I want to run a jabberd2 server (V 2.40) with secure client connections.
I followed the instructions from the documentation and the server is up and running:
https://github.com/jabberd2/jabberd2/wiki/InstallGuide-OpenSSLConfiguration

But it seems that there is no secure client connection.
When I follow the hints for requesting the certificate, there is no peer certificate:
Getting SSL certificate chain from jabber server

openssl s_client -connect my.jabber.server.net:5222 </dev/null

CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 648 bytes and written 117 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

The actual configuration is

  <local>
         <pemfile>/etc/jabberd2/jabber.pem</pemfile>
         <verify-mode>7</verify-mode>
         <require-starttls>1</require-starttls>
         <ciphers>EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH</ciphers>
    <id register-enable='mu'>domainname.de</id>
  </local>

Following the hints in c2s.xml I altered this to

  <local>
    <id realm='domainname.de'
        pemfile='/etc/jabberd2/jabber.pem'
        ciphers='EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'
        verify-mode='7'
        require-starttls='mu'
        instructions='Geben Sie einen gueltigen Benutzernamen mit Passwort an um einzuloggen!'
    >domainname.de</id>
    <id password-change='mu' />
  </local>

Then the openssl test is successful with

---
No client certificate CA names sent
---
SSL handshake has read 1700 bytes and written 138 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: 720846E32D...CA23
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1484331794
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

But now NO client will connect to the server!
I tested it with Pidgin and Psi and both report an SSL handshake error!

Reading the example c2s.xml I find:

<id realm='company.int'
    pemfile='/etc/jabberd2/server.pem'
    verify-mode='7'
    cachain='/etc/jabberd2/client_ca_certs.pem'
    require-starttls='mu'
    register-enable='mu'
    instructions='Enter a username and password to register with this server.'
    register-oob='http://example.org/register'
    password-change='mu'
>example.net</id>

So maybe client_ca_certs.pem is missing?
But I have no idea how to generate it.

Any help would be fantastic.

Karsten

1 Answer


Jabber uses the STARTTLS protocol extension on port 5222, so you need to enable the extension with -starttls xmpp when testing:

openssl s_client -connect my.jabber.server.net:5222 -starttls xmpp </dev/null

All the connection options for 5222 virtual hosts are set directly as attributes on the <id ... /> tag.

Direct XMPP tunnelling in SSL is possible on port 5223 when enabled. The options you configure as tags under <local> ... <pemfile> etc. configure the 5223 port. If you enable this, you can test without the -starttls option as you attempted:

openssl s_client -connect my.jabber.server.net:5223 </dev/null
smokku
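As an added example (not code from the question, the answer, or the jabberd2 project), here is a small POSIX shell helper that runs the probe the answer describes in either mode and turns the s_client transcript into a one-line verdict. It assumes OpenSSL 1.1.0 or newer for the -xmpphost option, and uses verify return code 18, the value shown in the question's output, to flag a self-signed certificate.

```shell
# Probe a jabberd2 port in the TLS mode that port actually speaks:
#   starttls -> port 5222, TLS negotiated via the XMPP <starttls/> extension
#   direct   -> port 5223, TLS from the first byte ("old-style SSL")
# Arguments: host port mode [xmpp-domain]; the domain is also sent as SNI.
# To verify against a private CA instead of the system store, append -CAfile /path/to/ca.pem.
xmpp_tls_probe() {
  host=$1; port=$2; mode=$3; domain=${4:-$host}
  case "$mode" in
    starttls) opts="-starttls xmpp -xmpphost $domain" ;;  # -xmpphost assumed available (OpenSSL 1.1.0+)
    direct)   opts="" ;;
    *) echo "usage: xmpp_tls_probe host port starttls|direct [domain]" >&2; return 2 ;;
  esac
  # $opts is deliberately unquoted so its words become separate arguments.
  openssl s_client -connect "$host:$port" -servername "$domain" $opts </dev/null 2>/dev/null
}

# Read s_client output on stdin and print one status word plus a hint, so the
# outcome can be checked without reading the whole transcript.
verify_summary() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q '^no peer certificate available'; then
    echo "NOTLS: no certificate seen; on 5222 this means STARTTLS was not negotiated (use -starttls xmpp) or TLS is not configured for that port"
    return 1
  fi
  code=$(printf '%s\n' "$out" | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
  case "$code" in
    0)  echo "OK: certificate chain verified (code 0)"; return 0 ;;
    18) echo "SELFSIGNED: self-signed certificate (code 18); clients such as Pidgin reject it unless its CA is in their trust store"; return 1 ;;
    "") echo "UNKNOWN: no 'Verify return code' line found"; return 2 ;;
    *)  echo "FAIL: certificate verification failed (code $code)"; return 1 ;;
  esac
}

# Example invocations (need network; hostnames are the placeholders from the question):
#   xmpp_tls_probe my.jabber.server.net 5222 starttls domainname.de | verify_summary
#   xmpp_tls_probe my.jabber.server.net 5223 direct   domainname.de | verify_summary
```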
  • Yes - I already have made these tests. I tried this configuration: ` ` ` mydomain.de ` Then I get a working answer with openssl. But the clients like Pidgin or PSI will not connect any more! They report: "Connection error on 0x7f07f0c20280 (reason: 5 description: SSL-Verhandlung fehlgeschlagen)" – Karsten Jan 15 '17 at 09:52
  • I think that both server and client are working as designed - but the certificate is not accepted by the clients. I already opened a bug report at Pidgin for this: https://developer.pidgin.im/ticket/17148#ticket. The question is how to generate "the right" TLS certificate? – Karsten Jan 15 '17 at 10:00
  • Most of us use https://letsencrypt.org nowadays – smokku Jan 15 '17 at 10:57
  • I know. But I have a bad feeling, because everyone boycotts self-signed certificates now. They are working perfectly in Apache and Exim. Why not with XMPP and Jabber? What about using Jabber in an intranet without internet? – Karsten Jan 15 '17 at 12:27
  • smoku please explain how to use the configuration option "cachain='/etc/jabberd2/client_ca_certs.pem'". This would be helpful to test other variants of certificates. – Karsten Jan 15 '17 at 12:31