[ejabberd] SSL/TLS with ICA

Peter Saint-Andre stpeter at jabber.org
Thu Dec 14 19:52:09 MSK 2006


Jaco Kroon (of TLUG in South Africa) and I have been looking into 
ejabberd's support for intermediate certification authorities, such 
as the one we just launched at https://www.xmpp.net/

Unfortunately, it seems that ejabberd does not correctly present the 
full certificate chain using the new intermediate CA. For example, 
run this command:

openssl s_client -connect jabber.org:5223

or

openssl s_client -connect jabber.org:5223 -CAfile /path/to/ca.crt

... where ca.crt is the StartCom root certificate:

http://cert.startcom.org/ca.crt

You will receive an error because ejabberd is not presenting the entire
certificate chain. SSL-aware Jabber clients will also show an error and 
refuse to connect.

Jaco is running ejabberd 1.1.2 and jabber.org is running 1.1.1; both
versions seem to display this behavior.

Philipp Hancke of the PSYC project told me that you can probably solve 
this problem by using SSL_CTX_use_certificate_chain_file instead of 
SSL_use_certificate_file when calling OpenSSL. YMMV.

Thanks!

Peter

-- 
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
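
The failure described in the message above, reproduced offline with a throwaway CA hierarchy. This is an added example, not part of the original post or of ejabberd; all certificate subjects and file names are constructed. It shows that a leaf certificate alone does not verify against the root, and that it does once the intermediate is supplied, as it would be from a chain file laid out the way SSL_CTX_use_certificate_chain_file reads it (server certificate first, then intermediates).

```shell
#!/bin/sh
# Constructed demo: throwaway root -> intermediate -> leaf (all names invented).
# Requires the openssl command-line tool; nothing here touches the network.

# Build the hierarchy in directory $1 and write chain.pem = leaf + intermediate,
# the order a chain file is read in: server certificate first, then CAs.
make_chain() {
  (
    cd "$1" || exit 1
    # Minimal config so the result does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > demo.cnf &&
    openssl req -x509 -config demo.cnf -extensions ca -newkey rsa:2048 -nodes \
      -keyout root.key -out root.pem -subj '/CN=Constructed Root CA' -days 2 &&
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
      -keyout inter.key -out inter.csr -subj '/CN=Constructed Intermediate CA' &&
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile demo.cnf -extensions ca -out inter.pem -days 2 &&
    openssl req -new -config demo.cnf -newkey rsa:2048 -nodes \
      -keyout leaf.key -out leaf.csr -subj '/CN=im.example.test' &&
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
      -out leaf.pem -days 2 &&
    cat leaf.pem inter.pem > chain.pem
  ) >/dev/null 2>&1
}

# Client view when the server sends only its own certificate.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

# Client view when the intermediate is sent along with the leaf.
verify_with_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
    "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

# Number of certificates in a PEM file (1 = no intermediates bundled).
chain_len() { grep -c 'BEGIN CERTIFICATE' "$1"; }

d=$(mktemp -d) && make_chain "$d" || exit 1
if verify_leaf_only "$d"; then echo "leaf only: OK"; else echo "leaf only: verification fails"; fi
if verify_with_chain "$d"; then echo "leaf + intermediate: OK"; else echo "leaf + intermediate: verification fails"; fi
echo "certificates in chain.pem: $(chain_len "$d/chain.pem")"
rm -rf "$d"
```

chain_len can be pointed at a server's own certificate file: a count of 1 means no intermediate is bundled with the server certificate.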
