[Juser] Maddening with SSL certificates

Peter Saint-Andre stpeter at jabber.org
Tue May 1 11:19:12 CDT 2007


Jonathan Siegle wrote:
> Hello Matthias,
> 
> Matthias Wimmer said the following on 5/1/07 11:58 AM:
>> Hi Peter!
>>
>> Peter Saint-Andre schrieb:
>>> certificate from the XMPP ICA). It is true that there was a bug in
>>> ejabberd (not presenting the entire certificate chain) but we installed
>>> a patch on 2007-03-16 and as far as I know the jabber.org server is
>>> behaving properly now.
>>
>> I have not checked for port 5222+STARTTLS, but at least for port 5223
>> jabber.org is presenting the full certificate chain including the
>> intermediate certificate as well as the root certificate.
>>
>>
>> Matthias
>>
> 
>     Thanks for noting that. I couldn't quite understand why it was 
> telling me that there is a "self signed certificate in certificate 
> chain". Duh! I'll look at fixing that right now..

???

I see this (sorry for the big paste):

******

$ openssl s_client -connect jabber.org:5223 -CAfile ca.crt
CONNECTED(00000003)
depth=2 /C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/emailAddress=admin at startcom.org
verify return:1
depth=1 /C=US/ST=Colorado/O=Jabber Software Foundation/OU=Secure Certificate Signing/CN=StartCom Class 1 Intermediate CA - Jabber Software Foundation/emailAddress=certmaster at jabber.org
verify return:1
depth=0 /C=US/ST=Colorado/L=Denver/O=Peter Saint-andre/OU=Domain validated only/CN=*.jabber.org/CN=jabber.org/emailAddress=hostmaster at jabber.org
verify return:1
---
Certificate chain
  0 s:/C=US/ST=Colorado/L=Denver/O=Peter Saint-andre/OU=Domain validated only/CN=*.jabber.org/CN=jabber.org/emailAddress=hostmaster at jabber.org
    i:/C=US/ST=Colorado/O=Jabber Software Foundation/OU=Secure Certificate Signing/CN=StartCom Class 1 Intermediate CA - Jabber Software Foundation/emailAddress=certmaster at jabber.org
  1 s:/C=US/ST=Colorado/O=Jabber Software Foundation/OU=Secure Certificate Signing/CN=StartCom Class 1 Intermediate CA - Jabber Software Foundation/emailAddress=certmaster at jabber.org
    i:/C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/emailAddress=admin at startcom.org
  2 s:/C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/emailAddress=admin at startcom.org
    i:/C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/emailAddress=admin at startcom.org
---
Server certificate
subject=/C=US/ST=Colorado/L=Denver/O=Peter Saint-andre/OU=Domain validated only/CN=*.jabber.org/CN=jabber.org/emailAddress=hostmaster at jabber.org
issuer=/C=US/ST=Colorado/O=Jabber Software Foundation/OU=Secure Certificate Signing/CN=StartCom Class 1 Intermediate CA - Jabber Software Foundation/emailAddress=certmaster at jabber.org
---
No client certificate CA names sent
---
SSL handshake has read 5335 bytes and written 480 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
SSL-Session:
     Protocol  : TLSv1
     Cipher    : AES256-SHA
     Session-ID: 38D9C8DD536AA09E8D672E73E6D739E5732147D13CFB2A1D5C038143523BF652
     Session-ID-ctx:
     Master-Key: 0C52BE996D8CEA63AEFBE539EC3404AAF244C9F57F5000F01A06D26C7EAF3AE03BD46361BCB683BA152703D8F71B5326
     Key-Arg   : None
     Start Time: 1178036272
     Timeout   : 300 (sec)
     Verify return code: 0 (ok)
---

******

So all seems well, no?

Peter

-- 
Peter Saint-Andre
XMPP Standards Foundation
http://www.xmpp.org/xsf/people/stpeter.shtml
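
An added example, not part of the original message or of any project mentioned in it: a small Python check over the "Certificate chain" section of `openssl s_client` output that reports the two conditions discussed in this thread, a server that omits its intermediates and a server that also sends the self-signed root. The sample transcripts and DNs are constructed, and the parser assumes each `s:`/`i:` entry sits on one unwrapped line.

```python
import re

# Constructed transcripts (shortened DNs), in the layout s_client prints.
FULL = """Certificate chain
 0 s:/CN=jabber.org
   i:/CN=Example Intermediate CA
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
 2 s:/CN=Example Root CA
   i:/CN=Example Root CA
---
"""
LEAF_ONLY = """Certificate chain
 0 s:/CN=jabber.org
   i:/CN=Example Intermediate CA
---
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject, active = [], None, False
    for line in text.splitlines():
        if line.strip() == "Certificate chain":
            active = True
        elif active and line.startswith("---"):
            break
        elif active and (m := re.match(r"\s*\d+\s+s:(.*)", line)):
            subject = m.group(1).strip()
        elif active and subject and (m := re.match(r"\s*i:(.*)", line)):
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def audit_chain(chain):
    """Report what a verifying client needs in order to accept this chain."""
    if not chain:
        return ["no certificates presented"]
    findings = [f"depth {d}: issuer is not the subject at depth {d + 1}"
                for d in range(len(chain) - 1) if chain[d][1] != chain[d + 1][0]]
    subject, issuer = chain[-1]
    if subject == issuer and len(chain) > 1:
        # Sending the root proves nothing; the client must already trust it.
        findings.append(f"self-signed root sent: client must trust {subject!r} locally")
    elif subject == issuer:
        findings.append("leaf is self-signed")
    else:
        findings.append(f"chain stops at depth {len(chain) - 1}: client must hold {issuer!r} locally")
    return findings

if __name__ == "__main__":
    for name, text in (("full", FULL), ("leaf only", LEAF_ONLY)):
        print(name, audit_chain(parse_chain(text)))
```
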
