I painfully made a self signed cert for my email with the intermediate step of 
makeling a cert that mints the final cert. Basically a three  step process.

 Do I remember how I did this? Nope. But I should be able to do it again. I 
will work on this a bit. But if you want to change the code, I'm more than 
willing to build the binary again.

Email works just fine with self signed certs, but you have additional schemes 
to prove your identity, though few email service providers bother. (SPF and 
DKIM prove you control the server/DNS and have open source programs to do this. 
‎But of course a cert from an authority does that in one step.) 

I suspect you wouldn't want s2s to use a self signed cert, so allowing two 
level of verification (c2s and s2s) sounds complex. You fix one thing in 
software and you break something else.

I think the best scheme is for me to do the three step self signed cert. 
Obviously I will document this if I get it to work, replacing the old 

I noticed the online documentation doesn't completely match the xml, but there 
are enough comments in the xml that I could get close to setting it up. It is 
just the certs that are confusing.

  Original Message  
From: Tomasz Sterna
Sent: Tuesday, May 3, 2016 9:17 AM
To: jabberd2@lists.xiaoka.com
Reply To: jabberd2@lists.xiaoka.com
Cc: Jabber/XMPP software development list
Subject: Re: self signed cert

W dniu 03.05.2016, wto o godzinie 02∶12 -0700, użytkownik
li...@lazygranch.com napisał:
> jabberd2 version(2.3.6)
> I followed these instructions:
> https://github.com/jabberd2/jabberd2/wiki/InstallGuide-OpenSSLConfigu
> ration
> [...]
> SM  : sx (ssl.c:405) secure channel not established, handshake in
> progress
> SM  : sx (ssl.c:59) verify error:num=18:self signed
> certificate:depth=0:/C=US/ST=state/L=city/O=none/OU=none
> /CN=mydomain.org/emailAddress=webmas...@mydomain.org
> ----------------------------------------------------

I guess I could catch X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT (18)
in SSL_CTX_set_verify callback and pass the cert through,
but I'm ambivalent about it...

We should really discourage use of self-signed certificates.
On the other hand, it really speeds-up test deployments.

Maybe have it as an opition, to enable if you really-really need to use
self-signed certificates?

What do you think?

smoku @ http://abadcafe.pl/ @ http://xiaoka.com/

Reply via email to