I am curious what is being done to improve the way Openfire handles certificates and secure s2s communication.
At present, any CSR I generate through the Openfire 3.3.2 web interface (ssl-certificates.jsp) are seen as invalid by Startcom, who XMPP Federation use. They are also seen as invalid by most commercial SSL certificate resellers such as Tucows and namecheap.com. Godaddy however seem to be able to read and process the CSR my Openfire generates.
Working around it on the command line with the latest keytool can apparently work but most people won’'t bother and end up using self-signed certs and turning mandatory encryption off, which is not good for the community as a whole.
The other thing is that even if I get a CA signed RSA cert and install it properly, I cannot tell Openfire to make encryption mandatory on s2s. It will keep complaining that the other server offered no SASL mechanisms. I saw many threads touch on this issue but none resolved it.
Even if sasl.mechs only have PLAIN enabled, it won’'t work.
Is anything being done to improve this situation ? I want to be able to install a CA signed cert and enforce encryption for s2s traffic.