
TLS "SERVER HELLO" sends "Distinguished Names" after update

Hello,

After updating from 3.9.3 to 4.3.2.0, the server sends the list of Distinguished CA Names in the SERVER HELLO.

Registry was not changed.

System: Windows Server 2012 R2 Standard

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Value name: SendTrustedIssuerList
Value type: REG_DWORD
Value data: 0 (False)

Value name: ClientAuthTrustMode
Value type: REG_DWORD
Value data: 2

How can I deactivate Distinguished CA Names in the SERVER HELLO?

Hello,

Is the TLS handshake handled in Openfire or in the Java SDK?
Where can I find the sources?

thanks

Hello,

In the Openfire Changelog I could not find any clue.
I have compared versions 3.9.3 and 4.3.2.

Which class is responsible for the server certificate request?
Does the startTLS function decide whether Distinguished Names are set?

Version 3.9.3, class NIOConnection.java, function startTLS.

TrustManager[] tm = new TrustManager[] { new ClientTrustManager(ksTrust) };
TrustManager[] tm = new TrustManager[] { new ServerTrustManager(remoteServer, ksTrust, this) };

Version 4.3.2, class NIOConnection.java, function startTLS.

final SslFilter filter = factory.createClientModeSslFilter();
final SslFilter filter = factory.createServerModeSslFilter();

I tried the following parameters:

org.jivesoftware.openfire.net SASLAuthentication.java (3.9.3)
xmpp.server.certificate.verify

org.jivesoftware.openfire.net ServerTrustManager.java (getAcceptedIssuers ()) (4.3.2)
xmpp.server.certificate.verify
xmpp.server.certificate.verify.chain
xmpp.server.certificate.verify.root
xmpp.server.certificate.accept-selfsigned

Distinguished names have been set.

Which class / function creates Distinguished Names?

Hello,

I changed the parameters:
xmpp.server.certificate.accept-selfsigned
xmpp.client.certificate.accept-selfsigned

Distinguished Names are not empty in 4.3.2.

When true, ServerTrustManager.getAcceptedIssuers and ClientTrustManager.getAcceptedIssuers must return an empty array:

public X509Certificate[] getAcceptedIssuers() {
    if (JiveGlobals.getBooleanProperty(ConnectionSettings.Server.TLS_ACCEPT_SELFSIGNED_CERTS, false)) {
        // Answer an empty list since we accept any issuer
        return new X509Certificate[0];
    }
    // ... rest of the method not quoted in the post
}

public X509Certificate[] getAcceptedIssuers() {
    if (JiveGlobals.getBooleanProperty("xmpp.client.certificate.accept-selfsigned", false)) {
        // Answer an empty list since we accept any issuer
        return new X509Certificate[0];
    }
    // ... rest of the method not quoted in the post
}

can you help?
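The thread turns on one JSSE behaviour: when a server SSLEngine/SSLSocket requests a client certificate, the Distinguished Names it advertises are taken from the X509TrustManager's getAcceptedIssuers(). The following is an added example, not Openfire code, showing a wrapper trust manager (hypothetical class name EmptyIssuerListTrustManager) that keeps verification unchanged but advertises no issuers, which is what the posts expect from accept-selfsigned=true.

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

/**
 * Hypothetical wrapper (not part of Openfire): delegates every trust decision
 * to the real X509TrustManager, but reports an empty accepted-issuer list so
 * the server's CertificateRequest carries no Distinguished Names. Only the DN
 * hint is removed; chain validation in checkClientTrusted is not loosened.
 */
public final class EmptyIssuerListTrustManager implements X509TrustManager {
    private final X509TrustManager delegate;

    public EmptyIssuerListTrustManager(X509TrustManager delegate) {
        this.delegate = delegate;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkClientTrusted(chain, authType); // verification unchanged
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0]; // JSSE builds the DN list from this
    }

    /** Builds a server-side SSLContext whose X509 trust managers are wrapped. */
    public static SSLContext serverContext(KeyManager[] keyManagers, KeyStore trustStore)
            throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        TrustManager[] original = tmf.getTrustManagers();
        TrustManager[] wrapped = new TrustManager[original.length];
        for (int i = 0; i < original.length; i++) {
            wrapped[i] = (original[i] instanceof X509TrustManager)
                    ? new EmptyIssuerListTrustManager((X509TrustManager) original[i])
                    : original[i];
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, wrapped, null);
        return ctx;
    }
}
```

Verify the effect with a packet capture of a handshake where the engine has setWantClientAuth(true): the Distinguished Names field of the CertificateRequest should be empty. Clients that pick their certificate by matching the advertised issuer DN will then get no hint and may send nothing, so test client-auth flows after the change.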