correctly importing the cert, and using the run-time JVM SSLFactory, with a TrustManager which does the job. I could have gone along the line of DummySocketFactory, but that requires an implementation of the TrustManager interface, an SSL context, and managing all possible scenarios.

I have a question about TLS. It works, and it appears, it doesn’t matter if I have the self-certificate imported or not. Is Smack SocketFactory/TrustManager validating the certificate on-the-fly, without a need of importing it?

If I acquired a CA cert for Openfire, is the Smack SocketFactory (my client code) going to authenticate the CA cert against the default trust store (cacerts), or do I need to handle it in code?
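
For the trust-store questions raised in this thread, the following is an added example, not code from any of the posts or from Smack: it uses only the JDK to build a TrustManager either from the default trust store (cacerts) or from a dedicated keystore holding the server's self-signed certificate, and shows the host name check that a plain SSLSocket does not perform on its own. The class name, the file names in the comment and the command-line arguments are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class XmppTrust {  // hypothetical class name
    // path == null: the JVM default trust store (cacerts), which covers a CA-issued certificate.
    // Otherwise: a keystore holding only the server's self-signed certificate, created for
    // example with (file names are assumptions):
    //   keytool -importcert -alias openfire -file server.crt -keystore xmpp-trust.jks
    static X509TrustManager trustManager(String path, char[] password) throws Exception {
        KeyStore ks = null;
        if (path != null) {
            ks = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = new FileInputStream(path)) {
                ks.load(in, password);
            }
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);  // a null keystore selects the default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    static SSLContext context(X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);  // no client key, default randomness
        return ctx;
    }

    // Sockets from an SSLSocketFactory validate the chain, but not the host name, unless asked to.
    static void requireHostnameMatch(SSLSocket socket) {
        SSLParameters p = socket.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");  // RFC 2818 style name matching
        socket.setSSLParameters(p);
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : null;
        char[] pw = args.length > 1 ? args[1].toCharArray() : null;
        X509TrustManager tm = trustManager(path, pw);
        System.out.println("trusted certificates: " + tm.getAcceptedIssuers().length);
        System.out.println("factory: " + context(tm).getSocketFactory().getClass().getName());
    }
}
```

Run without arguments it reports the size of the default trust store; run with a keystore path and password it trusts only what that keystore contains, so a server presenting any other certificate fails the handshake.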