
Openfire, TLS, and intermediate certs - not working?

Setup: Openfire 3.7.0 Beta and Prosody (0.8 nightly from a couple weeks ago, but confirmed on 0.6.1 and 0.7)

s2s encryption: required

Openfire cert: self-signed (default)

Prosody cert: GoDaddy with bundled intermediates (4 certs in certfile)

s2s connection succeeds from Prosody to Openfire. However, it appears that when Openfire tries to establish a TLS connection to Prosody, it doesn’t know how to handle the chained certificates presented. If the certificate file contains only the first cert, the connection succeeds. However, this has the unfortunate side effect of producing validation warnings to clients (as the cert doesn’t chain properly).

I think there may be a bug in the way Openfire processes certificates from remote systems when there are intermediates involved.

Reproduced on two different systems.

Server options tried:

xmpp.server.certificate.accept-selfsigned = true

xmpp.server.certificate.verify = false

xmpp.server.certificate.verify.chain = false

xmpp.server.certificate.verify.root = false

xmpp.server.certificate.verify.validity = false
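The client warnings in the report come from the bundle itself, so one thing worth checking independently of the Openfire bug is whether the certfile is ordered the way the peer expects. The script below is an added example, not code from this thread, Openfire or Prosody: it assumes the openssl command-line tool is installed, a PEM bundle laid out like the Prosody certfile (leaf first, then intermediates, then optionally the root), and the script name and the `peer.example` host in the comment are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread, Openfire or Prosody.
# Inspects a PEM bundle laid out like the Prosody certfile described above
# (leaf first, then intermediates, optionally the root) and checks that it is
# ordered correctly: each certificate's issuer must be the subject of the one
# that follows it. Assumes the openssl command-line tool is installed.
#
# To capture what a peer actually presents on the s2s port, the same checks
# can be run on the certificates printed by (placeholder host):
#   openssl s_client -connect peer.example:5269 -starttls xmpp -showcerts

# Number of certificates in the bundle $1.
chain_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Print "subject|issuer" (RFC 2253 form) for each certificate in $1, in
# bundle order, by splitting the bundle into one file per certificate.
chain_names() {
    tmp=$(mktemp -d)
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n) }
        n > 0 { print > (out) }
    ' "$1"
    for f in "$tmp"/*.pem; do
        names=$(openssl x509 -in "$f" -noout -subject -issuer -nameopt RFC2253)
        subj=$(printf '%s\n' "$names" | sed -n 's/^subject= *//p')
        iss=$(printf '%s\n' "$names" | sed -n 's/^issuer= *//p')
        printf '%s|%s\n' "$subj" "$iss"
    done
    rm -rf "$tmp"
}

# Return 0 if the bundle $1 chains cleanly from the first certificate
# onwards; otherwise report the first break on stderr and return 1.
check_chain_order() {
    chain_names "$1" | {
        idx=0
        prev_issuer=
        subj=
        while IFS='|' read -r subj iss; do
            idx=$((idx + 1))
            if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
                echo "chain breaks at certificate $idx: expected subject '$prev_issuer', found '$subj'" >&2
                exit 1
            fi
            prev_issuer=$iss
        done
        if [ "$idx" -eq 0 ]; then
            echo "no certificates found" >&2
            exit 1
        fi
        if [ "$prev_issuer" = "$subj" ]; then
            echo "chain complete: ends in self-signed root ($subj)"
        else
            echo "chain ordered: last certificate issued by '$prev_issuer' (root not bundled)"
        fi
    }
}

# Usage: ./checkchain.sh bundle.pem   (script name is a placeholder)
[ "$#" -eq 0 ] || check_chain_order "$1"
```

A bundle that passes this check can still be rejected by a peer that only reads the first certificate, which is the behaviour the report describes, but a bundle that fails it will produce warnings in every client regardless of what the peer does, so it is the cheaper thing to rule out first.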

Bump. I’ve seen this issue now too. Any word on whether this is an issue with OpenFire or Prosody?

It sounds related to the issue in this thread: http://community.igniterealtime.org/message/209073#209073 They got a working patch that fixes the certificate issue in s2s mode but it changes how OF handles certificates so use carefully…

We’re tracking this issue as OF-405 in our issue-tracker.

Have fix, will be going onto trunk after a review/test today.