10

Trying to connect my Jabber client (Pidgin) to a Jabber server with a self-signed certificate, I am getting an "unable to validate certificate" error.

As it is not possible to tell the client not to validate the chain, I would like to get the certificate chain in order to import it there. Therefore I use:

openssl s_client -connect my.jabber.server.net:5222 </dev/null

I am getting the following answer:

openssl s_client -connect cup1.sprachdienst.fraunhofer.de:5222

CONNECTED(00000003)
140472458057376:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 213 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Why don't I get the certificate chain while my jabber client does?

ProfHase85

4 Answers

9

The solution is: Jabber requires starttls:

openssl s_client -connect my.jabber.server.net:5222 </dev/null -starttls xmpp

returns the certificate.

ProfHase85
2

As noted in a previous answer, Jabber/XMPP requires -starttls.

Client-to-server (c2s) certificate for my.jabber.server.net.

openssl s_client -connect my.jabber.server.net:5222 </dev/null -starttls xmpp

To expand upon that answer, there are two types of connections:

  • Normal client logins: -starttls xmpp, default port 5222
  • Connection between servers: -starttls xmpp-server, default port 5269

Server-to-server (s2s) certificate for my.jabber.server.net.

openssl s_client -connect my.jabber.server.net:5269 </dev/null -starttls xmpp-server

With OpenSSL 1.1.0+ you can also check custom domains with the -xmpphost <domain> flag, or use the option alias -name in OpenSSL 1.1.1+.

Client-to-server (c2s) certificate for custom domain other.example.org hosted by my.jabber.server.net:

openssl s_client -connect my.jabber.server.net:5222 </dev/null -starttls xmpp -xmpphost other.example.org

Server-to-server (s2s) certificate for custom domain other.example.org hosted by my.jabber.server.net:

openssl s_client -connect my.jabber.server.net:5269 </dev/null -starttls xmpp-server -xmpphost other.example.org
Joel Purra
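The two answers above give the one-liners; the script below is an added example (not part of the original question or either answer) that turns them into a repeatable procedure: it runs s_client with -starttls xmpp or -starttls xmpp-server plus -showcerts, splits the output into one PEM file per certificate in the chain (leaf first), and prints subject, issuer and SHA-256 fingerprint of each so the chain can be checked before anything is imported into the client. The hostnames, ports and output directories are placeholders; only split_chain runs without network access.

```shell
#!/bin/sh
# Added example, not code from the original post. Hostnames, ports and
# directories below are assumptions for illustration.

# split_chain DIR
# Reads `openssl s_client -showcerts` output on stdin and writes every
# -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block to
# DIR/cert-N.pem (N starts at 0; the server sends its own leaf first).
# Prints the number of certificates written.
split_chain() {
    dir=$1
    mkdir -p "$dir"
    rm -f "$dir"/cert-*.pem
    awk -v dir="$dir" '
        BEGIN { n = 0; inblock = 0 }
        /-----BEGIN CERTIFICATE-----/ { out = dir "/cert-" n ".pem"; inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { close(out); inblock = 0; n++ }
        END { print n }
    '
}

# fetch_chain HOST PORT PROTO DIR
# PROTO is "xmpp" for client-to-server (port 5222) or "xmpp-server" for
# server-to-server (port 5269). An XMPP stream starts in cleartext: the
# client must send the XML stream header and <starttls/> and wait for
# <proceed/> before the TLS handshake. -starttls does that dance, which is
# why a plain `openssl s_client -connect host:5222` gets "ssl handshake
# failure" and "no peer certificate available". Prints the number of
# certificates saved and fails if none were received.
fetch_chain() {
    host=$1 port=$2 proto=$3 dir=$4
    n=$(openssl s_client -connect "$host:$port" -starttls "$proto" \
            -servername "$host" -showcerts </dev/null 2>/dev/null |
        split_chain "$dir")
    echo "$n"
    [ "$n" -gt 0 ]
}

# describe DIR
# Prints subject, issuer and SHA-256 fingerprint of each saved certificate.
# For a self-signed server, compare the leaf fingerprint with one obtained
# from the server operator out of band before trusting it in the client.
describe() {
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer -fingerprint -sha256
    done
}

# Usage (needs network access; hostnames are placeholders):
#   fetch_chain my.jabber.server.net 5222 xmpp        ./c2s-chain && describe ./c2s-chain
#   fetch_chain my.jabber.server.net 5269 xmpp-server ./s2s-chain && describe ./s2s-chain
```

For a virtual-hosted domain, add -xmpphost other.example.org (OpenSSL 1.1.0+) or -name other.example.org (1.1.1+) to the s_client call in fetch_chain, exactly as in the answer above; the split and fingerprint steps do not change. Importing only the leaf (cert-0.pem) is enough for a self-signed server; for a server with a private CA, import the top of the chain instead so the trust anchor survives certificate renewals.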
0

Easy way:

  1. Close Pidgin.
  2. Find your certificates folder (Windows: %appdata%\.purple) (Linux: /home/<Username>/.purple/certificates/x509/tls_peers).
  3. Delete everything in the certificate folder.
  4. Restart Pidgin and eventually you should get a new certificate that works.

P.S.: Windows users who aren't familiar with %appdata%: just type %appdata%\.purple in your address bar and press Enter.

Nullpointer
  • Not if your server is presenting a self-signed cert (although it's not good to blindly accept a cert downloaded in this fashion). If this is happening to you, you'll see: `nss: ERROR -8172: SEC_ERROR_UNTRUSTED_ISSUER` in the debug window for one of the received certs. – noobish Apr 03 '17 at 19:05
-1

Generating the self-signed cert with the following command worked for me:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout example.key -out example.crt -subj /CN=example.com -addext subjectAltName=DNS:example.com,DNS:example.net,IP:10.0.0.1

(Command found here)

Quantim
Ren
  • Hi, the question is about how to get already generated and installed certificate from the jabber server, not generating new one. – Quantim Feb 19 '19 at 06:37