[Operators] TLS, certificates, heartache, and pain.

Dave Cridland dave at cridland.net
Wed Oct 15 04:25:31 CDT 2008


On Wed Oct 15 09:51:06 2008, Norman Rasmussen wrote:
> On Wed, Oct 15, 2008 at 1:41 AM, Dave Cridland <dave at cridland.net>  
> wrote:
> 
> > Anyone got any idea why this is behaving so weirdly? Does anyone  
> have
> > logging they could use?
> > Any ideas, or even better logging data, gratefully received.
> 
> 
> BTW: It seems like your server isn't accepting incoming IPv6  
> connections
> (but happily makes outgoing ones).
> 
> 
Ah... Does from here, thanks, I'll take a look. Given it's making  
outgoing connections, I'm guessing I've inadvertently firewalled  
something.

Trading logs (and mine are, I admit, seriously verbose):

10/15 09:33:35 xmppd    05979 (root    ) I-MBOX-Info new connection from ::ffff:41.241.78.53
10/15 09:33:37 xmppd    05979 (root    ) D-MBOX-Auth closed authoritative s2s connection to domain NA [::ffff:88.191.13.175]
10/15 09:33:39 xmppd    05979 (root    ) N-MBOX-Notice Doing a peer verification
10/15 09:33:39 xmppd    05979 (root    ) X-MBOX-Debug Suppressing unsupported purpose error.
10/15 09:33:39 xmppd    05979 (root    ) X-MBOX-Debug SSL depth=0:emailAddress = hostmaster at darkskies.za.net, CN = darkskies.za.net, OU = Domain validated only, O = Norman Rasmussen, L = Cape Town, ST = Western Cape, C = ZA
10/15 09:33:39 xmppd    05979 (root    ) N-MBOX-Notice Doing a peer verification
10/15 09:33:39 xmppd    05979 (root    ) X-MBOX-Debug Suppressing unsupported purpose error.
10/15 09:33:39 xmppd    05979 (root    ) X-MBOX-Debug SSL depth=0:emailAddress = hostmaster at darkskies.za.net, CN = darkskies.za.net, OU = Domain validated only, O = Norman Rasmussen, L = Cape Town, ST = Western Cape, C = ZA
10/15 09:33:39 xmppd    05979 (root    ) N-MBOX-Notice Doing a peer verification
10/15 09:33:39 xmppd    05979 (root    ) X-MBOX-Debug SSL depth=2:emailAddress = admin at startcom.org, CN = Free SSL Certification Authority, OU = CA Authority Dep., O = StartCom Ltd., L = Eilat, ST = Israel, C = IL
10/15 09:33:39 xmppd    05979 (root    ) N-MBOX-Notice Doing a peer verification
10/15 09:33:39 xmppd    05979 (root    ) X-MBOX-Debug SSL depth=1:emailAddress = certmaster at jabber.org, CN = StartCom Class 1 Intermediate CA - Jabber Software Foundation, OU = Secure Certificate Signing, O = Jabber Software Foundation, ST = Colorado, C = US
10/15 09:33:39 xmppd    05979 (root    ) N-MBOX-Notice Doing a peer verification
10/15 09:33:39 xmppd    05979 (root    ) X-MBOX-Debug SSL depth=0:emailAddress = hostmaster at darkskies.za.net, CN = darkskies.za.net, OU = Domain validated only, O = Norman Rasmussen, L = Cape Town, ST = Western Cape, C = ZA
10/15 09:33:39 xmppd    05979 (root    ) I-MBOX-Info IP=::ffff:41.241.78.53 version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256/256 compression="(None)" certificate verified=YES
10/15 09:33:39 xmppd    05979 (root    ) N-MBOX-Notice TLS identity selected as darkskies.za.net (default)
10/15 09:33:41 xmppd    05979 (root    ) I-MBOX-Info new receiving connection to darkskies.za.net host darkflame.darkskies.za.net:5269
10/15 09:33:44 xmppd    05979 (root    ) N-MBOX-Notice Doing a peer verification
10/15 09:33:44 xmppd    05979 (root    ) X-MBOX-Debug SSL depth=2:emailAddress = admin at startcom.org, CN = Free SSL Certification Authority, OU = CA Authority Dep., O = StartCom Ltd., L = Eilat, ST = Israel, C = IL
10/15 09:33:44 xmppd    05979 (root    ) N-MBOX-Notice Doing a peer verification
10/15 09:33:44 xmppd    05979 (root    ) X-MBOX-Debug SSL depth=1:emailAddress = certmaster at jabber.org, CN = StartCom Class 1 Intermediate CA - Jabber Software Foundation, OU = Secure Certificate Signing, O = Jabber Software Foundation, ST = Colorado, C = US
10/15 09:33:44 xmppd    05979 (root    ) N-MBOX-Notice Doing a peer verification
10/15 09:33:44 xmppd    05979 (root    ) X-MBOX-Debug SSL depth=0:emailAddress = hostmaster at darkskies.za.net, CN = darkskies.za.net, OU = Domain validated only, O = Norman Rasmussen, L = Cape Town, ST = Western Cape, C = ZA
10/15 09:33:45 xmppd    05979 (root    ) I-MBOX-Info IP=2001:470:8:19c:2c0:4fff:fe43:b628 version=TLSv1/SSLv3 cipher=AES256-SHA bits=256/256 compression="(None)" certificate verified=YES
10/15 09:33:47 xmppd    05979 (root    ) I-MBOX-Info successful setup of a receiving db connection from dave.cridland.net to darkskies.za.net
10/15 09:33:47 xmppd    05979 (root    ) D-MBOX-Auth closed receiving s2s connection to domain darkskies.za.net [2001:470:8:19c:2c0:4fff:fe43:b628]
10/15 09:33:48 xmppd    05979 (root    ) I-MBOX-Info lookup initiating an orginating session from dave.cridland.net to darkskies.za.net
10/15 09:33:48 xmppd    05979 (root    ) I-MBOX-Info new originator connection to darkskies.za.net host darkflame.darkskies.za.net:5269
10/15 09:33:51 xmppd    05979 (root    ) N-MBOX-Notice Doing a peer verification
10/15 09:33:51 xmppd    05979 (root    ) X-MBOX-Debug SSL depth=2:emailAddress = admin at startcom.org, CN = Free SSL Certification Authority, OU = CA Authority Dep., O = StartCom Ltd., L = Eilat, ST = Israel, C = IL
10/15 09:33:51 xmppd    05979 (root    ) N-MBOX-Notice Doing a peer verification
10/15 09:33:51 xmppd    05979 (root    ) X-MBOX-Debug SSL depth=1:emailAddress = certmaster at jabber.org, CN = StartCom Class 1 Intermediate CA - Jabber Software Foundation, OU = Secure Certificate Signing, O = Jabber Software Foundation, ST = Colorado, C = US
10/15 09:33:51 xmppd    05979 (root    ) N-MBOX-Notice Doing a peer verification
10/15 09:33:51 xmppd    05979 (root    ) X-MBOX-Debug SSL depth=0:emailAddress = hostmaster at darkskies.za.net, CN = darkskies.za.net, OU = Domain validated only, O = Norman Rasmussen, L = Cape Town, ST = Western Cape, C = ZA
10/15 09:33:52 xmppd    05979 (root    ) I-MBOX-Info IP=2001:470:8:19c:2c0:4fff:fe43:b628 version=TLSv1/SSLv3 cipher=AES256-SHA bits=256/256 compression="(None)" certificate verified=YES
10/15 09:33:54 xmppd    05979 (root    ) I-MBOX-Info successful setup originating db connection from dave.cridland.net to darkskies.za.net
10/15 09:33:54 xmppd    05979 (root    ) N-MBOX-Notice Peer darkskies.za.net authenticates via TLS.

So we're both using dialback, which is to be expected, but I'm  
clearly verifying your certificate and successfully extracting an  
authorization identifier from it. My certificate seems valid to at  
least proxy.sapo.pt and amessage.de:

10/15 00:39:48 xmppd    05979 (root    ) I-MBOX-Info Successfully authenticated as dave.cridland.net to amessage.de

And jabber.org - sometimes - appears to use my offer of EXTERNAL:

10/15 00:46:47 xmppd    05979 (root    ) N-MBOX-Notice TLS identity selected as jabber.org (default)
10/15 00:46:47 xmppd    05979 (root    ) N-MBOX-Notice S2S TLS auth with explicit identity jabber.org

Does your server always do dialback, or does it sometimes do  
TLS-based authentication? Does it do it with jabber.org? Does anyone?  
Ever?

I know that TLS based authentication works fine between myself and at  
least one other Isode M-Link deployment with a valid certificate, but  
whilst I'd be happy with a solution of "deploy Isode M-Link  
everywhere", I'm not convinced that's a practical proposition. ;-)

> other than that, you could use my proxy-xmpp-tls script [1] to test
> connections to your server with openssl
> 
> [1] www.darkskies.za.net/~norman/scripts/proxy-xmpp-tls

Ta, I'll have a look.

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
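As an added illustration (not code from the thread or from M-Link) of the decision the logs above record, this Python script parses the peer-verification lines of an s2s session in the log shape shown in the mail, rebuilds the certificate chain by depth, and decides whether the peer could authenticate via TLS (verified chain whose leaf CN names the asserted domain) or must fall back to dialback. The sample log lines are constructed, abbreviated copies of those above; matching only the leaf CN is a simplification, since a real check would also consider dNSName and XmppAddr subjectAltNames.

```python
import re

# Constructed sample: peer-verification lines for one inbound s2s session,
# in the shape of the M-Link log above (timestamp/pid prefix omitted).
SAMPLE_LOG = """\
X-MBOX-Debug SSL depth=2:emailAddress = admin at startcom.org, CN = Free SSL Certification Authority, O = StartCom Ltd., C = IL
X-MBOX-Debug SSL depth=1:emailAddress = certmaster at jabber.org, CN = StartCom Class 1 Intermediate CA - Jabber Software Foundation, O = Jabber Software Foundation, C = US
X-MBOX-Debug SSL depth=0:emailAddress = hostmaster at darkskies.za.net, CN = darkskies.za.net, OU = Domain validated only, O = Norman Rasmussen, C = ZA
I-MBOX-Info IP=::ffff:41.241.78.53 version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256/256 compression="(None)" certificate verified=YES
"""

DN_RE = re.compile(r"SSL depth=(\d+):(.*)$")
VERIFIED_RE = re.compile(r"certificate verified=(YES|NO)")


def parse_dn(text):
    """Split 'CN = x, O = y' into a dict keyed by attribute type.
    Splitting on ', ' is enough for the DNs logged here; attribute values
    that themselves contain commas would need a real X.509 parser."""
    parts = {}
    for item in text.split(", "):
        key, _, value = item.partition(" = ")
        parts[key.strip()] = value.strip()
    return parts


def peer_identities(log_text):
    """Return (chain_by_depth, verified) for one session's log lines.
    depth 0 is the peer's own certificate, higher depths are the issuers."""
    chain, verified = {}, False
    for line in log_text.splitlines():
        m = DN_RE.search(line)
        if m:
            chain[int(m.group(1))] = parse_dn(m.group(2))
        m = VERIFIED_RE.search(line)
        if m:
            verified = m.group(1) == "YES"
    return chain, verified


def tls_authenticates(log_text, asserted_domain):
    """True when the peer may authenticate via TLS instead of dialback:
    the chain verified and the leaf CN equals the stream's asserted domain
    (case-insensitively). Anything else means fall back to dialback."""
    chain, verified = peer_identities(log_text)
    leaf = chain.get(0)
    if not verified or leaf is None:
        return False
    return leaf.get("CN", "").lower() == asserted_domain.lower()
```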

