Openfire, TLS, and intermediate certs - not working?

Seth2 · September 25, 2010, 6:24am

Setup: Openfire 3.7.0 Beta and Prosody (0.8 nightly from a couple weeks ago, but confirmed on 0.6.1 and 0.7)

s2s encryption: required

Openfire cert: self-signed (default)

Prosody cert: GoDaddy with bundled intermediates (4 certs in certfile)

s2s connection succeeds from Prosody to Openfire. However, it appears that when Openfire tries to establish a TLS connection to Prosody, it doesn’t know how to handle the chained certificates presented. If the certificate file contains only the first cert, the connection succeeds. However, this has the unfortunate side effect of producing validation warnings to clients (as the cert doesn’t chain properly).

I think there may be a bug in the way Openfire processes certificates from remote systems when there are intermediates involved.

Reproduced on two different systems.

Server options tried:

xmpp.server.certificate.accept-selfsigned = true

xmpp.server.certificate.verify = false

xmpp.server.certificate.verify.chain = false

xmpp.server.certificate.verify.root = false

xmpp.server.certificate.verify.validity = false

Paul_C_Bryan · February 8, 2011, 5:30pm

Bump. I’ve seen this issue now too. Any word on whether this is an issue with OpenFire or Prosody?

Johan1 · February 9, 2011, 9:33am

It sounds related to the issue in this thread: http://community.igniterealtime.org/message/209073#209073 They got a working patch that fixes the certificate issue in s2s mode but it changes how OF handles certificates so use carfully…

guus · April 9, 2011, 5:49pm

We’re tracking this issue as OF-405 in our issue-tracker.

dwd · June 4, 2014, 7:50am

Have fix, will be going onto trunk after a review/test today.