S2S TLS Connection using homemade OpenSSL certificates

Hi everyone,

I really hope that someone can help me with an issue I’m having. I’m trying to get 2 Openfire Servers to connect using TLS, and a set of certificates that I created using OpenSSL. Not having much luck with it though.

For my purposes, this is just going to be a stand-alone test environment. I am using Microsoft Virtual PC, and have an instance of the Openfire server running on each virtual machine. I am using Spark as my chat client. The clients are able to communicate successfully across servers using dialback, or with self-signed certificates, but I’m having a major problem getting the OpenSSL certs to work. Shown below are the settings I’m using for TLS:

Openfire Console Settings:

(Server Manager >> System Properties)

xmpp.auth.anonymous true

xmpp.client.tls.policy required

xmpp.server.certificate.verify true

xmpp.server.dialback.enabled false

xmpp.server.tls.enabled true

xmpp.socket.ssl.active true

(Server Settings >> Security Settings)

Client Security is set to Required

Server Connection Security is set to Required

When I created my certs in OpenSSL, I created both RSA and DSA certs for both servers. When I use the Openfire Console to import the certificates along with their respective private keys, it does so successfully. The console is successfully displaying CA Signed for all of the certs. (I also created my own CA certs, 1 for RSA certs and 1 for DSA certs, that I import into the truststores using java keytool, before adding these certificates in the console.)

The names of my Openfire Servers are vm2 and vm3. So… respectively the truststore for vm2 contains: my ca cert for rsa, ca cert for dsa, rsa cert for vm3, and dsa cert for vm3. The truststore for vm3 has the opposite, ca cert for rsa, ca cert for dsa, rsa cert for vm2, and dsa cert for vm2. Of course, all the default certificates are in the truststore too.

At this point, I’m not really sure if it’s a setting inside the Openfire Console that I’m forgetting to set, or if the problem is with my certificates. Of course I’m kinda leaning towards certificates.

Would anyone have any advice to lend? Or just other things I could possibly try? Right now I’m stumped.

-Lenny

I probably should’ve also mentioned that I’m using version 3.6.3 of Openfire.

Hi

I guess the answer is: “…if you are using self signed server certificates, you should add a system property ‘xmpp.server.certificate.verify’ and set it to ‘false’…” This is taken from a pretty good document explaining how to do S2S.

http://www.igniterealtime.org/community/docs/DOC-1030

Walter

Hi Walter,

I tried altering “xmpp.server.certificate.verify” to false, however it doesn’t seem to have an effect. I gave your document a read-through as well. I have some new questions now.

Since the signer of my certs is not the same entity as the domain name using them, are they technically still considered self signed? I know I don’t have a “real” CA, but I did put CA certs that I created in my truststore, so they should be considered signed, right?

I am not at the moment using a DNS server. Is this required for the certs to validate during the SSL Handshaking process? Right now, the name of my Openfire servers respectively are both the hostnames of my machines.

-Lenny

Hi Lenny,

I would assume that your certificates have to have the same domain as the XMPP Server. If your certs have the domain “homedomaine.net” and your servers belong to “myjabberdomain.net” I would assume that this will not work. You may try to create your certificates with the built-in functionality of Openfire.

I cannot comment on the question regarding the SSL Handshaking process. That’s beyond my knowledge.

Walter
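The two points raised in the thread (Lenny asking whether a cert signed by a homemade CA still counts as "signed", and Walter's point that the certificate's name must match the XMPP domain) can be checked offline with the openssl command line before touching Openfire. The script below is an added example, not from the thread or from Openfire; it builds a throwaway CA and issues certificates for the names vm2 and vm3 as stand-ins for the real servers, then runs the two checks a strict S2S peer performs: does the certificate chain to a CA in the truststore, and does its CN/subjectAltName match the domain the peer expects. It assumes an openssl binary new enough to support `openssl verify -verify_hostname` (1.1.0 or later); file names and the CA subject are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): exercise the two checks a strict
# S2S peer makes on a homemade certificate, using a throwaway CA and the
# names vm2/vm3 as stand-ins for the real servers in the thread.
set -eu

WORK=$(mktemp -d)

# make_ca DIR: create a constructed private CA in DIR (ca.key, ca.pem).
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$1/ca.key" -out "$1/ca.pem" \
    -subj "/CN=Homemade Test CA" >/dev/null 2>&1
}

# make_server_cert DIR NAME: issue NAME.pem for XMPP domain NAME, signed by
# DIR's CA, with the domain both in the CN and in a DNS subjectAltName.
make_server_cert() {
  dir=$1; name=$2
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" \
    -subj "/CN=$name" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$name" > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
    -extfile "$dir/$name.ext" -out "$dir/$name.pem" >/dev/null 2>&1
}

# chains_to_ca CAFILE CERT: succeeds only if CERT chains to a CA in CAFILE
# (the truststore side of the check: "is it signed by something I trust?").
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# chains_and_matches CAFILE CERT HOST: additionally requires the CN/SAN to
# match HOST (the domain side of the check Walter describes).
chains_and_matches() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demo when run directly: one CA, certs for vm2 and vm3, and every
# combination of "cert presented" vs "name the peer expects".
make_ca "$WORK"
make_server_cert "$WORK" vm2
make_server_cert "$WORK" vm3
for peer in vm2 vm3; do
  for expected in vm2 vm3; do
    if chains_and_matches "$WORK/ca.pem" "$WORK/$peer.pem" "$expected"; then
      echo "$peer.pem presented to a peer expecting '$expected': OK"
    else
      echo "$peer.pem presented to a peer expecting '$expected': REJECTED"
    fi
  done
done
```

A certificate that passes `chains_to_ca` against your homemade CA but fails `chains_and_matches` for the server's XMPP domain is "signed" in the sense Lenny asks about, yet will still be rejected by a peer that verifies certificates; conversely, a certificate issued by a CA that is not in the peer's truststore fails the first check regardless of the name. Importing the CA cert into the other server's truststore with keytool covers the first check; the second is decided when the certificate is generated.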