[Operators] TLS, certificates, heartache, and pain.

Dave Cridland dave at cridland.net
Tue Oct 14 18:41:22 CDT 2008 

So today, out of probably hundreds of connections, one - aside from  
other Isode M-Link deployments - offered my server SASL EXTERNAL:

10/14 23:47:50 xmppd    05979 (root    ) I-MBOX-Info Successfully   
authenticated as dave.cridland.net to proxy.sapo.pt

So either this means my certificate fails to validate, but  
proxy.sapo.pt, alone of all of the Sapo domains, validates it anyway,  
or else my certificate should validate, but I'm doing  something  
wrong, or everyone else is.

Ordinarily, this'd be a matter for seeking advice from those nice  
folk across the hall, in jdev, but I figured that somebody,  
somewhere, out of all of you must have a server that actually logs a   
reason why a remote certificate isn't trusted.

Incidentally, the other direction - and I promise not to rant about  
why servers only use EXTERNAL when they validate *my* certificate -  
curiously has more success:

/var/log/isode/mlink-event.2008-10-14-00-00.log:10/14 18:28:52 xmppd   
    14416 (root    ) N-MBOX-Notice S2S TLS auth with explicit  
identity  jabber.org
/var/log/isode/mlink-event.2008-10-14-00-00.log:10/14 19:08:05 xmppd   
    14416 (root    ) N-MBOX-Notice S2S TLS auth with explicit  
identity  im.flosoft.biz
/var/log/isode/mlink-event.2008-10-14-00-00.log:10/14 19:55:08 xmppd   
    14416 (root    ) N-MBOX-Notice S2S TLS auth with explicit  
identity  jabber.org
/var/log/isode/mlink-event.2008-10-14-00-00.log:10/14 20:29:53 xmppd   
    31663 (root    ) N-MBOX-Notice S2S TLS auth with explicit  
identity  jabber.org
/var/log/isode/mlink-event.2008-10-14-00-00.log:10/14 21:04:19 xmppd   
    31663 (root    ) N-MBOX-Notice S2S TLS auth with explicit  
identity  jabber.org
/var/log/isode/mlink-event.2008-10-14-00-00.log:10/14 21:36:11 xmppd   
    31663 (root    ) N-MBOX-Notice S2S TLS auth with explicit  
identity  jabber.org
/var/log/isode/mlink-event.2008-10-14-00-00.log:10/14 21:38:58 xmppd   
    31663 (root    ) N-MBOX-Notice S2S TLS auth with explicit  
identity  im.flosoft.biz
/var/log/isode/mlink-event.2008-10-14-00-00.log:10/14 22:37:29 xmppd   
    31663 (root    ) N-MBOX-Notice S2S TLS auth with explicit  
identity  jabber.org
/var/log/isode/mlink-event.2008-10-14-00-00.log:10/14 23:33:27 xmppd   
    31663 (root    ) N-MBOX-Notice S2S TLS auth with explicit  
identity  jabber.org

Anyone got any idea why this is behaving so weirdly? Does anyone have  
logging they could use?

FWIW, it's possible that sometimes servers accept the EXTERNAL offer  
even when they can't validate the certificate, but why this should be  
  only sometimes is beyond me.

The server is dave.cridland.net in case that's not clear. The same  
certificate is also used on imap and imaps, but not xmpps.

Any ideas, or even better logging data, gratefully received.

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

More information about the Operators mailing list