Re: testing jabberd2 TLS with openssl s_client

2015-05-10 Thread Guenther Kuenzel

thanks for the detailed description, this was really helpful.
the pre-starttls strings clarify the behaviour.

i am going to try to set up a second SM, one for guuk.eu and one for 
xmpp.guuk.eu, this should solve my issue.

thanks again and greetings
-mog





Re: testing jabberd2 TLS with openssl s_client

2015-05-09 Thread Guenther Kuenzel

i found the error by myself. IMHO this is a bug within jabberd2 not responding 
to openssl s_client calls while using the FQDN instead of the domain part of 
the JID. especially because some xmpp clients give you the ability to connect 
to another host instead of your domain part of your JID.


while using the FQDN of my host i am not getting a response from openssl 
s_client:

root@cargo:/etc/jabberd2 2015/05/10 03:21:31 # openssl s_client -CApath 
/etc/ssl/certs -starttls xmpp -connect xmpp.guuk.eu:5222
CONNECTED(0003)
^C

using the domain part of the JID is giving me a response:

root@cargo:/etc/jabberd2 2015/05/10 03:22:59 # openssl s_client -CApath 
/etc/ssl/certs -starttls xmpp -connect guuk.eu:5222   
CONNECTED(0003)
depth=2 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN 
= StartCom Certification Authority
verify return:1
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN 
= StartCom Class 2 Primary Intermediate Server CA
verify return:1
depth=0 C = DE, ST = Hessen, L = Wiesbaden, O = G\C3\BCnther K\C3\BCnzel, CN = 
xmpp.guuk.eu, emailAddress = p... @guuk.eu
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hessen/L=Wiesbaden/O=G\xFCnther 
K\xFCnzel/CN=xmpp.guuk.eu/emailAddress=p... @guuk.eu
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom 
Class 2 Primary Intermediate Server CA   
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom 
Class 2 Primary Intermediate Server CA   
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom 
Certification Authority  
 2 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom 
Certification Authority  
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom 
Certification Authority  
--- 
  
Server certificate 

the certification chain is only working, because my certificate is signed for 
both, xmpp.guuk.eu and guuk.eu.

not sure how to proceed with that, but it looks like it was a nice try to use 
username @ domainname.tld for JIDs. it's just not working. looks like i have to 
use username @ hostname.domainname.tld ...

greetings
-mog





Re: testing jabberd2 TLS with openssl s_client

2015-05-09 Thread Karim Malhas
I wouldn't say it's a bug. You didn't show us the complete configuration file, 
but I am assuming you did not configure jabberd2 to also serve xmpp.guuk.eu, 
so when you try to connect to xmpp.guuk.eu jabberd2 doesn't know that it should 
also serve users for x...@xmpp.guuk.eu. If you need that you can just configure 
a second session manager.

There is an issue with openssl that you ran into, which might have helped you 
to find this out yourself. It's that when you connect like this

openssl s_client -starttls xmpp -connect example.com:5222

when there is a server running at example.com:5222, but it's not configured to 
serve example.com, then openssl doesn't show you that error message, but it 
just prints 

 CONNECTED(0003)

(and gets stuck in an endless loop ...)

Which is not entirely incorrect, after all it established a connection, but the 
starttls part failed, and it doesn't print an error message.

So you _can_ in fact use user @ domainname.tld ! You just can't debug it with 
openssl :-)

Yaxim works, because it's smarter than openssl. It connects to xmpp.guuk.eu, 
but it sends the correct hostname guuk.eu in its pre-starttls connection data

<stream to='guuk.eu' version='1.0'>

openssl doesn't know that you want to connect as u...@guuk.de, the only 
information it has is the host xmpp.guuk.de so it sends that instead.

<stream to='xmpp.guuk.eu' version='1.0'>

for which your server is not configured, it responds with host-unknown, which 
openssl doesn't show you.
So the bug is in fact in openssl: 
http://rt.openssl.org/Ticket/Display.html?id=2860&user=guest&pass=guest

If you want to use u...@guuk.de instead of u...@xmpp.guuk.de just configure it, 
and if it works in yaxim it will probably work in all other clients.


Karim


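An added example (not from this thread or from the jabberd2 or OpenSSL projects) that does the pre-STARTTLS exchange Karim describes by hand: it sends the stream header with a chosen `to` domain and classifies the server's reply, so a `host-unknown` stream error becomes visible instead of being swallowed as s_client does. The host, port and domain arguments are assumptions; the sample replies are constructed.

```python
import re
import socket
import sys


def stream_header(to_domain: str) -> str:
    """Build the XMPP stream opener; 'to' is the JID domain, not the host."""
    return ("<?xml version='1.0'?>"
            "<stream:stream xmlns='jabber:client' "
            "xmlns:stream='http://etherx.jabber.org/streams' "
            f"to='{to_domain}' version='1.0'>")


def classify_response(data: str) -> str:
    """Classify the server's pre-TLS reply: 'host-unknown' when the 'to'
    domain is not served, 'stream-error' for any other stream error,
    'starttls' when STARTTLS is advertised, 'unknown' otherwise."""
    if re.search(r"<stream:error>.*?<host-unknown\b", data, re.S):
        return "host-unknown"
    if "<stream:error>" in data:
        return "stream-error"
    if re.search(r"<starttls\s+xmlns=.urn:ietf:params:xml:ns:xmpp-tls.", data):
        return "starttls"
    return "unknown"


def probe(host: str, port: int, to_domain: str, timeout: float = 5.0) -> str:
    """Connect, send the stream header, read until features or stream end."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(stream_header(to_domain).encode())
        buf = b""
        while b"</stream:features>" not in buf and b"</stream:stream>" not in buf:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
    return buf.decode(errors="replace")


# Constructed sample replies, shaped like a jabberd2 rejection and acceptance.
SAMPLE_REJECT = ("<stream:stream xmlns:stream='http://etherx.jabber.org/streams'>"
                 "<stream:error><host-unknown "
                 "xmlns='urn:ietf:params:xml:ns:xmpp-streams'/></stream:error>"
                 "</stream:stream>")
SAMPLE_ACCEPT = ("<stream:features><starttls "
                 "xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>"
                 "</stream:features>")

if __name__ == "__main__":  # usage: script.py <host> <to-domain>
    print(classify_response(probe(sys.argv[1], 5222, sys.argv[2])))
```

Running it once with the host name and once with the JID domain as `to` reproduces the two s_client runs above, but with the server's answer shown.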

Re: testing jabberd2 TLS with openssl s_client

2015-05-09 Thread Guenther Kuenzel

so, i checked my configuration, but i am stuck, no ideas anymore what is 
missing or wrong.

that's the software i am using. jabberd2 from unstable and openssl from testing 
(debian)

# dpkg --list jabberd2 openssl
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name      Version    Architecture  Description
+++-=========-==========-=============-=====================================================
ii  jabberd2  2.3.3-2    amd64         Jabber instant messenger server
ii  openssl   1.0.2a-1   amd64         Secure Sockets Layer toolkit - cryptographic utility


only c2s.xml and sm.xml are changed, the rest of the configuration is unchanged.

# diff c2s.xml.dpkg-dist c2s.xml
141c141,144
<     <id register-enable='mu'>localhost.localdomain</id>
---
>     <id realm='' 
>         pemfile='/etc/ssl/private/xmpp.guuk.eu.pem' 
>         require-starttls='yes'
>     >guuk.eu</id>
373c376
<     <module>sqlite</module>
---
>     <module>pam</module>

# diff sm.xml.dpkg-dist sm.xml
79c79
<     <id>localhost.localdomain</id>
---
>     <id>guuk.eu</id>
93c93
<     <driver>sqlite</driver>
---
>     <driver>fs</driver>

here is the concatenation of my PEM file

# cat /etc/ssl/certs/xmpp.guuk.eu.crt /etc/ssl/private/xmpp.guuk.eu.key 
/etc/ssl/certs/sub.class2.server.ca.pem /etc/ssl/certs/ca.pem > 
/etc/ssl/private/xmpp.guuk.eu.pem 

the log file of c2s; as you can see, yaxim is able to connect to the server 
using TLS

# tail -f /var/log/jabberd2/c2s.log 
Sat May  9 10:48:23 2015 [notice] starting up
Sat May  9 10:48:23 2015 [info] process id is 12710, written to 
/var/run/jabberd2/c2s.pid
Sat May  9 10:48:23 2015 [notice] modules search path: 
/usr/lib/x86_64-linux-gnu/jabberd2
Sat May  9 10:48:23 2015 [info] loading 'pam' authreg module
Sat May  9 10:48:23 2015 [notice] initialized auth module 'pam'
Sat May  9 10:48:23 2015 [notice] [guuk.eu] configured; realm=, registration 
disabled, using PEM:/etc/ssl/private/xmpp.guuk.eu.pem
Sat May  9 10:48:23 2015 [notice] attempting connection to router at 127.0.0.1, 
port=5347
Sat May  9 10:48:23 2015 [notice] connection to router established
Sat May  9 10:48:23 2015 [notice] [0.0.0.0, port=5222] listening for connections
Sat May  9 10:48:23 2015 [notice] ready for connections
Sat May  9 10:48:38 2015 [notice] [7] [192.168.178.7, port=50074] connect
Sat May  9 10:48:39 2015 [notice] [7] PLAIN authentication succeeded: 
m...@guuk.eu 192.168.178.7:50074 TLS
Sat May  9 10:48:39 2015 [notice] [7] bound: jid=m...@guuk.eu/yaxim.492DDC63

and here is the openssl command which gets stuck after the CONNECTED message.

# openssl s_client -CApath /etc/ssl/certs -starttls xmpp -connect 
xmpp.guuk.eu:5222
CONNECTED(0003)
^C

i am lost :)
any ideas?

thanks in advance and greetings
-mog






Re: testing jabberd2 TLS with openssl s_client

2015-05-08 Thread Tomasz Sterna
On 2015-05-08, Fri at 22:47 +0200, Guenther Kuenzel wrote:
> what i expect is a dump of the certificate chain, like it is with all
> other protocols which are supported by openssl s_client.
> any ideas?

Misconfigured server?

With my server it works just fine...

23:34 ~ $ openssl s_client -CApath /etc/ssl/certs -starttls xmpp -connect 
chrome.pl:5222
CONNECTED(0003)
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN 
= StartCom Class 1 Primary Intermediate Server CA
[...]
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom 
Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom 
Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom 
Certification Authority
[... and so on ...]
 


-- 
 /o__ Q: How do you stop an elephant from charging?
(_^' A: Take away his credit cards.




Re: testing jabberd2 TLS with openssl s_client

2015-05-08 Thread Guenther Kuenzel
> > what i expect is a dump of the certificate chain, like it is with all
> > other protocols which are supported by openssl s_client.
> > any ideas?
>
> Misconfigured server?
>
> With my server it works just fine...
>
> 23:34 ~ $ openssl s_client -CApath /etc/ssl/certs -starttls xmpp -connect
> chrome.pl:5222
> CONNECTED(0003)
> depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate
> Signing, CN = StartCom Class 1 Primary Intermediate Server CA

looks like i have to check my configuration. i assumed TLS was working
fine, because i could connect to my server with TLS using yaxim and kopete,
but not with openssl s_client.

thanks for your fast answer.