SSL Working, Client Auth Isn't

I have spent a bunch of time over the past week trying to get Openfire working with SSL. I have a really good handle (or so it seems) on how to get the SSL working, with publicly rooted, privately rooted and self-signed certificates. Lots of hiccups, but I can consistently get certificates generated, imported into the server and working.

However I’m getting nowhere with turning on the client authentication. I can’t find anywhere information on:

  • how to turn it on (I’ve tried a number of things but the clients - Pidgin and Spark don’t prompt me for certs)

  • how to manage what certs to trust (can I simply import a CA root and have all certs from it trusted)

  • how do I map cert attributes to users

  • how do I manage certs in the clients - can I import CA roots ahead of time or do I just have to manage them as they come in

What I tried so far after I got the SSL working is:

  • added the system property sasl.mechs=EXTERNAL

  • added the system property xmpp.client.cert.policy=required

I’d really appreciate it if anyone can give me any guidance on how to get it working. If I’m able to pull together all the info I need I’d be more than happy to pull together a new SSL configuration guide that covers off all of the new features and publish it here.

I guess the first thing I need confirmed is, whether or not client certificate authentication is supposed to work at all. The SSL Guide states “you may wish to require SSL authentication for certain clients when security is especially important and the number of clients connection to the server is relatively small.” but I can’t find any mention anywhere about how to enable SSL authentication. I’ve set the cert.policy property to required but none of my clients are ever prompted to provide a client certificate. I would expect if I point a browser to https://www.myserver.com:5223 the browser should get the valid SSL certificate (which it does) and prompt me to select a client certificate (which it doesn’t).

Is this supposed to work?
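The diagnostic the original post is missing, added here as an example and not taken from the thread, Openfire or its documentation: during the handshake a server that wants a client certificate sends a CertificateRequest, and `openssl s_client` reports that as "Acceptable client certificate CA names". The script below stands up two throwaway local `openssl s_server` instances (one that asks for a client certificate, one that does not) and probes each; the ports, the test CA and the local servers are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from this thread or Openfire): does a TLS endpoint
# actually ask for a client certificate? A server that does sends a
# CertificateRequest in the handshake, which openssl s_client reports as
# "Acceptable client certificate CA names". If that line is missing, no client
# will prompt for a certificate no matter how the client is configured.
# Assumes the openssl CLI; keys and certs are throwaway material created here.
set -eu

WORK=$(mktemp -d)
PIDS=""
trap 'kill $PIDS 2>/dev/null; rm -rf "$WORK"' EXIT

# Constructed test CA and a server certificate issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/server.crt" 2>/dev/null

# start_server PORT [FLAGS]: local TLS listener; "-Verify 1" makes it
# request and require a client certificate issued by the test CA.
start_server() {
  port=$1; shift
  openssl s_server -accept "$port" -cert "$WORK/server.crt" -key "$WORK/server.key" \
    -CAfile "$WORK/ca.crt" -www "$@" </dev/null >/dev/null 2>&1 &
  PIDS="$PIDS $!"
  for i in 1 2 3 4 5 6 7 8 9 10; do   # wait until the port accepts TCP
    echo Q | openssl s_client -connect "127.0.0.1:$port" 2>/dev/null \
      | grep -q '^CONNECTED' && return 0
    sleep 1
  done
  return 1
}

# requests_client_cert PORT: exit 0 if the server sent a CertificateRequest.
requests_client_cert() {
  echo Q | openssl s_client -connect "127.0.0.1:$1" -CAfile "$WORK/ca.crt" 2>/dev/null \
    | grep -q '^Acceptable client certificate CA names'
}

start_server 18443              # server certificate only
start_server 18444 -Verify 1    # client certificate requested

for p in 18443 18444; do
  if requests_client_cert "$p"; then echo "port $p: client cert requested"
  else echo "port $p: no client cert requested"; fi
done
```

Against your own Openfire server the same probe is `openssl s_client -connect yourserver:5223`: if the output says "No client certificate CA names sent", the server never asked, so no client will ever prompt, whatever the cert.policy setting.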

Not sure about Pidgin, but Spark doesn’t prompt about accepting the certs (at least about self-signed ones). Spark should show a yellow locker symbol in the lower right corner of the Roster window. This means that Spark is running in secure mode.

How did you get your SSL to work? Is it a signed CA SSL? I know there are a lot of people in the community who are asking the same question, as I have been trying to find a solution for some time now.

What version of Openfire and most of all, how did you get it to work?