[Operators] TLS, certificates, heartache, and pain.
Dave Cridland
dave at cridland.net
Tue Oct 14 18:41:22 CDT 2008
So today, out of probably hundreds of connections, one - aside from
other Isode M-Link deployments - offered my server SASL EXTERNAL:

10/14 23:47:50 xmppd 05979 (root ) I-MBOX-Info Successfully authenticated as dave.cridland.net to proxy.sapo.pt

So either this means my certificate fails to validate, but
proxy.sapo.pt, alone of all of the Sapo domains, validates it anyway,
or else my certificate should validate, but I'm doing something
wrong, or everyone else is.

Ordinarily, this'd be a matter for seeking advice from those nice
folk across the hall, in jdev, but I figured that somebody,
somewhere, out of all of you must have a server that actually logs a
reason why a remote certificate isn't trusted.

Incidentally, the other direction - and I promise not to rant about
why servers only use EXTERNAL when they validate *my* certificate -
curiously has more success:

/var/log/isode/mlink-event.2008-10-14-00-00.log:10/14 18:28:52 xmppd 14416 (root ) N-MBOX-Notice S2S TLS auth with explicit identity jabber.org
/var/log/isode/mlink-event.2008-10-14-00-00.log:10/14 19:08:05 xmppd 14416 (root ) N-MBOX-Notice S2S TLS auth with explicit identity im.flosoft.biz
/var/log/isode/mlink-event.2008-10-14-00-00.log:10/14 19:55:08 xmppd 14416 (root ) N-MBOX-Notice S2S TLS auth with explicit identity jabber.org
/var/log/isode/mlink-event.2008-10-14-00-00.log:10/14 20:29:53 xmppd 31663 (root ) N-MBOX-Notice S2S TLS auth with explicit identity jabber.org
/var/log/isode/mlink-event.2008-10-14-00-00.log:10/14 21:04:19 xmppd 31663 (root ) N-MBOX-Notice S2S TLS auth with explicit identity jabber.org
/var/log/isode/mlink-event.2008-10-14-00-00.log:10/14 21:36:11 xmppd 31663 (root ) N-MBOX-Notice S2S TLS auth with explicit identity jabber.org
/var/log/isode/mlink-event.2008-10-14-00-00.log:10/14 21:38:58 xmppd 31663 (root ) N-MBOX-Notice S2S TLS auth with explicit identity im.flosoft.biz
/var/log/isode/mlink-event.2008-10-14-00-00.log:10/14 22:37:29 xmppd 31663 (root ) N-MBOX-Notice S2S TLS auth with explicit identity jabber.org
/var/log/isode/mlink-event.2008-10-14-00-00.log:10/14 23:33:27 xmppd 31663 (root ) N-MBOX-Notice S2S TLS auth with explicit identity jabber.org

Anyone got any idea why this is behaving so weirdly? Does anyone have
logging they could use?

FWIW, it's possible that sometimes servers accept the EXTERNAL offer
even when they can't validate the certificate, but why this should be
only sometimes is beyond me.

The server is dave.cridland.net in case that's not clear. The same
certificate is also used on imap and imaps, but not xmpps.

Any ideas, or even better logging data, gratefully received.

Dave.

--
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
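The check a server needs in order to log *why* it declined to trust a peer's certificate (the logging asked for above) as an added Go example; it is not part of this post nor of any server mentioned in it. The CA, the leaf certificate and the domain names are constructed test data, and mkCert and VerifyPeer are hypothetical helper names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert builds a constructed test cert: nil parent gives a self-signed CA, else a leaf signed by parent.
func mkCert(cn string, sans []string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              sans, // the identities an S2S peer may claim with this cert
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, pkey = tmpl, key // self-sign the CA
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// VerifyPeer returns "" if cert chains to roots and names the claimed domain, else the reason to log before offering EXTERNAL.
func VerifyPeer(cert *x509.Certificate, domain string, roots *x509.CertPool) string {
	if _, err := cert.Verify(x509.VerifyOptions{DNSName: domain, Roots: roots}); err != nil {
		return err.Error()
	}
	return ""
}

func main() {
	ca, caKey := mkCert("Test CA", nil, true, nil, nil)
	leaf, _ := mkCert("dave.cridland.net", []string{"dave.cridland.net"}, false, ca, caKey) // constructed sample
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	fmt.Printf("wrong identity:   %q\n", VerifyPeer(leaf, "proxy.sapo.pt", roots))
	fmt.Printf("untrusted issuer: %q\n", VerifyPeer(leaf, "dave.cridland.net", x509.NewCertPool()))
}
```

A valid chain for the right name returns the empty string; a name mismatch and an issuer missing from the trust store each return a distinct, loggable reason.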