I painfully made a self-signed cert for my email with the intermediate step of
making a cert that mints the final cert. Basically a three-step process.
Do I remember how I did this? Nope. But I should be able to do it again. I
will work on this a bit. But if you want to change the code, I'm more than
willing to build the binary again.
Email works just fine with self signed certs, but you have additional schemes
to prove your identity, though few email service providers bother. (SPF and
DKIM prove you control the server/DNS and have open source programs to do this.
But of course a cert from an authority does that in one step.)
I suspect you wouldn't want s2s to use a self-signed cert, so allowing two
levels of verification (c2s and s2s) sounds complex. You fix one thing in
software and you break something else.
I think the best scheme is for me to do the three-step self-signed cert.
Obviously I will document this if I get it to work, replacing the old
I noticed the online documentation doesn't completely match the xml, but there
are enough comments in the xml that I could get close to setting it up. It is
just the certs that are confusing.
From: Tomasz Sterna
Sent: Tuesday, May 3, 2016 9:17 AM
Reply To: email@example.com
Cc: Jabber/XMPP software development list
Subject: Re: self signed cert
On 03.05.2016, Tue at 02:12 -0700, user
> jabberd2 version(2.3.6)
> I followed these instructions:
> SM : sx (ssl.c:405) secure channel not established, handshake in
> SM : sx (ssl.c:59) verify error:num=18:self signed
I guess I could catch X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT (18)
in SSL_CTX_set_verify callback and pass the cert through,
but I'm ambivalent about it...
We should really discourage use of self-signed certificates.
On the other hand, it really speeds up test deployments.
Maybe have it as an option, to enable if you really-really need to use
What do you think?
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/