
LDAPS auth doesn't verify cert


#1

Hi all,

I set up an OpenFire installation and configured it to use LDAP for authentication. Everything works perfectly!

Afterwards I realised that the LDAP server is using a self-signed certificate and I had forgotten to make it known to OpenFire/Java. So the fact that everything is working smoothly is actually a bad thing.

I did some research in this forum and found a couple of discussions that indicate that OpenFire wasn’t verifying the chain in the past, but started to with release 3.10.2. I’m wondering why this behaviour was changed again – or am I missing something? – and how I can activate a proper verification again.

Thank you in advance for your support!

Cheers

Criena


#2

The original behavior was to accept self-signed certs. A change in 3.10.1 caused a lot of problems for users upgrading, so it was reverted in 3.10.3 to the behavior everyone expected. Right or wrong, a lot of commercial products act in the same way as well. With a few small changes, it should be easy to add the certificate check, and a property value to enable it.


#3

Hi speedy, thanks for the swift reply.

Having the option would be great, and I wouldn’t mind if the default accepted self-signed certs.

In my environment OpenFire has to communicate with LDAP via an untrusted network. Having the choice to avoid MITM attacks would be appreciated. :)
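The difference between the two behaviours discussed in posts #2 and #3, as an added example that is not part of this thread and not Openfire's own code. Openfire is Java, so this small Go program only stands in for the Java client; the same distinction applies to a Java TrustManager. It starts a local TLS listener with a constructed self-signed certificate for the made-up host ldap.example.test and connects to it three ways: with verification switched off, which is the accept-anything behaviour speedy describes; against the OS root store, which is what the first poster expected to fail; and with the self-signed certificate imported into an explicit trust store, which is what registering the cert with Java achieves. The `skipVerify` parameter plays the role of the property toggle speedy proposes; all names and values here are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const host = "ldap.example.test" // constructed host name for the sample, not a real server

// selfSignedCert builds a throwaway self-signed certificate for host, standing in
// for the poster's LDAP server certificate (constructed sample data).
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was produced just above, so it parses
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, nil
}

// startServer runs a local TLS listener presenting cert; it plays the LDAPS server.
// Each connection is handshaken (or rejected by the client) and then closed.
func startServer(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func() { defer c.Close(); _ = c.(*tls.Conn).Handshake() }()
		}
	}()
	return ln, nil
}

// pin returns a trust store containing only cert, the equivalent of importing the
// LDAP server certificate into the JVM truststore.
func pin(cert *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return pool
}

// Connect performs one TLS handshake with addr. skipVerify=true reproduces the
// accept-anything behaviour from the thread (no chain check, no hostname check, so a
// MITM passes). roots=nil with skipVerify=false means the OS root store; a pool from
// pin() accepts exactly the registered self-signed certificate.
func Connect(addr string, roots *x509.CertPool, skipVerify bool) error {
	cfg := &tls.Config{ServerName: host, RootCAs: roots, InsecureSkipVerify: skipVerify}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err // certificate rejected (or server unreachable)
	}
	return conn.Close()
}

func main() {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	ln, err := startServer(cert)
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	addr := ln.Addr().String()
	fmt.Println("trust-all accepted:   ", Connect(addr, nil, true) == nil)       // true
	fmt.Println("pinned cert accepted: ", Connect(addr, pin(leaf), false) == nil) // true
	fmt.Println("system roots accepted:", Connect(addr, nil, false) == nil)      // false
}
```

The third connection is the check worth running against any LDAPS client: pointed at a server whose certificate is not in its trust store, a verifying client must fail to connect. A client that connects anyway is in the first mode, whatever its configuration claims, and would also connect to an impostor on the untrusted network described in post #3.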


#4

I’ve created ticket OF-1234