[Operators] TLS, certificates, heartache, and pain.

Dave Cridland dave at cridland.net
Wed Oct 15 05:32:51 CDT 2008

On Wed Oct 15 11:01:28 2008, Norman Rasmussen wrote:
> On Wed, Oct 15, 2008 at 11:25 AM, Dave Cridland <dave at cridland.net> wrote:
> > Does your server always do dialback, or does it sometimes do TLS-based
> > authentication? Does it do it with jabber.org? Does anyone? Ever?
> >
> I think so, there's a bug with the version of jabberd2 that I'm running, that
> it never offers a client cert, so currently it _has_ to dialback.

Are you sure?

You're offering *me* a client cert, certainly, and I'm signalling it's good.

From my telemetry logging:

(9:33:36) Recv (51)
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>

(9:33:36) Send (50)
<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>

(9:33:39) Recv (201)
<?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:server' to='dave.cridland.net' from='darkskies.za.net' version='1.0'

(9:33:39) Send (493)
<?xml version='1.0'?><stream:stream xmlns='jabber:server' xmlns:stream='http://etherx.jabber.org/streams' to='darkskies.za.net' from='dave.cridland.net' id='af4be607150d2781'

Note that I'm offering EXTERNAL. You then give me a <db:result/>, so it looks like jabberd2 is simply being weird. Presumably it can't verify my certificate, although why it then chooses to authenticate itself in a different way I've no idea, since that makes no sense to me. :-)

In the logging, I see an xmpp.net certificate, supplied on your initial connection, from which I select darkskies.za.net as a candidate default.

Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
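The exchange Dave describes (STARTTLS, stream restart, the receiving server offering SASL EXTERNAL, and the peer answering with `<db:result/>` instead) is exactly the kind of thing an operator wants to spot automatically across many s2s sessions. The following is an added example, not code from the post or from any of the servers discussed: a small analyser for the two-line "(time) Recv/Send (n)" telemetry format shown above. The `<stream:features/>`, `<auth/>` and `<db:result/>` stanzas in the samples are constructed for illustration; the stream headers are taken from the post and closed so they parse as complete lines.

```python
import re

# Constructed sample in the shape of the post's telemetry: a header line
# "(time) Recv|Send (bytes)" followed by the stanza on the next line.
# The features, auth and db:result stanzas are assumed, not from the log.
SAMPLE_DIALBACK = """(9:33:36) Recv (51)
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(9:33:36) Send (50)
<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(9:33:39) Recv (201)
<?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:server' to='dave.cridland.net' from='darkskies.za.net' version='1.0'>
(9:33:39) Send (493)
<?xml version='1.0'?><stream:stream xmlns='jabber:server' xmlns:stream='http://etherx.jabber.org/streams' to='darkskies.za.net' from='dave.cridland.net' id='af4be607150d2781' version='1.0'>
(9:33:39) Send (180)
<stream:features xmlns:stream='http://etherx.jabber.org/streams'><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>EXTERNAL</mechanism></mechanisms></stream:features>
(9:33:40) Recv (120)
<db:result xmlns:db='jabber:server:dialback' to='dave.cridland.net' from='darkskies.za.net'>constructed-dialback-key</db:result>
"""

# Same session, but the peer takes the EXTERNAL offer (constructed).
SAMPLE_EXTERNAL = SAMPLE_DIALBACK.rsplit("(9:33:40)", 1)[0] + """(9:33:40) Recv (80)
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='EXTERNAL'>=</auth>
"""

HEADER_RE = re.compile(r"^\((\d+:\d+:\d+)\) (Recv|Send) \((\d+)\)$")
TAG_RE = re.compile(r"<([A-Za-z][\w:.-]*)")


def parse_telemetry(text):
    """Return (time, direction, stanza) tuples from the two-line log format."""
    lines = text.splitlines()
    events = []
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        if m and i + 1 < len(lines):
            events.append((m.group(1), m.group(2), lines[i + 1]))
            i += 2
        else:
            i += 1
    return events


def first_tag(stanza):
    """Name of the outermost element, skipping an XML declaration if present."""
    if stanza.startswith("<?xml"):
        stanza = stanza[stanza.index("?>") + 2:]
    m = TAG_RE.match(stanza)
    return m.group(1) if m else None


def classify_s2s_auth(text):
    """Walk one inbound s2s session and report how the peer authenticated.

    Directions are from the local (receiving) server's point of view, as in
    the post: we Send <proceed/> and <stream:features/>, the peer Recv's
    its stream header and then either <auth mechanism='EXTERNAL'/> or
    <db:result/>.
    """
    state = {"tls": False, "external_offered": False,
             "peer_auth": None, "peer_domain": None}
    for _time, direction, stanza in parse_telemetry(text):
        tag = first_tag(stanza)
        if tag == "proceed":
            state["tls"] = True
        elif tag == "stream:stream" and direction == "Recv":
            m = re.search(r"from='([^']+)'", stanza)
            if m:
                state["peer_domain"] = m.group(1)
        elif tag == "stream:features" and direction == "Send":
            if "<mechanism>EXTERNAL</mechanism>" in stanza:
                state["external_offered"] = True
        elif tag == "auth" and direction == "Recv" and "EXTERNAL" in stanza:
            state["peer_auth"] = "sasl-external"
        elif tag == "db:result" and direction == "Recv":
            state["peer_auth"] = "dialback"

    if not state["tls"]:
        verdict = "no TLS established"
    elif state["peer_auth"] == "sasl-external":
        verdict = "peer authenticated with SASL EXTERNAL over TLS"
    elif state["peer_auth"] == "dialback" and state["external_offered"]:
        verdict = "peer fell back to dialback although EXTERNAL was offered after TLS"
    elif state["peer_auth"] == "dialback":
        verdict = "peer used dialback (EXTERNAL was not offered)"
    else:
        verdict = "no peer authentication seen"
    state["verdict"] = verdict
    return state


if __name__ == "__main__":
    for name, sample in (("dialback", SAMPLE_DIALBACK), ("external", SAMPLE_EXTERNAL)):
        r = classify_s2s_auth(sample)
        print(f"{name}: {r['peer_domain']}: {r['verdict']}")
```

Run over a batch of session logs, the "fell back to dialback although EXTERNAL was offered" verdict is the one worth alerting on: it means the peer presented a certificate the local side accepted but still chose the weaker DNS-based authentication, which is precisely the jabberd2 behaviour the post is puzzling over.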
