powered by Jive Software

Web-Gui - c2s settings: Encr. settings doesn't apply separately for starttls or ssl(legacy)

Hello @all!

With the intention to configure the client-cert policy(Mutual Authentication) individually for starttls and ssl(legacy mode) I found out, that’s not possible, even though suggested by the Web-GUI.

The complete encryption configuration at Client Connection Settings (c2s) on the web-gui doesn’t apply separately for starttls or ssl(legacy).

They are overwriting vice versa / saved in common parameters for

  • Mutual Authentication (here: xmpp.client.cert.policy)

  • Certificate chain checking

  • Encryption Protocols

  • Encryption Cipher Suites

That’s not what the GUI-Settings suggests in each “Advanced configuration…”:

  • “The configuration on this page applies to plain text (with STARTTLS) client-to-server connections.”

http://pix.academ.info/img/2016/12/14/58fff0fd7f8658474abb83fbd9f16ab9.jpg via

  • “The configuration on this page applies to encrypted (legacy-mode) client-to-server connections.”

Beneath the other encryption settings I would like to set them individually for each Port.

So the common setting

  • *xmpp.client.cert.policy = needed *

could be somewhat like

  • xmpp.socket.plain.starttls.client.cert.policy = “”

for plain/starttls, Port 5222(def.), and

  • xmpp.socket.ssl.client.cert.policy = needed

for implicit ssl (legacy mode), Default-Port 5223

What were the intentions/plans you have for these settings?

My target is to use it to separate two client groups, one with access via internal network and the other with access via internet but with the obligation to use a client-side certificate for validation. As suggested by the Web-GUI I thought it’s possible.

Thank you in award to read all and in general your support!

With best regards, sincerely,

Thomas Westerholt

PS: Sorry for my bad english

Hello

As it seems that no one knows an answer here: Could my question be better situated in the devs-section?

Sorry for my impatience :wink:

With best regards, sincerely,

Thomas Westerholt

No difference where to post really. There are not many active devs watching this forum.

I would issues the described behave as a bug.