When I try to login using the Spark 2.8.2 client to our Openfire 4.0.3 server, I now get an “Unable to verify certificate error” but it worked fine with the 2.8.x and 2.7.x clients before this. The only way I can get it to login is to use “Accept all certificates (…)” option in Advanced. I have no idea if something in my certificate settings on the server is misconfigured, but it worked up until the 2.8.2 client. Again, maybe it has something to do with the fact that our server is actually named “openfire.domain.com” (not our real domain name) but it is registered and accessed through a DNS alias (I guess is what it is called) of “ims.domain.com”. Not sure. I waited several days to see if someone would comment about this, but I don’t see anyone else having this problem.
Nothing has changed with your certificate or server. In 2.8.2 this setting is disabled by default (it was enabled by default since its appearance in 2.8.0). Though it should stick when it was already enabled, and in my testing it does, apparently it doesn’t in some cases. I had numerous cases of this at work, but I can’t reproduce it myself in my tests. I’m puzzled right now why it happens.
@speedy as you were the one who introduced this setting, do you see anything that could be causing that (not obeying the setting already in LocalPreferences and switching to default)? That’s the commit changing its default value from true to false: SPARK-1789 changed Accept All Certificates to disabled by default by wrooot · Pull Request #231 · igniterealtime/Spark ·…
Well, I am not sure what you mean by “stick when it was already enabled”. Do you mean on upgrading the client, I guess? I did the in-place upgrade with the full installer of 2.8.2, and when that didn’t work, I completely uninstalled Spark and reinstalled the 2.8.2, and that didn’t work either. I’m not sure I understand why this is even necessary. Are the certificates on the server self-signed?
I’m having various wild ideas. I’m starting to guess that this is happening with very old installations which were using 2.7 versions and then were upgraded to 2.8. Just like some other issues reported in the forums which are fixed by a clean reinstall. When doing an upgrade, Spark leaves old files behind and maybe these are causing such problems.
This setting was introduced in 2.8.0 as, with the upgrade to Smack 4, it became obvious that users would have problems logging into servers with self-signed certificates. So this setting was added and enabled by default, so Spark would silently accept such certificates (which are not considered fully trusted). As time passed by I felt that we might reverse that setting, so new users would have to make their own decision and turn that setting on if needed. But this setting should stay enabled for those who already had it enabled. In my tests it was staying enabled when upgrading to 2.8.2. But for some reason it is getting disabled after the upgrade in some cases. A clean 2.8.2 install should have it disabled. That is expected.
Yes, certificates generated by the server (Openfire) are self-signed.
Is there any way to have a local Openfire server and this setting to not be a requirement? I guess that is the part where I am confused.
My guess… with clients that are having the issue, AcceptAllCertificates was not saved to spark.properties, so when 2.8.2 is launched for the first time, it’s being added with a false value.
I’ll try to see what I can figure out tonight or tomorrow! I still haven’t set up an instance at the new gig!
Do you mean to make Spark work with that setting being disabled? To have a trusted, not expired certificate (one provided by a trusted authority, like Let’s Encrypt, StartCom, etc.) installed on the server instead of self-signed ones.
Well, I guess one can also disable encryption and just use plain connections, but I don’t advise such a way.
speedy, my users were already on the 188.8.131.528 build (2.8.0 was 885), so they should already be having this setting. I have reproduced this once on a fresh profile. Will need to do more tests to see what is happening.
Yes, that’s what I meant. I suppose we would have to purchase a certificate in that scenario? I think we have a purchased one, but it’s for our web server. Don’t know if that’s compatible as I don’t know much about certificates.
I think the certificate should be issued to the domain (or subdomain) your server is named as. Though some certificates can be of a wildcard type and cover subdomains also. I haven’t had much experience with that either. I always used self-signed ones generated by Openfire. I guess you can try adding the one you own. You can compare with the self-signed ones (they should be showing what domain they are issued for): Admin Console > TLS/SSL certificates > Manage Identity Store link (any link).
There are also free certificates such as Let’s Encrypt, but at least Let’s Encrypt only provides them via automatic tools and they expire very quickly (and will be expiring even faster in the future).
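The two posts above touch on the two checks a client performs when “Accept all certificates” is off: the certificate must chain to a trusted issuer, and one of its names must match the hostname the user typed (so a server named openfire.domain.com reached through the alias ims.domain.com needs both names, or a matching wildcard, in the certificate). The following is an added example, not Spark’s or Openfire’s code; it implements the RFC 6125 DNS-name matching rules that XMPP clients apply, and the certificate names and issuer status in it are constructed for illustration.

```python
"""Hostname matching as a TLS client performs it (RFC 6125 rules for DNS names).

Added example, not code from Spark or Openfire. No certificate is parsed here;
the subjectAltName lists and the issuer status are constructed inputs.
"""

from typing import Iterable, List


def hostname_matches(hostname: str, san_dns_names: Iterable[str]) -> bool:
    """Return True if hostname matches any DNS name in the certificate.

    Rules applied: case-insensitive label comparison; a wildcard is only
    allowed as the whole left-most label, matches exactly one label, and
    must be followed by at least two labels (so '*.com' matches nothing).
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for pattern in san_dns_names:
        pat_labels = pattern.rstrip(".").lower().split(".")
        if len(pat_labels) != len(host_labels):
            continue  # a wildcard never spans more than one label
        if pat_labels[0] == "*":
            if len(pat_labels) < 3:
                continue  # refuse wildcards on top-level or bare domains
            if pat_labels[1:] == host_labels[1:]:
                return True
        elif pat_labels == host_labels:
            return True
    return False


def verification_problems(hostname: str, san_dns_names: Iterable[str],
                          issuer_trusted: bool) -> List[str]:
    """List why a strict client would reject this certificate (empty = accepted).

    Both findings are what the 'Accept all certificates' option suppresses.
    """
    problems = []
    if not issuer_trusted:
        problems.append("untrusted-issuer")   # e.g. Openfire's self-signed cert
    if not hostname_matches(hostname, san_dns_names):
        problems.append("name-mismatch")      # alias not present in the cert
    return problems


if __name__ == "__main__":
    # Constructed scenario from the thread: server cert names only the real
    # host, but users connect through the DNS alias.
    cert_names = ["openfire.domain.com"]
    print(verification_problems("ims.domain.com", cert_names, issuer_trusted=False))
    # A CA-issued certificate that also carries the alias (or a wildcard) passes.
    print(verification_problems("ims.domain.com",
                                ["openfire.domain.com", "ims.domain.com"],
                                issuer_trusted=True))
    print(verification_problems("ims.domain.com", ["*.domain.com"], issuer_trusted=True))
```

The function reports both findings separately because they have different remedies: a self-signed Openfire certificate needs either a CA-issued replacement or explicit import into the client’s trust store, while a name mismatch is fixed only by reissuing the certificate with the alias users actually type.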
I have found the culprit. Advanced menu’s settings are never saved into spark.properties if a user never opened that menu. So the previously introduced “Accept all certificates” setting hasn’t been saved into the settings file for most of the users (as most users won’t go to that menu). As I go to that menu almost daily while testing various things, I wasn’t affected by this… Well, at least this is a one-time issue. After checking that setting it will be saved during the next Spark updates. [SPARK-1844] Not saving settings without opening Advanced menu once - IgniteRealtime JIRA
Well, that makes sense, but I have been in the advanced menu before. But now that I think about it, I think I completely uninstalled Spark before installing 2.8.0, then upgrading to 2.8.1, and I don’t think I had gone back into the Advanced menu until today. So probably that’s it!
Yes, you had all the other settings saved in the settings file (say “Use version as a hostname” with a false value, if you haven’t changed it), but not this one, as it was introduced in 2.8.0 and it couldn’t be saved if you hadn’t opened that menu after updating.
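The root cause described in the last posts is a general one: a setting that only lives as an in-memory default, and is never written to the preferences file, silently takes whatever the new default is when that default flips between releases. The example below is added here and is not Spark’s code; it parses a Java-style properties file, shows how the effective value of the setting changes between a release that defaulted to true and one that defaults to false, and shows a migration step that pins the previously effective value on upgrade, which is the behaviour the thread says was intended. The file contents, the property key names other than the setting discussed, and the version cut-off used for the migration are constructed for the example.

```python
"""Why an unsaved preference changes behaviour when its default flips.

Added example, not Spark's code. The sample file, the helper key names and
the version cut-off are constructed; only the affected setting follows the
thread (stored here under the constructed key 'acceptAllCertificates').
"""

import re
from typing import Dict, Optional, Tuple

SETTING = "acceptAllCertificates"
OLD_DEFAULT = True    # releases before the flip: absent key meant "accept"
NEW_DEFAULT = False   # release after the flip: absent key means "verify"
FLIP_VERSION = (2, 8, 2)  # first release with the new default (constructed)

# Constructed spark.properties of a user who never opened the Advanced menu:
# other settings were written, the new one never was.
SAMPLE_PROPERTIES = """# constructed sample, not a real Spark file
useHostnameAsResource=false
server.port : 5222
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '=' or ':' separators, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def effective_accept_all(props: Dict[str, str], default: bool) -> bool:
    """The value the client actually uses: file value if present, else default."""
    value = props.get(SETTING)
    if value is None:
        return default
    return value.lower() == "true"


def migrate(props: Dict[str, str],
            previous_version: Optional[Tuple[int, int, int]]) -> Dict[str, str]:
    """Pin the old effective value when upgrading across the default flip.

    Only an upgrade from a pre-flip release with the key absent is affected;
    a fresh install (previous_version None) keeps the new, stricter default.
    """
    if (previous_version is not None and previous_version < FLIP_VERSION
            and SETTING not in props):
        props[SETTING] = "true" if OLD_DEFAULT else "false"
    return props


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("old release:", effective_accept_all(props, OLD_DEFAULT))   # True
    print("new release:", effective_accept_all(props, NEW_DEFAULT))   # False: login breaks
    migrated = migrate(dict(props), (2, 8, 1))
    print("after migration:", effective_accept_all(migrated, NEW_DEFAULT))  # True, as before
```

Pinning the old value keeps existing users working; a stricter variant would write the key explicitly but prompt the user once, since the pinned value disables certificate verification and the user never consciously chose it. Either way, the lesson is that a security default should be written to the preferences file the first time it is consulted, not only when its settings panel is opened.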