
Wildfire 2.6.0 SSL issues

I have two Wildfire 2.6.0 servers that run beautifully. They are on different servers on completely different networks. They are both installed as WAR applications using the latest Tomcat. The only significant difference between the two of them is that one of them (work) authenticates against Active Directory and the other (colocated personal) uses registration on its own database. They both use the internal database supplied with Wildfire.

Here's what is strange. When attempting to connect with SSL and/or TLS to the work server (AD), Gaim crashes and Psi cannot negotiate an encrypted connection. My personal Wildfire install works perfectly well with SSL and/or TLS…but their Security Settings are exactly the same! Below is a screenshot of the error I get with Psi and the console outputs of both servers leading up to Psi either continuing or stopping.

Server installed at work that auths against AD

Psi's error message

http://www.liquid5th.net/users/abstephe/images/odd.png

Personally owned, colocated server

is the key here. Why would two very similarly configured Wildfire servers behave differently here?

Did you install your own SSL keys? Because that is exactly what I was getting when I had the DSA keys (default generated by keytool) without the RSA keys. See the "CAcert" thread (http://www.jivesoftware.org/community/thread.jspa?threadID=17752&tstart=25) for more info on generating the RSA key. (If you didn't change from the self-signed certs, double-check that they are both there with 'keytool -keystore keystore -list'. It should list an RSA and a DSA key.)

I will try this solution…however, it's not going to explain the differences in behavior. Both of my installs have only 1 key, generated using the documentation for a self-signed certificate. It is still unclear why they are behaving differently.

Hey Brent,

I see that you are using Psi, which currently does not support SASL authentication but only the old authentication method (i.e. iq:auth). When using the old authentication method, the digest method is offered only if the user backend store supports it. As you have realized, LDAP does not support digest mode, so it is not being offered by the server to the client. I would recommend trying another client that supports SASL authentication (or maybe check if there is a newer version of Psi that supports it). Using SASL instead of iq:auth will give you a better security level.

Regards,

– Gato
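To make Gato's point concrete, here is an added illustration (not code from this thread or from Wildfire) of why a legacy iq:auth server can only advertise the digest method when its user store can hand back the password: the XEP-0078 digest is SHA-1 over the stream ID followed by the password, so a bind-only LDAP/AD backend has nothing to recompute it against and can only accept a plaintext password. The two backend classes and the sample user are constructed stand-ins.

```python
import hashlib
import hmac
from typing import Dict, List, Optional


def iq_auth_digest(stream_id: str, password: str) -> str:
    """XEP-0078 digest: lowercase hex SHA-1 over stream ID followed by password."""
    return hashlib.sha1((stream_id + password).encode("utf-8")).hexdigest()


class InternalDbBackend:
    """Constructed stand-in for the server's own user table: the password is retrievable."""
    def __init__(self, users: Dict[str, str]) -> None:
        self._users = users

    def get_password(self, username: str) -> Optional[str]:
        return self._users.get(username)

    def check_plain(self, username: str, password: str) -> bool:
        return self._users.get(username) == password


class LdapBindBackend:
    """Constructed stand-in for an AD/LDAP backend: it can only attempt a bind;
    the directory never gives the XMPP server the user's password."""
    def __init__(self, directory: Dict[str, str]) -> None:
        self._directory = directory  # simulates the directory that performs the bind

    def check_plain(self, username: str, password: str) -> bool:
        return self._directory.get(username) == password  # simulated LDAP bind


def offered_mechanisms(backend) -> List[str]:
    """Advertise <digest/> only if the server can recompute SHA-1(stream_id + password)."""
    mechs = ["password"]
    if hasattr(backend, "get_password"):
        mechs.insert(0, "digest")
    return mechs


def verify_iq_auth(backend, stream_id: str, username: str, fields: Dict[str, str]) -> bool:
    """Server-side check of a legacy iq:auth set; fields carries <digest/> or <password/>."""
    if "digest" in fields:
        if "digest" not in offered_mechanisms(backend):
            return False  # client used a method the server never offered
        stored = backend.get_password(username)
        return stored is not None and hmac.compare_digest(
            fields["digest"], iq_auth_digest(stream_id, stored))
    if "password" in fields:
        return backend.check_plain(username, fields["password"])
    return False
```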

Thanks. It's really sad that Gaim has such an active development process but can't seem to get this right over the last 4 releases. Even clients that use their libgaim framework (Adium) get this right. Spark gets it right too, but I guess that's to be expected.