SSL/TLS Support for SPARKWEB

Hello,

Is there any news available about TLS/SSL support on the SPARKWEB product? I have just installed the last version and it seems that it doesn’t support an SSL/TLS connection to the jabber server.

I can’t deploy it for my users without crypto support.

Regards,

Era+

I’m also very interested in this.

I’m also wondering when this will be added to SparkWeb. This is the only thing preventing us from using it.

This is also the only thing that is preventing me from deploying SparkWeb. With all the security features of Openfire, I don’t see how crypto isn’t supported for the web client.

It’s been on their to-do list for a while, but I don’t think the priority is very high. We are in the same boat. I believe the Red5 version supports TLS.

I haven’t yet checked to see if it makes a difference, but there were some issues I noticed in the TLS stuff with smack as of, at least, 3.1.0; I posted a couple of simple patches here:

http://www.igniterealtime.org/community/message/190988#190988

Only the one setting TLS enabled when it sees is even remotely relevant. You could give that a shot, maybe. I’ll be looking into SparkWeb next, so I’ll report back if I find anything out.

Hi Jason – I read your thread about https binding for SparkWeb (http://www.igniterealtime.org/community/thread/32224), but it’s not clear to me whether/not the communication occurs over https; and if so how? For instance, I think what I’m seeing with a configuration like:

return {
    server: "localhost",          // missing comma in the posted snippet made this a syntax error
    bindPath: "/http-bind/",
    port: "7443",
    connectionType: "https",
    //port: "7070",
    //connectionType: "http",
    autoLogin: "false"
};

Is that the login (a/k/a bind) happens over :7443/HTTPS, but the subsequent actual jabber session takes place over plain 5222. If I try to “require” “client.tls” then I get the standard “server requires TLS but connection was never secured” error, and a failure.

Is there something else I’m missing? I’ve not tried red5 yet, but I thought that using 7443 and http-bind meant that the flash app would connect through 7443 over HTTP/S?

Sorry, this does work, provided you’re not trying to do client authentication on :7443. At which point (with debug>enabled>true) you’ll get a “no_certificate” error on the server, and nothing on the client:

2009.05.07 09:58:05 JettyLog: EXCEPTION
javax.net.ssl.SSLProtocolException: handshake alert: no_certificate
at com.sun.net.ssl.internal.ssl.ServerHandshaker.handshakeAlert(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.recvAlert(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source)
at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
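The question above (does the session really stay on HTTPS once the page has loaded over :7443, or does it fall back to plain 5222?) is easiest to settle by looking at where the BOSH traffic is actually sent. The following is an added example, not code from the thread or from the SparkWeb project: it takes the object returned by SparkWeb’s config function and the URL the page was loaded from, builds the HTTP-bind URL the client will use, flags plaintext or mixed-scheme setups, and optionally completes a TLS handshake against the bind port to confirm the server really negotiates TLS there. It assumes the config keys shown in the thread (server, port, connectionType, bindPath) and that bindPath defaults to Openfire’s /http-bind/ when omitted, as in Charlie’s config further down.

```python
"""Added example: where does SparkWeb's BOSH traffic go, and is it encrypted?

Not part of the thread or of SparkWeb; config keys follow the snippets
posted above. bindPath defaulting to /http-bind/ is an assumption.
"""
import socket
import ssl
from urllib.parse import urlsplit


def bosh_url(cfg: dict) -> str:
    """Build the HTTP-bind (BOSH) URL SparkWeb would use from its config object."""
    scheme = str(cfg.get("connectionType", "http")).lower()
    if scheme not in ("http", "https"):
        raise ValueError(f"unsupported connectionType: {scheme!r}")
    path = cfg.get("bindPath", "/http-bind/")  # assumed default, see lead-in
    return f"{scheme}://{cfg['server']}:{cfg['port']}{path}"


def review_config(cfg: dict, page_url: str) -> list:
    """Return deployment findings for a config served from page_url.

    All XMPP stanzas, including the SASL login, travel inside the BOSH
    HTTP requests, so the bind URL's scheme decides whether the chat
    session itself is encrypted; the page URL only covers the client code.
    """
    findings = []
    page = urlsplit(page_url)
    bind = urlsplit(bosh_url(cfg))

    if bind.scheme != "https":
        findings.append("BOSH session is plaintext: login and stanzas cross "
                        "the network unencrypted on port %s" % bind.port)
    if page.scheme == "https" and bind.scheme == "http":
        findings.append("mixed content: HTTPS page but HTTP bind endpoint; "
                        "browsers block or warn on this")
    if page.scheme == "http" and bind.scheme == "https":
        findings.append("login page served over HTTP: the client code and its "
                        "config can be altered before the HTTPS bind is reached")
    if page.hostname and bind.hostname and page.hostname != bind.hostname:
        findings.append("bind host differs from page host: the Flash client "
                        "needs a cross-domain policy for it (cf. policyFileURL)")
    return findings


def probe_tls(host: str, port: int, timeout: float = 5.0) -> dict:
    """Live check (needs network): complete a TLS handshake with the bind
    port and report what was negotiated. Uses the system trust store, so a
    self-signed Openfire certificate fails here exactly as it does in the
    browser until it is installed on the client."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "version": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(x[0] for x in cert["subject"]),
            }


if __name__ == "__main__":
    # The two variants from the config posted above (constructed sample input).
    secure = {"server": "localhost", "bindPath": "/http-bind/",
              "port": "7443", "connectionType": "https", "autoLogin": "false"}
    plain = dict(secure, port="7070", connectionType="http")
    for cfg in (secure, plain):
        print(bosh_url(cfg))
        for f in review_config(cfg, "https://localhost/sparkweb.html"):
            print("  -", f)
    # Uncomment with a reachable server to confirm TLS on the bind port:
    # print(probe_tls("localhost", 7443))
```

If review_config comes back empty for the HTTPS page plus HTTPS bind combination and probe_tls reports a TLS version for port 7443, the whole session, not just the login, is inside TLS; port 5222 is only involved when a config points the client at the plain socket.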

Hi Vargok,

I am running OF 3.6.3 and Sparkweb 0.9 on the same Windows server and authenticate the user through AD.

I am able to connect Sparkweb through TLS/SSL connection and these are my setting:

  1. I enabled HTTP-BINDING and set HTTPS-Binding to port 7443 (Default).

  2. I installed Apache with SSL certificate installed and I placed sparkweb folder content in the htdocs folder (Apache Document root).

  3. Then I modified the sparkweb index file (sparkweb.html) with the following entries:

function jive_sparkweb_getConfig()
{
    // straight quotes: the curly quotes in the posted snippet are not valid JavaScript
    return {server: "myserver.com",
            connectionType: "https",
            port: "7443",
            autoLogin: "false",
            policyFileURL: "xmlsocket://myserver.com:5229"
    };
}

  4. Restart the OpenFire.

Users connect to the web jabber (Sparkweb) through https://myserver.com and I can see the network stats on the user’s computer show that it connected to port 443 for the initial login ONLY and then, after passing the authentication process, it is connected through port 7443 while the browser still shows an https connection.

I checked on the jabber session and found the sparkweb connection is Authenticated and using SSL/TLS connection.

My current issue:

Recently I have users who are in a restricted network which only allows certain outgoing connection ports, and they do not allow outgoing traffic through port 7443. They suggested I use ports 80 and 443, which I currently use for Apache (Sparkweb connection).

Has anybody tried to change the HTTPS or HTTP binding port to 443 or 80? Or is there anybody who has same network situation and has a solution or suggestion?

Thanks in advance.

Charlie

For the first 4-5 requesters: there are a couple of ways to achieve TLS with SparkWeb. One of them is by using the Red5 version of SparkWeb. http://www.igniterealtime.org/community/docs/DOC-1553

Hey everyone,

just registered here since I want to share the following info:

I’m currently running Openfire 3.6.4 with SparkWeb 0.9 on Windows (with IIS 6.0) and SSL/TLS encryption is working.

Not really sure what was needed in the end, since it took me a while and some testing until I got it running right.

Here are the Openfire server settings that I think might be relevant:

httpbind.enabled = true
httpbind.port.plain = 105
httpbind.port.secure = 106
xmpp.auth.sharedSecretEnabled = true
xmpp.client.tls.policy = required
xmpp.component.socket.port = 7070
xmpp.httpbind.scriptSyntax.enabled = true
xmpp.socket.plain.port = 443
xmpp.socket.ssl.active = true
xmpp.socket.ssl.port = 5222

Using the above settings for Openfire (and having ports 105, 106, 443, 5222 and 9091 opened in my router’s firewall), SparkWeb works just fine, IF the required certificate is installed on the client machine.

Initially I wanted to make it possible for users with restricted connection to the internet (only port 80/443) to use SparkWeb with SSL too, but this did not work for me.

I think at least three open ports are needed for encryption to work, plus one port to access the web interface itself - IIS with a self-signed cert is listening on port 8080 and serving SparkWeb page requests on my system - due to 443 being used to enable at least unsecured login for those “proxy-victims”. Additionally, the same SparkWeb page is available on port 9091. Each webserver (IIS on port 8080 and the Openfire web server on port 9091) has its own certificate which must be installed on the client side, and: trying to login to SparkWeb from a non-HTTPS/“normal” HTTP webpage with “connectionType: https”, like below, doesn’t work for me - instead I need to go via the SSL-encrypted webpage to login using TLS. Which is fine, since users can decide through choice of login page if they want to login using TLS or unencrypted…

Here’s my working SparkWeb config for SSL:

Hope this will help somebody in some way,

Greets

Dennis

Hi,

I want to enable a single sign on facility to sparkweb.

I created one web application where the users log in and enter the home page. And when I click on the chat link in the home page,

it automatically pops up sparkweb with automatic login.

I integrated sparkweb with my web page. The problem is that the users have to automatically login to sparkweb when they login to my custom web application.

I am using jsp for my web application

Is there any suggestion?

Thanks in advance