I painfully made a self signed cert for my email with the intermediate step of makeling a cert that mints the final cert. Basically a three step process.
Do I remember how I did this? Nope. But I should be able to do it again. I will work on this a bit. But if you want to change the code, I'm more than willing to build the binary again. Email works just fine with self signed certs, but you have additional schemes to prove your identity, though few email service providers bother. (SPF and DKIM prove you control the server/DNS and have open source programs to do this. But of course a cert from an authority does that in one step.) I suspect you wouldn't want s2s to use a self signed cert, so allowing two level of verification (c2s and s2s) sounds complex. You fix one thing in software and you break something else. I think the best scheme is for me to do the three step self signed cert. Obviously I will document this if I get it to work, replacing the old documentation. I noticed the online documentation doesn't completely match the xml, but there are enough comments in the xml that I could get close to setting it up. It is just the certs that are confusing. Original Message From: Tomasz Sterna Sent: Tuesday, May 3, 2016 9:17 AM To: firstname.lastname@example.org Reply To: email@example.com Cc: Jabber/XMPP software development list Subject: Re: self signed cert W dniu 03.05.2016, wto o godzinie 02∶12 -0700, użytkownik li...@lazygranch.com napisał: > jabberd2 version(2.3.6) > I followed these instructions: > https://github.com/jabberd2/jabberd2/wiki/InstallGuide-OpenSSLConfigu > ration > [...] > SM : sx (ssl.c:405) secure channel not established, handshake in > progress > SM : sx (ssl.c:59) verify error:num=18:self signed > certificate:depth=0:/C=US/ST=state/L=city/O=none/OU=none > /CN=mydomain.org/emailAddress=webmas...@mydomain.org > ---------------------------------------------------- I guess I could catch X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT (18) in SSL_CTX_set_verify callback and pass the cert through, but I'm ambivalent about it... We should really discourage use of self-signed certificates. On the other hand, it really speeds-up test deployments. Maybe have it as an opition, to enable if you really-really need to use self-signed certificates? What do you think? -- smoku @ http://abadcafe.pl/ @ http://xiaoka.com/