SASL EXTERNAL Spark X.509 Revisited (calling slushpupie :)

Hi All,

So… I would really like to get X.509 SASL EXTERNAL certificate authentication working for client to server connections. I have been testing with Spark from svn (revision 11314) and Openfire from svn (also 11314).

Each time I try to connect with Spark, the authentication does not succeed and I see two errors. First, a string index out of bounds exception from the server (you can see this in error_log.txt attached). Second, (at lines 126 and 127 in debug_log.txt) I get:

SASLAuthentication: EXTERNAL authentication via SSL certs for c2s connection

SASLAuthentication: EXTERNAL authentication requested, but no certificates found.

Openfire configuration:

I have the following Openfire options set:

Option                                     Value
sasl.mechs                                 EXTERNAL
xmpp.client.cert.policy                    wanted
xmpp.client.certificate.accept-selfsigned  true
xmpp.client.certificate.verify             true
xmpp.client.certificate.verify.chain       true
xmpp.client.certificate.verify.root        true
xmpp.client.certificate.verify.validity    true
xmpp.client.tls.policy                     required

I have not set xmpp.socket.ssl.client.truststore or xmpp.socket.ssl.client.trustpass because my client truststore is in the default location of resources/security/ and uses the default password (although I have also tried manually specifying them with the recommended relative path). I have also allowed self-signed certificates for testing purposes. I also don’t have xmpp.client.certificate.crl specified because I don’t have a crl I am using yet. I have also set the cert.policy to “needed” and it does the same thing.

In my client.truststore file, I have added trustedCertEntry entries with alias username and alias username@example.com (not sure which it is supposed to be). These are actually the clients’ certificates themselves, not those of a CA. I wasn’t sure if this was required, but since they are self-signed I figured I would add them each as a trusted signer. These show up in “keytool -list” as trustedCertEntry entries.

Spark Configuration:

I have a keystore that has the two keys from above in it – both with alias and common name of the form username and username@example.com (again, not sure which is required). The password to the user account and the keystore are the same. When doing a “keytool -list”, they show up as privateKeyEntry entries.

I have a truststore that contains the RSA certificate of the server (don’t think this is required but seeing as this is also self-signed, no harm in trusting this as a trusted signer right?). This shows up in “keytool -list” as a trustedCertEntry.

I know there are some people out there who have gotten this to work. Any help would be very greatly appreciated…

Much Thanks!!

-Sam
debug_log.txt.zip (4290 Bytes)
error_log.txt.zip (855 Bytes)
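A small diagnostic, added here and not part of Sam's post or of Openfire/Spark, that checks the two stores described above actually agree: it confirms the entry in Spark's keystore and the trustedCertEntry in Openfire's client.truststore are the same certificate (by fingerprint) and prints the subject and SubjectAlternativeName that Openfire will see during SASL EXTERNAL. Store paths, the alias, and the "changeit" password are assumptions set via environment variables; it needs keytool and openssl on the PATH.

```shell
#!/bin/sh
# Diagnostic for the SASL EXTERNAL setup discussed in the thread (added example).
# All paths/aliases/passwords below are assumptions; override them via the environment.
SPARK_KEYSTORE="${SPARK_KEYSTORE:-$HOME/Spark/security/keystore}"
OPENFIRE_TRUSTSTORE="${OPENFIRE_TRUSTSTORE:-/opt/openfire/resources/security/client.truststore}"
STOREPASS="${STOREPASS:-changeit}"          # assumed default store password
ALIAS="${ALIAS:-username@example.com}"      # one of the two aliases from the post

# Normalise a fingerprint so "ab:cd:..." and "ABCD..." compare equal.
norm_fp() { printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'; }

# Return 0 when two fingerprints (any case, with or without colons) match.
same_fingerprint() { [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]; }

# Print the SHA-256 fingerprint keytool reports for one alias ($1 store, $2 alias).
# Older JDKs print only SHA1; change the pattern if your keytool lacks SHA256.
store_fp() {
  keytool -list -v -keystore "$1" -storepass "$STOREPASS" -alias "$2" 2>/dev/null \
    | sed -n 's/^[[:space:]]*SHA256: *//p' | head -n 1
}

# Print the subject DN and the SAN extension of one entry, as Openfire will read them.
store_subject() {
  keytool -exportcert -rfc -keystore "$1" -storepass "$STOREPASS" -alias "$2" 2>/dev/null \
    | openssl x509 -noout -subject -ext subjectAltName 2>/dev/null
}

# Compare Spark's private key entry against Openfire's trusted copy of the same alias.
check_pair() {
  c="$(store_fp "$SPARK_KEYSTORE" "$ALIAS")"
  t="$(store_fp "$OPENFIRE_TRUSTSTORE" "$ALIAS")"
  [ -n "$c" ] || { echo "no entry '$ALIAS' readable in $SPARK_KEYSTORE"; return 1; }
  [ -n "$t" ] || { echo "no entry '$ALIAS' readable in $OPENFIRE_TRUSTSTORE"; return 1; }
  if same_fingerprint "$c" "$t"; then
    echo "OK: '$ALIAS' is the same certificate in both stores ($c)"
    store_subject "$SPARK_KEYSTORE" "$ALIAS"
  else
    echo "MISMATCH: keystore=$c truststore=$t"
    return 1
  fi
}

# Run with RUN_CHECK=1 so sourcing the file for its helpers does not touch the stores.
if [ "${RUN_CHECK:-0}" = 1 ]; then check_pair; fi
```

Run it once per alias (ALIAS=username and ALIAS=username@example.com) to see which of the two entries Openfire is actually matching against.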

Did you ever get this to work? I’ve been trying for some time to get this to work, with no success. I can’t even get OpenFire to send the list of trusted CA certificates in its handshake with the client. Without this list the client will never prompt the user for their certificate.