Openfire

Openfire fails to verify chained certificates

Details

  • Type: Bug Bug
  • Status: Resolved Resolved
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 3.7.1
  • Component/s: Core
  • Labels:
    None

Description

(3:52:24 PM) jdev@conference.jabber.org/seth: sorry to privmsg you, but I was hoping I could get your help on what looks like an openfire issue. Do you have a minute to chat?
(3:54:28 PM) Guus: hi
(3:54:34 PM) jdev@conference.jabber.org/seth: hi
(3:54:48 PM) Guus: actually, I'm very busy :/
(3:54:58 PM) jdev@conference.jabber.org/seth: yes
(3:54:59 PM) jdev@conference.jabber.org/seth: http://community.igniterealtime.org/thread/42845
(3:55:06 PM) jdev@conference.jabber.org/seth: intermediate (chaining) certs
(3:55:15 PM) jdev@conference.jabber.org/seth: ignore my emails
(3:55:16 PM) jdev@conference.jabber.org/seth: yeah
(3:55:31 PM) jdev@conference.jabber.org/seth: the emails were when I thought this issue was related to another - it's not - I spent last week testing it
(3:55:49 PM) jdev@conference.jabber.org/seth: the problem is when the certfile presented to openfire has more than one cert in it. Openfire drops the tls connection
(3:56:01 PM) Guus: ah
(3:56:08 PM) Guus: that might explain for some issues that I've been seeing
(3:56:27 PM) jdev@conference.jabber.org/seth: I have a godaddy cert which requires 3 intermediates
(3:56:41 PM) jdev@conference.jabber.org/seth: When I bundle them, openfire to prosody fails.
(3:56:52 PM) jdev@conference.jabber.org/seth: when I use just my cert (get rid of the other intermediates), it works
(3:57:01 PM) jdev@conference.jabber.org/seth: BUT then the clients complain because the chaining is broken
(3:58:25 PM) jdev@conference.jabber.org/seth: I also tried all the (documented) available options.
(3:58:37 PM) Guus: I'm terribly busy at the moment
(3:58:44 PM) jdev@conference.jabber.org/seth: ok
(3:58:44 PM) Guus: I'll copy/paste this conversation in a new JIRA issue
(3:58:48 PM) Guus: and figure it out later, ok?
(3:59:09 PM) jdev@conference.jabber.org/seth: thanks. yeah. THis is a bit important to me, so any attention you could give it would be greatly appreciated. Thank you very much.
(3:59:26 PM) Guus: I'm always happy to accept patches
(3:59:43 PM) jdev@conference.jabber.org/seth: I don't know java at all. If openfire were written in python, ...

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Scott Macdonald added a comment -

thei forum post might be the same issue.. and it seems one of the posters has created a patch... this is a blocking issue fro me to continue to use openfire.

http://community.igniterealtime.org/message/206943

Show
Scott Macdonald added a comment - thei forum post might be the same issue.. and it seems one of the posters has created a patch... this is a blocking issue fro me to continue to use openfire. http://community.igniterealtime.org/message/206943
Hide
Permalink
Guus der Kinderen added a comment -

Variuos commenters in threads linked to this issue appear to be right. The method org.jivesoftware.openfire.Connection.getLocalCertificates() returns one certificate chain, not a collection of equivalent certificates. Only the first certificate in the chain is the local certificate.

Show
Guus der Kinderen added a comment - Variuos commenters in threads linked to this issue appear to be right. The method org.jivesoftware.openfire.Connection.getLocalCertificates() returns one certificate chain, not a collection of equivalent certificates. Only the first certificate in the chain is the local certificate.
Hide
Permalink
Guus der Kinderen added a comment -

Modified code in such a way that it will only check the first cert in a chain.

Show
Guus der Kinderen added a comment - Modified code in such a way that it will only check the first cert in a chain.

People

  • Assignee:
    Guus der Kinderen
    Reporter:
    Guus der Kinderen
Vote (3)
Watch (3)

Dates

  • Created:
    Updated:
    Resolved: