[Operators] TLS, certificates, heartache, and pain.
Dave Cridland
dave at cridland.net
Wed Oct 15 04:25:31 CDT 2008
On Wed Oct 15 09:51:06 2008, Norman Rasmussen wrote:
> On Wed, Oct 15, 2008 at 1:41 AM, Dave Cridland <dave at cridland.net>
> wrote:
>
> > Anyone got any idea why this is behaving so weirdly? Does anyone
> have
> > logging they could use?
> > Any ideas, or even better logging data, gratefully received.
>
>
> BTW: It seems like your server isn't accepting incoming IPv6
> connections
> (but happily makes outgoing ones).
>
>
Ah... Does from here, thanks, I'll take a look. Given it's making
outgoing connections, I'm guessing I've inadvertently firewalled
something.
Trading logs (and mine are, I admit, seriously verbose):
10/15 09:33:35 xmppd 05979 (root ) I-MBOX-Info new connection from ::ffff:41.241.78.53
10/15 09:33:37 xmppd 05979 (root ) D-MBOX-Auth closed authoritative s2s connection to domain NA [::ffff:88.191.13.175]
10/15 09:33:39 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:39 xmppd 05979 (root ) X-MBOX-Debug Suppressing unsupported purpose error.
10/15 09:33:39 xmppd 05979 (root ) X-MBOX-Debug SSL depth=0:emailAddress = hostmaster at darkskies.za.net, CN = darkskies.za.net, OU = Domain validated only, O = Norman Rasmussen, L = Cape Town, ST = Western Cape, C = ZA
10/15 09:33:39 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:39 xmppd 05979 (root ) X-MBOX-Debug Suppressing unsupported purpose error.
10/15 09:33:39 xmppd 05979 (root ) X-MBOX-Debug SSL depth=0:emailAddress = hostmaster at darkskies.za.net, CN = darkskies.za.net, OU = Domain validated only, O = Norman Rasmussen, L = Cape Town, ST = Western Cape, C = ZA
10/15 09:33:39 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:39 xmppd 05979 (root ) X-MBOX-Debug SSL depth=2:emailAddress = admin at startcom.org, CN = Free SSL Certification Authority, OU = CA Authority Dep., O = StartCom Ltd., L = Eilat, ST = Israel, C = IL
10/15 09:33:39 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:39 xmppd 05979 (root ) X-MBOX-Debug SSL depth=1:emailAddress = certmaster at jabber.org, CN = StartCom Class 1 Intermediate CA - Jabber Software Foundation, OU = Secure Certificate Signing, O = Jabber Software Foundation, ST = Colorado, C = US
10/15 09:33:39 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:39 xmppd 05979 (root ) X-MBOX-Debug SSL depth=0:emailAddress = hostmaster at darkskies.za.net, CN = darkskies.za.net, OU = Domain validated only, O = Norman Rasmussen, L = Cape Town, ST = Western Cape, C = ZA
10/15 09:33:39 xmppd 05979 (root ) I-MBOX-Info IP=::ffff:41.241.78.53 version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256/256 compression="(None)" certificate verified=YES
10/15 09:33:39 xmppd 05979 (root ) N-MBOX-Notice TLS identity selected as darkskies.za.net (default)
10/15 09:33:41 xmppd 05979 (root ) I-MBOX-Info new receiving connection to darkskies.za.net host darkflame.darkskies.za.net:5269
10/15 09:33:44 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:44 xmppd 05979 (root ) X-MBOX-Debug SSL depth=2:emailAddress = admin at startcom.org, CN = Free SSL Certification Authority, OU = CA Authority Dep., O = StartCom Ltd., L = Eilat, ST = Israel, C = IL
10/15 09:33:44 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:44 xmppd 05979 (root ) X-MBOX-Debug SSL depth=1:emailAddress = certmaster at jabber.org, CN = StartCom Class 1 Intermediate CA - Jabber Software Foundation, OU = Secure Certificate Signing, O = Jabber Software Foundation, ST = Colorado, C = US
10/15 09:33:44 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:44 xmppd 05979 (root ) X-MBOX-Debug SSL depth=0:emailAddress = hostmaster at darkskies.za.net, CN = darkskies.za.net, OU = Domain validated only, O = Norman Rasmussen, L = Cape Town, ST = Western Cape, C = ZA
10/15 09:33:45 xmppd 05979 (root ) I-MBOX-Info IP=2001:470:8:19c:2c0:4fff:fe43:b628 version=TLSv1/SSLv3 cipher=AES256-SHA bits=256/256 compression="(None)" certificate verified=YES
10/15 09:33:47 xmppd 05979 (root ) I-MBOX-Info successful setup of a receiving db connection from dave.cridland.net to darkskies.za.net
10/15 09:33:47 xmppd 05979 (root ) D-MBOX-Auth closed receiving s2s connection to domain darkskies.za.net [2001:470:8:19c:2c0:4fff:fe43:b628]
10/15 09:33:48 xmppd 05979 (root ) I-MBOX-Info lookup initiating an orginating session from dave.cridland.net to darkskies.za.net
10/15 09:33:48 xmppd 05979 (root ) I-MBOX-Info new originator connection to darkskies.za.net host darkflame.darkskies.za.net:5269
10/15 09:33:51 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:51 xmppd 05979 (root ) X-MBOX-Debug SSL depth=2:emailAddress = admin at startcom.org, CN = Free SSL Certification Authority, OU = CA Authority Dep., O = StartCom Ltd., L = Eilat, ST = Israel, C = IL
10/15 09:33:51 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:51 xmppd 05979 (root ) X-MBOX-Debug SSL depth=1:emailAddress = certmaster at jabber.org, CN = StartCom Class 1 Intermediate CA - Jabber Software Foundation, OU = Secure Certificate Signing, O = Jabber Software Foundation, ST = Colorado, C = US
10/15 09:33:51 xmppd 05979 (root ) N-MBOX-Notice Doing a peer verification
10/15 09:33:51 xmppd 05979 (root ) X-MBOX-Debug SSL depth=0:emailAddress = hostmaster at darkskies.za.net, CN = darkskies.za.net, OU = Domain validated only, O = Norman Rasmussen, L = Cape Town, ST = Western Cape, C = ZA
10/15 09:33:52 xmppd 05979 (root ) I-MBOX-Info IP=2001:470:8:19c:2c0:4fff:fe43:b628 version=TLSv1/SSLv3 cipher=AES256-SHA bits=256/256 compression="(None)" certificate verified=YES
10/15 09:33:54 xmppd 05979 (root ) I-MBOX-Info successful setup originating db connection from dave.cridland.net to darkskies.za.net
10/15 09:33:54 xmppd 05979 (root ) N-MBOX-Notice Peer darkskies.za.net authenticates via TLS.
So we're both using dialback, which is to be expected, but I'm
clearly verifying your certificate and successfully extracting an
authorization identifier from it. My certificate seems valid to at
least proxy.sapo.pt and amessage.de:
10/15 00:39:48 xmppd 05979 (root ) I-MBOX-Info Successfully authenticated as dave.cridland.net to amessage.de
And jabber.org - sometimes - appears to use my offer of EXTERNAL:
10/15 00:46:47 xmppd 05979 (root ) N-MBOX-Notice TLS identity selected as jabber.org (default)
10/15 00:46:47 xmppd 05979 (root ) N-MBOX-Notice S2S TLS auth with explicit identity jabber.org
Does your server always do dialback, or does it sometimes do
TLS-based authentication? Does it do it with jabber.org? Does anyone?
Ever?
I know that TLS based authentication works fine between myself and at
least one other Isode M-Link deployment with a valid certificate, but
whilst I'd be happy with a solution of "deploy Isode M-Link
everywhere", I'm not convinced that's a practical proposition. ;-)
> other than that, you could use my proxy-xmpp-tls script [1] to test
> connections to your server with openssl
>
> [1] www.darkskies.za.net/~norman/scripts/proxy-xmpp-tls
Ta, I'll have a look.
Dave.
--
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
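The question Dave is chasing (did the peer end up on dialback or on certificate-based TLS auth, and what did its certificate chain look like?) is easier to answer from a verbose log like the one above with a small parser than by eye. The Python below is an added example, not code from this message, from Isode M-Link or from any XMPP server: it reads xmppd-style log lines, groups the per-depth verify-callback lines into a chain per handshake, records the cipher and "certificate verified" result, and attaches the authentication events that followed (dialback setup versus "authenticates via TLS" / "S2S TLS auth" / "Successfully authenticated as"). The event strings are copied from the excerpts in this message; the regexes, the Handshake record, the name check and the SAMPLE_LOG (an abridged copy of the darkskies.za.net exchange above, with DN fields trimmed) are this example's own assumptions.

```python
"""Added example: parse xmppd s2s log lines and summarise each TLS handshake
(peer leaf CN, CA chain, verify result, authentication events that followed).
Event strings are copied from the message; the regexes, the Handshake record
and the name check are this example's own assumptions, not xmppd's code."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Every line starts "<mm/dd> <hh:mm:ss> xmppd <pid> (<user> ) <L>-MBOX-<Kind> ".
PREFIX = r"^\S+\s+\S+\s+xmppd\s+\d+\s+\(\S+\s*\)\s+[A-Z]-MBOX-\w+\s+"
RE_NEW = re.compile(PREFIX + r"new (connection from|receiving connection to|"
                    r"originator connection to) (\S+)")
RE_DEPTH = re.compile(PREFIX + r"SSL depth=(\d+):(.*)$")  # one per verify callback
RE_TLS = re.compile(PREFIX + r"IP=(\S+) version=(\S+) cipher=(\S+) bits=\S+ "
                    r'compression="[^"]*" certificate verified=(\S+)$')
# Authentication outcomes logged after a handshake: dialback or TLS-based auth.
AUTH_EVENTS = [
    (re.compile(PREFIX + r"successful setup (?:of a )?(?:receiving|originating) "
                r"db connection from \S+ to \S+$"), "dialback"),
    (re.compile(PREFIX + r"Peer \S+ authenticates via TLS\.$"), "tls"),
    (re.compile(PREFIX + r"S2S TLS auth with explicit identity \S+$"), "tls"),
    (re.compile(PREFIX + r"Successfully authenticated as \S+ to \S+$"), "tls"),
]
RE_CN = re.compile(r"\bCN = ([^,]+)")


@dataclass
class Handshake:
    direction: str                 # "inbound", "receiving" or "originator"
    expected_peer: Optional[str]   # XMPP domain we dialled (outbound only)
    ip: str
    version: str
    cipher: str
    verified: bool
    chain: Dict[int, str]          # depth -> subject DN as logged
    depth_sequence: List[int]      # order in which the verify callback fired
    auth: List[str] = field(default_factory=list)

    def cn_at(self, depth: int) -> Optional[str]:
        m = RE_CN.search(self.chain.get(depth, ""))
        return m.group(1).strip() if m else None

    def leaf_cn(self) -> Optional[str]:
        return self.cn_at(0)

    def root_cn(self) -> Optional[str]:
        return self.cn_at(max(self.chain)) if self.chain else None

    def name_matches(self) -> Optional[bool]:
        # The certificate must name the XMPP domain we dialled (darkskies.za.net),
        # not the SRV target host (darkflame.darkskies.za.net) the TCP went to.
        # None for inbound connections: the peer domain is unknown until auth.
        if self.expected_peer is None:
            return None
        return self.leaf_cn() == self.expected_peer


def parse_xmppd_log(text: str) -> List[Handshake]:
    out: List[Handshake] = []
    chain: Dict[int, str] = {}
    seq: List[int] = []
    direction, peer = "inbound", None
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_NEW.match(line):
            kind, target = m.groups()
            direction = {"connection from": "inbound",
                         "receiving connection to": "receiving",
                         "originator connection to": "originator"}[kind]
            peer = None if direction == "inbound" else target
        elif m := RE_DEPTH.match(line):
            chain[int(m.group(1))] = m.group(2).strip()
            seq.append(int(m.group(1)))
        elif m := RE_TLS.match(line):
            ip, ver, cipher, verified = m.groups()
            out.append(Handshake(direction, peer, ip, ver, cipher,
                                 verified == "YES", chain, seq))
            chain, seq = {}, []      # the next handshake starts a fresh chain
        elif out:
            for rx, label in AUTH_EVENTS:
                if rx.match(line):
                    out[-1].auth.append(label)
                    break
    return out


# Abridged copy of the darkskies.za.net exchange quoted in the message
# (DN fields trimmed; one inbound handshake, one originator handshake).
SAMPLE_LOG = """\
10/15 09:33:35 xmppd 05979 (root ) I-MBOX-Info new connection from ::ffff:41.241.78.53
10/15 09:33:39 xmppd 05979 (root ) X-MBOX-Debug Suppressing unsupported purpose error.
10/15 09:33:39 xmppd 05979 (root ) X-MBOX-Debug SSL depth=0:emailAddress = hostmaster at darkskies.za.net, CN = darkskies.za.net, O = Norman Rasmussen, C = ZA
10/15 09:33:39 xmppd 05979 (root ) X-MBOX-Debug SSL depth=2:emailAddress = admin at startcom.org, CN = Free SSL Certification Authority, O = StartCom Ltd., C = IL
10/15 09:33:39 xmppd 05979 (root ) X-MBOX-Debug SSL depth=1:emailAddress = certmaster at jabber.org, CN = StartCom Class 1 Intermediate CA - Jabber Software Foundation, C = US
10/15 09:33:39 xmppd 05979 (root ) X-MBOX-Debug SSL depth=0:emailAddress = hostmaster at darkskies.za.net, CN = darkskies.za.net, O = Norman Rasmussen, C = ZA
10/15 09:33:39 xmppd 05979 (root ) I-MBOX-Info IP=::ffff:41.241.78.53 version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256/256 compression="(None)" certificate verified=YES
10/15 09:33:48 xmppd 05979 (root ) I-MBOX-Info new originator connection to darkskies.za.net host darkflame.darkskies.za.net:5269
10/15 09:33:51 xmppd 05979 (root ) X-MBOX-Debug SSL depth=2:emailAddress = admin at startcom.org, CN = Free SSL Certification Authority, O = StartCom Ltd., C = IL
10/15 09:33:51 xmppd 05979 (root ) X-MBOX-Debug SSL depth=1:emailAddress = certmaster at jabber.org, CN = StartCom Class 1 Intermediate CA - Jabber Software Foundation, C = US
10/15 09:33:51 xmppd 05979 (root ) X-MBOX-Debug SSL depth=0:emailAddress = hostmaster at darkskies.za.net, CN = darkskies.za.net, O = Norman Rasmussen, C = ZA
10/15 09:33:52 xmppd 05979 (root ) I-MBOX-Info IP=2001:470:8:19c:2c0:4fff:fe43:b628 version=TLSv1/SSLv3 cipher=AES256-SHA bits=256/256 compression="(None)" certificate verified=YES
10/15 09:33:54 xmppd 05979 (root ) I-MBOX-Info successful setup originating db connection from dave.cridland.net to darkskies.za.net
10/15 09:33:54 xmppd 05979 (root ) N-MBOX-Notice Peer darkskies.za.net authenticates via TLS.
"""

if __name__ == "__main__":
    for h in parse_xmppd_log(SAMPLE_LOG):
        print(f"{h.direction:10} {h.ip:32} {h.cipher:20} verified={h.verified} "
              f"leaf={h.leaf_cn()} root={h.root_cn()} name_ok={h.name_matches()} "
              f"callbacks={h.depth_sequence} auth={h.auth}")
```

Two things worth noting when reading the output. First, `depth_sequence` for the inbound handshake comes out as `[0, 2, 1, 0]`: the verify callback fired for the leaf before walking the chain, which is the same oddity visible in the raw log next to the "Suppressing unsupported purpose error" lines, and a parser makes such shapes easy to spot across many sessions. Second, the example checks only the subject CN because that is all the log prints; RFC 3920 has a server check the certificate's subjectAltName entries (dNSName and the XMPP-specific id-on-xmppAddr) against the peer's XMPP domain first, so a CN-only check is a log-reading heuristic, not a substitute for the server's own validation.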