JWChat and Wildfire 4.6.2, Require SSL

Hi there,

First off I really would like to thank the developers of Wildfire and people involved in these forums. I've been setting up Wildfire for my company and it has been a breeze, particularly with the support forums, which have been one of the best I've ever been on.

I've been doing a lot of research on JWChat on these forums and others, and I (think) I've successfully set it up, by simply deploying Tomcat and configuring it for SSL, and placing the jwchat.war (and jabberHTTPBind0.3) in the webapps folder. My problem is more of a question to check if my theory is correct:

My company wants to force users to use SSL/TLS as many of our employees tend to pass passwords over IM. Therefore in the "Security" tab of the Admin console, I set client connections to "require". Furthermore we want to provide staff with the option of connecting to the jabber server via a webclient (hence the want for jwchat). My problem is that I can successfully connect to wildfire via jwchat when I set the client connections to "Optional" SSL security, but if I set it to "Require" then jwchat refuses to connect. Also if I go to the jwchat login page via https (I have configured tomcat to accept https traffic), and login via https, the wildfire admin console does not report that I am connected using a secure connection (i.e. no padlock next to my name in the "Sessions" tab in the wildfire admin console). I suspect that it is because jabberHTTPBind0.3 does not have SSL support and therefore cannot connect to the jabber server using SSL. As a result it doesn't report on the wildfire admin console as connected via SSL. I also suspect that SSL over HTTP and SSL Jabber connections have nothing to do with each other, and I'm confusing myself. Is this correct? Or is my understanding a bit off?

I'm using wildfire 2.6.1 connecting to openldap for authentication all sitting on SUSE10. I found this site: http://jwchat.sourceforge.net/dev.shtml , that sort of agrees with what I'm thinking in that it states that SSL is one of the features in the future versions of jabberHTTPBind, but I just want to check.

I hope I'm not asking stupid questions, I'm just out of University in a System admin role and I'm learning (plus it's my first major project and I want to give a good impression).

Thanks!

Gene

Welcome Gene,

Port 5222 allows plaintext and TLS connections. Currently there is no option to open more ports or ports with different configurations, like e.g. 127.0.0.1:5222 which accepts only plaintext and 10.1.1.1:5222 which accepts only TLS. <-- not yet possible !!

Port 5223 uses (old) SSL and is therefore encrypted.

If you have a firewall you may force all clients to connect to port 5223 and block port 5222 - so everyone would be sure that encryption is used.

Then you could allow Tomcat to connect to port 5222 using a plaintext connection. As Wifi+JWChat are running on the same server this should not be a problem and usually makes no sense for encryption.

As you are using Tomcat/SSL the web connections to the clients are encrypted but Wifi cannot know this.

It's a poor solution to block port 5222 and a lot of users may complain but it seems to be the only possible solution right now.

I think it is projected to offer much better configuration options, but I have no idea when they will be available. Maybe you want to write a patch for this and submit it?

LG
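
An added example, not part of the original posts and not Wildfire or JWChat code: a check an administrator could run to see which STARTTLS policy an XMPP server advertises on port 5222, which is the "Optional" versus "Required" distinction discussed above. It relies on the XMPP core convention that a server mandating TLS puts a `<required/>` child inside `<starttls/>`; the host name passed to `probe` and the sample streams are constructed assumptions.

```python
import re
import socket
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

def extract_features(raw):
    """Cut <stream:features> out of the server's opening bytes so it parses alone."""
    m = re.search(r"<stream:features\b[^>]*>.*?</stream:features>", raw, re.S)
    if m is None:
        raise ValueError("no stream:features element in response")
    xml = m.group(0)
    if "xmlns:stream" not in xml.split(">", 1)[0]:
        # The prefix is normally declared on the enclosing <stream:stream>.
        xml = xml.replace("<stream:features",
                          f'<stream:features xmlns:stream="{STREAM_NS}"', 1)
    return xml

def starttls_policy(features_xml):
    """Return 'required', 'optional' or 'absent' for the advertised STARTTLS."""
    starttls = ET.fromstring(features_xml).find(f"{{{TLS_NS}}}starttls")
    if starttls is None:
        return "absent"      # plaintext only: no upgrade offered at all
    if starttls.find(f"{{{TLS_NS}}}required") is not None:
        return "required"    # server refuses to continue without TLS
    return "optional"        # client may stay in plaintext

def probe(host, port=5222, domain=None, timeout=5.0):
    """Open a client stream to host:port and classify what the server offers."""
    header = (f"<?xml version='1.0'?><stream:stream to='{domain or host}' "
              f"xmlns='jabber:client' xmlns:stream='{STREAM_NS}' version='1.0'>")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(header.encode())
        buf = b""
        while b"</stream:features>" not in buf and len(buf) < 65536:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return starttls_policy(extract_features(buf.decode("utf-8", "replace")))

# Constructed server greetings (not captured from a real Wildfire instance).
def _sample(starttls):
    return (f"<stream:stream xmlns='jabber:client' xmlns:stream='{STREAM_NS}' "
            f"from='example.org' id='c0ffee' version='1.0'><stream:features>{starttls}"
            "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
            "<mechanism>PLAIN</mechanism></mechanisms></stream:features>")

SAMPLE_OPTIONAL = _sample(f"<starttls xmlns='{TLS_NS}'/>")
SAMPLE_REQUIRED = _sample(f"<starttls xmlns='{TLS_NS}'><required/></starttls>")
```

Port 5223 cannot be checked this way, because the old SSL port expects a TLS handshake before any XML is exchanged.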