3 Replies Last post: May 5, 2008 2:03 PM by Alex Ferguson  
Alex Ferguson (Bronze, 2 posts since May 3, 2008)

May 3, 2008 1:37 PM

OpenFire PKI Question

Does anyone know of a problem with the Openfire server not handling PKI certificates correctly? I'm just starting to get into this (newbie) and could use some help. I've been told that if you're trying to authenticate with PKI, the client handles it correctly... but you can put an expired certificate on the server, and when the server tries to authenticate, it will still work with an expired certificate.

Anyone know if this is true or not, or have any experience with PKI authentication?

Alex

slushpupie (KeyContributor, 705 posts since Jan 27, 2006)

May 3, 2008 5:39 PM in response to: Alex Ferguson

Re: OpenFire PKI Question

I added the PKI support in, but it never got well documented. So here we go:

First, set these server properties:

xmpp.client.cert.policy : needed
xmpp.client.certificate.crl : path to the CRLs, in a single file in PEM format
xmpp.client.certificate.verify : true
xmpp.client.certificate.verify.chain : true
xmpp.client.certificate.verify.root : true
xmpp.client.certificate.verify.validity : true
xmpp.client.certificate.accept-selfsigned : false  (or set it to true, and make sure the cert itself is in the CA list described below)

Next, you need to add the CAs (and any intermediate CAs) to the client truststore. The client truststore is only used for verifying clients and has no impact on the normal s2s verifications, so it's OK to keep it limited to just the CAs you trust. In fact, you don't want any CAs listed that you don't trust. This file is defined in the property xmpp.socket.ssl.client.truststore, or defaults to resources/security/client.truststore (it should exist and be empty by default). If you want to use your own file located elsewhere (say from a Tomcat install, or whatever), make sure you update both that property and xmpp.socket.ssl.client.trustpass with the password to the truststore.

After the above config changes, restart Openfire. It will require c2s connections to present a cert from the known CAs. Normal authentication will still be in effect, though. If you have a client that supports it, you can enable EXTERNAL authentication to skip the password requirement of logins. At the moment, I think only Spark from svn supports this; if you know of another version, let me know. To enable EXTERNAL auth in Openfire, you need to edit openfire.xml and add (or modify) the sasl section so it looks like this:

EXTERNAL  (you can add others in there too, if you want to allow them, such as PLAIN, CRAM-MD5, etc.)

This means the CN of the client cert must exactly match the JID of the user. At the moment we don't have any good mapping methods.

If you need help with any of this, just speak up. I don't think I'll be writing a document anytime soon, since there are not many (any?) people using this besides me right now. This post might just become the documentation.

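As an added example (not code from this thread and not Openfire's own code), the following Python script mirrors, outside the server, the checks that the properties in the post turn on: the issuer must be in the client truststore (verify.root, and accept-selfsigned=false unless the self-signed cert itself was imported), the signature must verify under that issuer (verify.chain), the current time must fall inside the validity period (verify.validity), and the serial must not appear in a CRL from a single PEM file (certificate.crl), plus the EXTERNAL-auth rule that the CN must equal the user's JID. It uses the third-party `cryptography` package (assumed installed) to generate a throwaway CA, client certificates and CRLs in memory; every name in it (the CAs, alice@example.com and so on) is made up. Because it builds an expired certificate explicitly, it is also a way to see what "the server accepts an expired certificate", the behaviour the question asks about, would look like if verify.validity were not enforced.

```python
"""Emulate Openfire's client-certificate checks outside the server.

Added example, not Openfire code. Mirrors what the server properties
xmpp.client.certificate.verify.{root,chain,validity}, xmpp.client.certificate.crl
and xmpp.client.certificate.accept-selfsigned enforce, plus the EXTERNAL-auth
rule that the certificate CN must equal the user's JID. All CAs, users and
serial numbers below are made up; the `cryptography` package is assumed.
"""
import re
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.now(timezone.utc)
DAY = timedelta(days=1)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _utc(dt):  # older `cryptography` releases return naive UTC datetimes
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def make_cert(cn, not_before, not_after, signer=None, ca=False, serial=None):
    """Issue an EC cert for CN; self-signed when signer (key, cert) is None."""
    key = ec.generate_private_key(ec.SECP256R1())
    signer_key, issuer = (key, _name(cn)) if signer is None else (signer[0], signer[1].subject)
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(issuer)
            .public_key(key.public_key())
            .serial_number(serial or x509.random_serial_number())
            .not_valid_before(not_before).not_valid_after(not_after)
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))
    return key, cert


def make_crl_pem(ca_key, ca_cert, revoked_serials):
    """Return one PEM-encoded CRL signed by the CA (the format the crl property wants)."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
         .last_update(NOW - DAY).next_update(NOW + 7 * DAY))
    for s in revoked_serials:
        b = b.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(s).revocation_date(NOW - DAY).build())
    return b.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.PEM)


def load_crl_file(pem_bytes):
    """Split one PEM file that holds several CRLs (one per issuing CA)."""
    blocks = re.findall(rb"-----BEGIN X509 CRL-----.*?-----END X509 CRL-----", pem_bytes, re.S)
    return [x509.load_pem_x509_crl(b) for b in blocks]


def verify_client_cert(cert, truststore, crls, now=NOW):
    """Return (ok, reason); `truststore` plays the role of client.truststore."""
    # verify.root / accept-selfsigned=false: the issuer must be in the truststore,
    # so a self-signed cert only passes if that very cert was imported into it.
    issuer = next((c for c in truststore if c.subject == cert.issuer), None)
    if issuer is None:
        return False, "issuer not in client truststore"
    # verify.chain: the signature must check out under the issuer's key
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
    except InvalidSignature:
        return False, "bad signature"
    # verify.validity: the step the original question worries might be skipped
    nb = _utc(getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before)
    na = _utc(getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after)
    if not nb <= now <= na:
        return False, "outside validity period"
    # certificate.crl: consult only CRLs that this cert's issuer actually signed
    for crl in crls:
        if crl.issuer == cert.issuer and crl.is_signature_valid(issuer.public_key()):
            if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
                return False, "revoked"
    return True, "ok"


def jid_for(cert):
    """EXTERNAL auth as described in the post: the CN is taken as the user's JID."""
    cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return cns[0].value if len(cns) == 1 else None


def run_demo():
    """Constructed scenario: one trusted CA, one foreign CA, five client certs."""
    ca_key, ca = make_cert("Example Client CA", NOW - DAY, NOW + 365 * DAY, ca=True)
    other_key, other_ca = make_cert("Other CA", NOW - DAY, NOW + 365 * DAY, ca=True)
    _, alice = make_cert("alice@example.com", NOW - DAY, NOW + 30 * DAY, signer=(ca_key, ca))
    _, bob = make_cert("bob@example.com", NOW - 60 * DAY, NOW - DAY, signer=(ca_key, ca))  # expired
    _, carol = make_cert("carol@example.com", NOW - DAY, NOW + 30 * DAY, signer=(ca_key, ca), serial=4242)
    _, dave = make_cert("dave@example.com", NOW - DAY, NOW + 30 * DAY, signer=(other_key, other_ca))
    _, erin = make_cert("erin@example.com", NOW - DAY, NOW + 30 * DAY)  # self-signed, never imported
    # both CAs' CRLs concatenated into one PEM blob, as the crl property expects
    crls = load_crl_file(make_crl_pem(ca_key, ca, [4242]) + make_crl_pem(other_key, other_ca, []))
    truststore = [ca]  # only the CA we trust, as the post advises
    return {jid_for(c): verify_client_cert(c, truststore, crls)[1]
            for c in (alice, bob, carol, dave, erin)}


if __name__ == "__main__":
    for jid, reason in run_demo().items():
        print(f"{jid}: {reason}")
```

The truststore here is a plain list of CA certs rather than a Java keystore, and the chain is one level deep; with intermediate CAs, the intermediate would have to be verified against the root the same way before it is allowed to vouch for the client cert, which is why the post says to import intermediates into client.truststore as well.
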
slushpupie (KeyContributor, 705 posts since Jan 27, 2006)

May 3, 2008 5:42 PM in response to: slushpupie
Re: OpenFire PKI Question

Oh, and by the way: Java's handling of CRLs is very memory intensive. General rule of thumb: take the CRL file size and multiply by two, and that's how much memory the CRLs alone will take up. I'm working on OCSP support, which should make this better.
