On Wed Oct 15 09:51:06 2008, Norman Rasmussen wrote:
> On Wed, Oct 15, 2008 at 1:41 AM, Dave Cridland <[EMAIL PROTECTED]> wrote:
>
> > Anyone got any idea why this is behaving so weirdly? Does anyone have
> > logging they could use?
> > Any ideas, or even better logging data, gratefully received.
>
> BTW: It seems like your server isn't accepting incoming IPv6 connections
> (but happily makes outgoing ones).

Ah... Does from here, thanks, I'll take a look. Given it's making outgoing connections, I'm guessing I've inadvertently firewalled something.

Trading logs (and mine are, I admit, seriously verbose):

10/15 09:33:35 xmppd 05979 (root ) I-MBOX-Info new connection from ::ffff:41.241.78.53
10/15 09:33:37 xmppd 05979 (root ) D-MBOX-Auth closed authoritative s2s connection to domain NA [::ffff:88.191.13.175]
10/15 09:33:39 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:39 xmppd 05979 (root ) X-MBOX-Debug Suppressing unsupported purpose error.
10/15 09:33:39 xmppd 05979 (root ) X-MBOX-Debug SSL depth=0:emailAddress = [EMAIL PROTECTED], CN = darkskies.za.net, OU = Domain validated only, O = Norman Rasmussen, L = Cape Town, ST = Western Cape, C = ZA
10/15 09:33:39 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:39 xmppd 05979 (root ) X-MBOX-Debug Suppressing unsupported purpose error.
10/15 09:33:39 xmppd 05979 (root ) X-MBOX-Debug SSL depth=0:emailAddress = [EMAIL PROTECTED], CN = darkskies.za.net, OU = Domain validated only, O = Norman Rasmussen, L = Cape Town, ST = Western Cape, C = ZA
10/15 09:33:39 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:39 xmppd 05979 (root ) X-MBOX-Debug SSL depth=2:emailAddress = [EMAIL PROTECTED], CN = Free SSL Certification Authority, OU = CA Authority Dep., O = StartCom Ltd., L = Eilat, ST = Israel, C = IL
10/15 09:33:39 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:39 xmppd 05979 (root ) X-MBOX-Debug SSL depth=1:emailAddress = [EMAIL PROTECTED], CN = StartCom Class 1 Intermediate CA - Jabber Software Foundation, OU = Secure Certificate Signing, O = Jabber Software Foundation, ST = Colorado, C = US
10/15 09:33:39 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:39 xmppd 05979 (root ) X-MBOX-Debug SSL depth=0:emailAddress = [EMAIL PROTECTED], CN = darkskies.za.net, OU = Domain validated only, O = Norman Rasmussen, L = Cape Town, ST = Western Cape, C = ZA
10/15 09:33:39 xmppd 05979 (root ) I-MBOX-Info IP=::ffff:41.241.78.53 version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256/256 compression="(None)" certificate verified=YES
10/15 09:33:39 xmppd 05979 (root ) N-MBOX-Notice TLS identity selected as darkskies.za.net (default)
10/15 09:33:41 xmppd 05979 (root ) I-MBOX-Info new receiving connection to darkskies.za.net host darkflame.darkskies.za.net:5269
10/15 09:33:44 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:44 xmppd 05979 (root ) X-MBOX-Debug SSL depth=2:emailAddress = [EMAIL PROTECTED], CN = Free SSL Certification Authority, OU = CA Authority Dep., O = StartCom Ltd., L = Eilat, ST = Israel, C = IL
10/15 09:33:44 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:44 xmppd 05979 (root ) X-MBOX-Debug SSL depth=1:emailAddress = [EMAIL PROTECTED], CN = StartCom Class 1 Intermediate CA - Jabber Software Foundation, OU = Secure Certificate Signing, O = Jabber Software Foundation, ST = Colorado, C = US
10/15 09:33:44 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:44 xmppd 05979 (root ) X-MBOX-Debug SSL depth=0:emailAddress = [EMAIL PROTECTED], CN = darkskies.za.net, OU = Domain validated only, O = Norman Rasmussen, L = Cape Town, ST = Western Cape, C = ZA
10/15 09:33:45 xmppd 05979 (root ) I-MBOX-Info IP=2001:470:8:19c:2c0:4fff:fe43:b628 version=TLSv1/SSLv3 cipher=AES256-SHA bits=256/256 compression="(None)" certificate verified=YES
10/15 09:33:47 xmppd 05979 (root ) I-MBOX-Info successful setup of a receiving db connection from dave.cridland.net to darkskies.za.net
10/15 09:33:47 xmppd 05979 (root ) D-MBOX-Auth closed receiving s2s connection to domain darkskies.za.net [2001:470:8:19c:2c0:4fff:fe43:b628]
10/15 09:33:48 xmppd 05979 (root ) I-MBOX-Info lookup initiating an orginating session from dave.cridland.net to darkskies.za.net
10/15 09:33:48 xmppd 05979 (root ) I-MBOX-Info new originator connection to darkskies.za.net host darkflame.darkskies.za.net:5269
10/15 09:33:51 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:51 xmppd 05979 (root ) X-MBOX-Debug SSL depth=2:emailAddress = [EMAIL PROTECTED], CN = Free SSL Certification Authority, OU = CA Authority Dep., O = StartCom Ltd., L = Eilat, ST = Israel, C = IL
10/15 09:33:51 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:51 xmppd 05979 (root ) X-MBOX-Debug SSL depth=1:emailAddress = [EMAIL PROTECTED], CN = StartCom Class 1 Intermediate CA - Jabber Software Foundation, OU = Secure Certificate Signing, O = Jabber Software Foundation, ST = Colorado, C = US
10/15 09:33:51 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:51 xmppd 05979 (root ) X-MBOX-Debug SSL depth=0:emailAddress = [EMAIL PROTECTED], CN = darkskies.za.net, OU = Domain validated only, O = Norman Rasmussen, L = Cape Town, ST = Western Cape, C = ZA
10/15 09:33:52 xmppd 05979 (root ) I-MBOX-Info IP=2001:470:8:19c:2c0:4fff:fe43:b628 version=TLSv1/SSLv3 cipher=AES256-SHA bits=256/256 compression="(None)" certificate verified=YES
10/15 09:33:54 xmppd 05979 (root ) I-MBOX-Info successful setup originating db connection from dave.cridland.net to darkskies.za.net
10/15 09:33:54 xmppd 05979 (root ) N-MBOX-Notice Peer darkskies.za.net authenticates via TLS.

So we're both using dialback, which is to be expected, but I'm clearly verifying your certificate and successfully extracting an authorization identifier from it. My certificate seems valid to at least proxy.sapo.pt and amessage.de:

10/15 00:39:48 xmppd 05979 (root ) I-MBOX-Info Successfully authenticated as dave.cridland.net to amessage.de

And jabber.org - sometimes - appears to use my offer of EXTERNAL:

10/15 00:46:47 xmppd 05979 (root ) N-MBOX-Notice TLS identity selected as jabber.org (default)
10/15 00:46:47 xmppd 05979 (root ) N-MBOX-Notice S2S TLS auth with explicit identity jabber.org

Does your server always do dialback, or does it sometimes do TLS-based authentication? Does it do it with jabber.org? Does anyone? Ever?

I know that TLS based authentication works fine between myself and at least one other Isode M-Link deployment with a valid certificate, but whilst I'd be happy with a solution of "deploy Isode M-Link everywhere", I'm not convinced that's a practical proposition. ;-)

> other than that, you could use my proxy-xmpp-tls script [1] to test
> connections to your server with openssl
>
> [1] www.darkskies.za.net/~norman/scripts/proxy-xmpp-tls

Ta, I'll have a look.

Dave.
--
Dave Cridland - mailto:[EMAIL PROTECTED] - xmpp:[EMAIL PROTECTED]
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
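
Added example, not part of the original message and not the server's own tooling: a small Python parser for the xmppd log layout shown above that lists each successful dialback (db) setup together with whether the TLS session logged just before it had a verified certificate, plus the peers the log reports as authenticating via TLS. Pairing a dialback line with the preceding TLS line from the same pid is an assumption; the sample lines are copied from the log in this message.

```python
import re

# Layout of the log excerpt in the message above:
# MM/DD HH:MM:SS process pid (user) Level-FACILITY-Name text
LINE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) (\S+) (\d+) \([^)]*\) [A-Z]-\w+-\w+ (.*)$")
TLS = re.compile(r"^IP=(\S+) version=\S+ cipher=(\S+) .*certificate verified=(\w+)$")
DIALBACK = re.compile(r"^successful setup (of a receiving|originating) db connection from (\S+) to (\S+)$")
TLS_AUTH = re.compile(r"^Peer (\S+) authenticates via TLS\.$")

def summarise(lines):
    """Return (dialback_events, tls_auth_peers).

    Each dialback event records whether the TLS session logged just before it
    (same pid) had a verified certificate. Pairing by order is an assumption
    made for this example, not something the log states.
    """
    last_tls = {}  # pid -> (ip, cipher, verified) of the most recent TLS session
    dialback, tls_auth = [], []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # wrapped or foreign line: skip rather than guess
        when, _proc, pid, text = m.groups()
        if (t := TLS.match(text)):
            last_tls[pid] = (t.group(1), t.group(2), t.group(3) == "YES")
        elif (d := DIALBACK.match(text)):
            direction = "receiving" if d.group(1) == "of a receiving" else "originating"
            ip, _cipher, verified = last_tls.get(pid, (None, None, False))
            dialback.append({"time": when, "direction": direction, "from": d.group(2),
                             "to": d.group(3), "peer_ip": ip, "cert_verified": verified})
        elif (a := TLS_AUTH.match(text)):
            tls_auth.append(a.group(1))
    return dialback, tls_auth

# Sample lines copied from the log in the message above (certificate chain lines left out).
SAMPLE = """\
10/15 09:33:44 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:45 xmppd 05979 (root ) I-MBOX-Info IP=2001:470:8:19c:2c0:4fff:fe43:b628 version=TLSv1/SSLv3 cipher=AES256-SHA bits=256/256 compression="(None)" certificate verified=YES
10/15 09:33:47 xmppd 05979 (root ) I-MBOX-Info successful setup of a receiving db connection from dave.cridland.net to darkskies.za.net
10/15 09:33:52 xmppd 05979 (root ) I-MBOX-Info IP=2001:470:8:19c:2c0:4fff:fe43:b628 version=TLSv1/SSLv3 cipher=AES256-SHA bits=256/256 compression="(None)" certificate verified=YES
10/15 09:33:54 xmppd 05979 (root ) I-MBOX-Info successful setup originating db connection from dave.cridland.net to darkskies.za.net
10/15 09:33:54 xmppd 05979 (root ) N-MBOX-Notice Peer darkskies.za.net authenticates via TLS.
"""

if __name__ == "__main__":
    events, peers = summarise(SAMPLE.splitlines())
    for e in events:
        print(e["time"], e["direction"], e["from"], "->", e["to"], "cert verified:", e["cert_verified"])
    print("TLS-authenticated peers:", peers)
```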
