Sparkweb SSL/TLS Help

Hi - I'm hoping someone can help me or direct me to the correct documents regarding the issue that I have been trying to figure out for over 2 weeks (it's driving me crazy). I've installed Openfire v3.6.4 with the latest SparkWeb files on Debian Lenny; however, when I try to change 'client connection security' to 'required' I receive a "TLS was required by the server and connection was never secured. Closing connection" when accessing SparkWeb. I've used both the default Openfire-generated SSL certs and I've generated my own via our in-house CA and imported the CA cert and private key into the /usr/share/openfire/resources/security/truststore. I've also modified SparkWeb's index.html file to:

return {
    server: "[our server ip]",
    bindPath: "/http-bind/",
    port: "7443",
    connectionType: "https",
    autoLogin: "false",
    policyFileURL: "xmlsocket://[our server ip]:5229"
};

The regular 5222 socket unencrypted connection works fine; however, we cannot deploy SparkWeb without encryption. At the moment Apache is configured to use the same SSL cert as Openfire to secure the https connection, but this does not secure TCP 5222, and passwords can be read easily using Wireshark. I would be extremely grateful for any help. Thanks.

Have you read this doc? http://www.igniterealtime.org/community/docs/DOC-1553

TLS part. You will need custom Red5 SparkWeb version.

Thanks wroot. I will try this and post back.

I have followed the document and managed to load Red5 correctly into Openfire. When I try to log into https://[our server]:7443/red5/sparkweb/index.html nothing happens and no error message is shown. So I replaced Red5's SparkWeb.swf with the most current version of that file. However, when I try to log into SparkWeb, I receive a "Server Requires TLS which is unsupported, sorry" message. We are currently using our own CA with self-signed certs. Thanks in advance.

What about the Security Settings of Openfire?

Client Connection Security is set to required. I've included my system properties below. I've erased some of the private fields below.

admin.authorizedJIDs =
httpbind.enabled = true
ldap.adminDN =
ldap.adminPassword =
ldap.autoFollowAliasReferrals = true
ldap.autoFollowReferrals = false
ldap.baseDN =
ldap.connectionPoolEnabled = true
ldap.debugEnabled = false
ldap.emailField = mail
ldap.groupDescriptionField = description
ldap.groupMemberField = member
ldap.groupNameField = cn
ldap.groupSearchFilter = (objectClass=group)
ldap.host = ehserver-1
ldap.ldapDebugEnabled = false
ldap.nameField = cn
ldap.override.avatar = true
ldap.port = 389
ldap.posixMode = false
ldap.searchFilter = (objectClass=organizationalPerson)
ldap.sslEnabled = false
ldap.usernameField = sAMAccountName
ldap.vcard-mapping =
provider.auth.className = org.jivesoftware.openfire.ldap.LdapAuthProvider
provider.group.className = org.jivesoftware.openfire.ldap.LdapGroupProvider
provider.user.className = org.jivesoftware.openfire.ldap.LdapUserProvider
provider.vcard.className = org.jivesoftware.openfire.ldap.LdapVCardProvider
register.inband = false
register.password = hidden
sasl.gssapi.config = /usr/share/openfire/conf/gss.conf
sasl.gssapi.debug = true
sasl.gssapi.useSubjectCredsOnly = false
sasl.mechs = GSSAPI,EXTERNAL,CRAM-MD5,DIGEST-MD5
update.lastCheck = 1274021467656
xmpp.auth.anonymous = false
xmpp.client.tls.policy = required
xmpp.component.socket.port = 5275
xmpp.domain = eh.local
xmpp.httpbind.scriptSyntax.enabled = true
xmpp.server.certificate.accept-selfsigned = true
xmpp.server.dialback.enabled = false
xmpp.server.tls.enabled = true
xmpp.session.conflict-limit = 0
xmpp.socket.plain.port = 5222
xmpp.socket.ssl.active = true
xmpp.socket.ssl.algorithm = tls
xmpp.socket.ssl.port = 5223

Have you changed the port to 5230 in index.html of Red5 SparkWeb? Well, I'm wild guessing here. SparkWeb is a very mystic program. I had the same problems often and as it doesn't give any error it is hard to investigate.

I changed the cross domain line to 5230 and it looks like we are getting closer. At least now sparkweb says ‘Not Authorized. Please try again’ and when I go to Openfire --> logs --> warn.log I receive the following:

2010.05.17 12:34:11 Error retrieving client certificates of: org.jivesoftware.openfire.session.LocalClientSession@6f31a24c status: 1 address: eh.local/45308c48 id: 45308c48 presence:

javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at com.sun.net.ssl.internal.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:352)
at org.jivesoftware.openfire.nio.NIOConnection.getPeerCertificates(NIOConnection.java:147)
at org.jivesoftware.openfire.net.SASLAuthentication.doExternalAuthentication(SASLAuthentication.java:499)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:216)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:161)
at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:133)

Looks like there may be something wrong with the actual cert or keystore... not sure. I've installed the server cert on all the clients and the private key resides in the keystore. The certificate in Openfire states 'pending verification' but it seems to work just fine on the https:9091 connection.

Also, are you using a self-signed cert or verified?

anyone have any suggestions?

speeder305 wrote:

Also, are you using a self-signed cert or verified?

While testing I was using only Openfire's generated self-signed certs and wasn't importing it on the client side.

Would you mind posting your openfire properties screen on the forum? I would be very interested to see where my properties fall short. Thanks I appreciate it.

I don't have SparkWeb installed right now and some settings might have been changed since it was installed. Nevertheless, here they are:

admin.authorizedJIDs = admin@wroot
broadcast.enabled = true
cache.GatewayRegistrationCache.maxLifetime = -1
cache.GatewayRegistrationCache.min = -1
cache.GatewayRegistrationCache.size = -1
cache.GatewayRegistrationCache.type = optimistic
cache.GatewaySessionLocationCache.maxLifetime = -1
cache.GatewaySessionLocationCache.min = -1
cache.GatewaySessionLocationCache.size = -1
cache.GatewaySessionLocationCache.type = optimistic
cache.KrakenRegistrationCache.maxLifetime = -1
cache.KrakenRegistrationCache.min = -1
cache.KrakenRegistrationCache.size = -1
cache.KrakenRegistrationCache.type = optimistic
cache.KrakenSessionLocationCache.maxLifetime = -1
cache.KrakenSessionLocationCache.min = -1
cache.KrakenSessionLocationCache.size = -1
cache.KrakenSessionLocationCache.type = optimistic
conversation.idleTime = 10
conversation.maxTime = 60
conversation.messageArchiving = true
conversation.metadataArchiving = true
conversation.roomArchiving = false
conversation.roomsArchived =
demo.workgroup = true
fastpath.database.setup = true
httpbind.enabled = true
locale.timeZone = Europe/Helsinki
mail.configured = true
mail.debug = false
mail.smtp.host = smtp.gmail.com
mail.smtp.password = hidden
mail.smtp.port = 587
mail.smtp.ssl = false
mail.smtp.username = wrooot
passwordKey = hidden
plugin.contentFilter.allow.on.match = false
plugin.contentFilter.filter.status.enabled = false
plugin.contentFilter.mask =
plugin.contentFilter.mask.enabled = false
plugin.contentFilter.patterns = fox,dog,anykey
plugin.contentFilter.patterns.enabled = true
plugin.contentFilter.rejection.msg = Message rejected. This is an automated server response
plugin.contentFilter.rejection.notification.enabled = false
plugin.contentFilter.violation.notification.by.email.enabled = false
plugin.contentFilter.violation.notification.by.im.enabled = true
plugin.contentFilter.violation.notification.contact = admin
plugin.contentFilter.violation.notification.enabled = false
plugin.contentFilter.violation.notification.include.original.enabled = false
plugin.gateway.aim.enabled = false
plugin.gateway.facebook.enabled = false
plugin.gateway.gadugadu.enabled = false
plugin.gateway.gtalk.avatars = true
plugin.gateway.gtalk.connecthost =
plugin.gateway.gtalk.connectport = 5222
plugin.gateway.gtalk.enabled = true
plugin.gateway.gtalk.mailnotifications = false
plugin.gateway.gtalk.reconnect = true
plugin.gateway.gtalk.reconnectattempts = 3
plugin.gateway.icq.avatars = true
plugin.gateway.icq.connecthost = login.oscar.aol.com
plugin.gateway.icq.connectport = 5190
plugin.gateway.icq.crosschat = true
plugin.gateway.icq.enabled = true
plugin.gateway.icq.encoding = windows-1251
plugin.gateway.icq.mailnotifications = false
plugin.gateway.icq.reconnect = true
plugin.gateway.icq.reconnectattempts = 3
plugin.gateway.irc.enabled = false
plugin.gateway.livejournal.enabled = false
plugin.gateway.msn.autonickname = false
plugin.gateway.msn.avatars = true
plugin.gateway.msn.connecthost = messenger.hotmail.com
plugin.gateway.msn.connectport = 1863
plugin.gateway.msn.enabled = true
plugin.gateway.msn.mailnotifications = false
plugin.gateway.msn.reconnect = true
plugin.gateway.msn.reconnectattempts = 3
plugin.gateway.myspaceim.enabled = false
plugin.gateway.qq.enabled = false
plugin.gateway.sametime.enabled = false
plugin.gateway.simple.enabled = false
plugin.gateway.xmpp.avatars = true
plugin.gateway.xmpp.connecthost = xmpp.igniterealtime.org
plugin.gateway.xmpp.connectport = 5222
plugin.gateway.xmpp.enabled = true
plugin.gateway.xmpp.reconnect = true
plugin.gateway.xmpp.reconnectattempts = 3
plugin.gateway.yahoo.enabled = false
plugin.raptor.profile.active =
plugin.userservice.secret =
register.inband = false
register.password = hidden
rss.enabled = false
spark.client.displayMessage = Nauja versija
spark.client.downloadURL = http://wroot:9090/plugins/clientcontrol/getspark
spark.windows.client = Spark 2.5.8.exe
transfer.enabled = true
update.lastCheck = 1274376998609
update.notify-admins = true
update.proxy.port = -1
update.service-enabled = true
vcard.enabled = true
xmpp.audit.active = false
xmpp.audit.days = -1
xmpp.audit.filesize = 10
xmpp.audit.ignore = admin
xmpp.audit.iq = false
xmpp.audit.logdir = C:\Program Files\Openfire\logs
xmpp.audit.logtimeout = 10000
xmpp.audit.message = true
xmpp.audit.presence = false
xmpp.audit.totalsize = 1000
xmpp.auth.anonymous = false
xmpp.auth.sharedSecretEnabled = true
xmpp.client.compression.policy = disabled
xmpp.client.idle = -1
xmpp.client.tls.policy = optional
xmpp.component.defaultSecret = test
xmpp.component.socket.active = false
xmpp.domain = wroot
xmpp.filetransfer.enabled = true
xmpp.httpbind.scriptSyntax.enabled = true
xmpp.muc.enabled = false
xmpp.offline.quota = 102400
xmpp.offline.type = bounce
xmpp.proxy.enabled = false
xmpp.proxy.port = 7777
xmpp.server.certificate.accept-selfsigned = false
xmpp.server.compression.policy = disabled
xmpp.server.dialback.enabled = true
xmpp.server.permission = whitelist
xmpp.server.socket.active = true
xmpp.server.tls.enabled = true
xmpp.session.conflict-limit = 0
xmpp.socket.plain.port = 5222
xmpp.socket.ssl.active = true
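A small script, added here as an example (it is not from this thread or from the Openfire project), that does the comparison asked for above: it reads two System Properties dumps and reports where they differ, with a separate check of the TLS and authentication keys. It assumes each dump has been saved as one `key = value` line per property; the embedded samples are constructed subsets of the two lists posted in this thread.

```python
import re

# Properties that decide whether client sessions are really encrypted and authenticated.
SECURITY_KEYS = {
    "xmpp.client.tls.policy": "client TLS policy: required / optional / disabled",
    "sasl.mechs": "offered SASL mechanisms; EXTERNAL needs a client certificate",
    "xmpp.server.certificate.accept-selfsigned": "accept self-signed certificates",
    "xmpp.auth.anonymous": "anonymous login allowed",
}

def parse_properties(text):
    """Parse 'key = value' lines into a dict; a key with an empty value maps to ''."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.-]+)\s*=\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def compare_properties(mine, theirs):
    """Return (differing values, keys only in mine, keys only in theirs)."""
    shared = mine.keys() & theirs.keys()
    differing = {k: (mine[k], theirs[k]) for k in sorted(shared) if mine[k] != theirs[k]}
    return differing, sorted(mine.keys() - theirs.keys()), sorted(theirs.keys() - mine.keys())

def security_report(mine, theirs):
    """Both sides' values for each security-relevant key; '<unset>' when the key is absent."""
    return {k: (mine.get(k, "<unset>"), theirs.get(k, "<unset>"), note)
            for k, note in SECURITY_KEYS.items()}

# Constructed subsets of the two dumps posted in this thread (speeder305's, then wroot's).
MINE = """
httpbind.enabled = true
sasl.mechs = GSSAPI,EXTERNAL,CRAM-MD5,DIGEST-MD5
xmpp.auth.anonymous = false
xmpp.client.tls.policy = required
xmpp.server.certificate.accept-selfsigned = true
"""
THEIRS = """
httpbind.enabled = true
xmpp.auth.anonymous = false
xmpp.client.tls.policy = optional
xmpp.server.certificate.accept-selfsigned = false
"""

if __name__ == "__main__":
    mine, theirs = parse_properties(MINE), parse_properties(THEIRS)
    print(compare_properties(mine, theirs))
    print(security_report(mine, theirs))
```

On the samples it reports that sasl.mechs (which offers EXTERNAL) is set only on one side and that the TLS policy and self-signed setting differ, which is where the two configurations diverge on the points this thread is about.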

Where do you change these? I'm kind of lost on this one.

Admin Console > Server > System Properties (http://wroot:9090/server-properties.jsp)

Ah, thanks.