Hello @all!
With the intention of configuring the client-cert policy (Mutual Authentication) individually for STARTTLS and SSL (legacy mode), I found out that this is not possible, even though the Web GUI suggests it.
The complete encryption configuration under Client Connection Settings (c2s) in the Web GUI does not apply separately to STARTTLS or SSL (legacy).
The settings overwrite each other / are saved in common parameters for
- Mutual Authentication (here: xmpp.client.cert.policy)
- Certificate chain checking
- Encryption Protocols
- Encryption Cipher Suites
That is not what the GUI settings suggest in each “Advanced configuration…”:
- “The configuration on this page applies to plain text (with STARTTLS) client-to-server connections.”
http://pix.academ.info/img/2016/12/14/58fff0fd7f8658474abb83fbd9f16ab9.jpg
- “The configuration on this page applies to encrypted (legacy-mode) client-to-server connections.”
Besides the other encryption settings, I would like to set them individually for each port.
So the common setting
- xmpp.client.cert.policy = needed
could be somewhat like
- xmpp.socket.plain.starttls.client.cert.policy = “”
for plain/STARTTLS, port 5222 (default), and
- xmpp.socket.ssl.client.cert.policy = needed
for implicit SSL (legacy mode), default port 5223.
What intentions/plans do you have for these settings?
My goal is to use them to separate two client groups: one with access via the internal network, and the other with access via the internet but with the obligation to use a client-side certificate for validation. As suggested by the Web GUI, I thought this was possible.
Thank you in advance for reading all of this, and in general for your support!
With best regards, sincerely,
Thomas Westerholt
PS: Sorry for my bad English