Hi All,
So… I would really like to get X.509 SASL EXTERNAL certificate authentication working for client to server connections. I have been testing with Spark from svn (revision 11314) and Openfire from svn (also 11314).
Each time I try to connect with Spark, the authentication does not succeed and I see two errors. First, a string index out of bounds exception from the server (you can see this in the attached error_log.txt). Second (at lines 126 and 127 in debug_log.txt), I get:
SASLAuthentication: EXTERNAL authentication via SSL certs for c2s connection
SASLAuthentication: EXTERNAL authentication requested, but no certificates found.
Openfire configuration:
I have the following Openfire options set:
Option                                       Value
sasl.mechs                                   EXTERNAL
xmpp.client.cert.policy                      wanted
xmpp.client.certificate.accept-selfsigned    true
xmpp.client.certificate.verify               true
xmpp.client.certificate.verify.chain         true
xmpp.client.certificate.verify.root          true
xmpp.client.certificate.verify.validity      true
xmpp.client.tls.policy                       required
I have not set xmpp.socket.ssl.client.truststore or xmpp.socket.ssl.client.trustpass because my client truststore is in the default location of resources/security/ and uses the default password (although I have also tried manually specifying them with the recommended relative path). I have also allowed self-signed certificates for testing purposes. I also don’t have xmpp.client.certificate.crl specified because I don’t have a crl I am using yet. I have also set the cert.policy to “needed” and it does the same thing.
In my client.truststore file, I have added trustedCertEntry entries with alias username and alias username@example.com (not sure which it is supposed to be). These are actually the clients’ certificates themselves, not those of a CA. I wasn’t sure if this was required, but since they are self-signed I figured I would add them each as a trusted signer. These show up in “keytool -list” as trustedCertEntry entries.
Spark configuration:
I have a keystore that has the two keys from above in it – both with alias and common name of the form username and username@example.com (again, not sure which is required). The password to the user account and the keystore are the same. When doing a “keytool -list”, they show up as privateKeyEntry entries.
I have a truststore that contains the RSA certificate of the server (don’t think this is required, but seeing as this is also self-signed, no harm in trusting this as a trusted signer, right?). This shows up in “keytool -list” as a trustedCertEntry.
I know there are some people out there who have gotten this to work. Any help would be very greatly appreciated…
Much Thanks!!
-Sam
debug_log.txt.zip (4290 Bytes)
error_log.txt.zip (855 Bytes)
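Added example, not from Sam's post and not Openfire or Spark code: the subjectAltName structure in which RFC 6120 and XEP-0178 place a client certificate's JID (an otherName of type id-on-xmppAddr, OID 1.3.6.1.5.5.7.8.5), built and parsed with only the Python standard library. The JID and hostname values are constructed samples; which certificate fields Openfire itself consults when mapping a certificate to an account is not shown on this page.

```python
# Added example (not from the original post or the Openfire/Spark code): stdlib-only
# DER encode/parse of an X.509 subjectAltName, showing where an XMPP client cert
# carries the JID a server can map a TLS client cert to for SASL EXTERNAL
# (RFC 6120 / XEP-0178: otherName of type id-on-xmppAddr, OID 1.3.6.1.5.5.7.8.5).
# DER encoding of OID 1.3.6.1.5.5.7.8.5 (id-on-xmppAddr)
ID_ON_XMPPADDR_DER = bytes.fromhex("2b06010505070805")

def tlv(tag, body):
    """Tag + DER length (short or long form) + body."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, i):
    """(tag, body, index after element) for the TLV starting at buf[i]."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:                                  # long-form length
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n

def build_san(jid, dns_name):
    """Constructed sample SAN: otherName{id-on-xmppAddr, jid} (if jid) + dNSName."""
    names = b""
    if jid:   # [0] otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }
        names += tlv(0xA0, tlv(0x06, ID_ON_XMPPADDR_DER)
                     + tlv(0xA0, tlv(0x0C, jid.encode())))
    return tlv(0x30, names + tlv(0x82, dns_name.encode()))  # [2] dNSName

def xmpp_addrs(san_der):
    """JIDs carried as id-on-xmppAddr otherNames; other GeneralNames are ignored."""
    _, names, _ = read_tlv(san_der, 0)
    jids, i = [], 0
    while i < len(names):
        tag, body, i = read_tlv(names, i)
        if tag != 0xA0:                           # not an otherName
            continue
        _, oid, j = read_tlv(body, 0)
        if oid == ID_ON_XMPPADDR_DER:
            _, wrapper, _ = read_tlv(body, j)     # the [0] EXPLICIT wrapper
            utag, val, _ = read_tlv(wrapper, 0)
            if utag == 0x0C:                      # UTF8String
                jids.append(val.decode("utf-8"))
    return jids

if __name__ == "__main__":
    # Constructed sample: a client cert SAN naming the JID and the client host.
    san = build_san("username@example.com", "client.example.com")
    print(xmpp_addrs(san))                        # ['username@example.com']
```

A keytool alias is not part of the certificate, so only what is inside it (this SAN entry, or the subject) can be matched by the server. Whatever identity the server extracts, it must still be checked against the account the client asks to authorize as before EXTERNAL succeeds.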