[ejabberd] SSL/TLS with ICA

Jonathan Siegle jsiegle at psu.edu
Fri Dec 15 16:51:31 MSK 2006


Jonathan Siegle said the following on 12/14/06 3:39 PM:
> Albert Holm said the following on 12/14/06 12:11 PM:
>> Thursday 14 December 2006 17:52 skrev Peter Saint-Andre:
>>> Philipp Hancke of the PSYC project told me that you can probably solve
>>> this problem by using SSL_CTX_use_certificate_chain_file instead of
>>> SSL_use_certificate_file when calling OpenSSL.
>>
>> Apparently it is not quite as easy. It was attempted about 18 months 
>> ago and documented at <http://www.jabber.ru/bugzilla/show_bug.cgi?id=46>.
>>
> Oh geesh. Is that it? Well I'll get my linux box fired up and test this 
> patch. That second error they get implies someone is trying to talk to 
> an ssl port in plain text. Now reading my OpenSSL Oreilly book, the 
> author claims that you must have the entire chain in the file. This 
> doesn't seem right, but it could be from the way it was presented to me. 
> The server software must pass the whole chain except the root. So 
> perhaps openssl is just verifying a root exists or something.
> 

Notes:
I grabbed the latest SVN this morning. I applied the patch. I put the 
entire chain (root/ica/cert/key) into the certfile. I then ran the 
following command:


$ openssl s_client -CAfile usherchain -connect lexicon.aset.psu.edu:5223
CONNECTED(00000005)
depth=2 /C=US/O=US Higher Education Root/OU=CA1/CN=USHER CA1 v1
verify return:1
depth=1 /C=US/ST=Pennsylvania/L=University Park/O=The Pennsylvania State University/OU=Information Technology Services/CN=SASL-CA
verify return:1
depth=0 /CN=lexicon.aset.psu.edu
verify return:1
---
Certificate chain
  0 s:/CN=lexicon.aset.psu.edu
    i:/C=US/ST=Pennsylvania/L=University Park/O=The Pennsylvania State University/OU=Information Technology Services/CN=SASL-CA
  1 s:/C=US/ST=Pennsylvania/L=University Park/O=The Pennsylvania State University/OU=Information Technology Services/CN=SASL-CA
    i:/C=US/O=US Higher Education Root/OU=CA1/CN=USHER CA1 v1
  2 s:/C=US/O=US Higher Education Root/OU=CA1/CN=USHER CA1 v1
    i:/C=US/O=US Higher Education Root/OU=CA1/CN=USHER CA1 v1
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body elided]
-----END CERTIFICATE-----
subject=/CN=lexicon.aset.psu.edu
issuer=/C=US/ST=Pennsylvania/L=University Park/O=The Pennsylvania State University/OU=Information Technology Services/CN=SASL-CA
---
No client certificate CA names sent
---
SSL handshake has read 3435 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 1024 bit
SSL-Session:
     Protocol  : TLSv1
     Cipher    : AES256-SHA
     Session-ID: DFF7C6554FC96A49BA94A25A452479CD3B6D15A832CE95ADDA652F6B1001DE59
     Session-ID-ctx:
     Master-Key: 975C8E745721E446214C79D0230326C013AD38435A25F36D77916712B5DA9DF7DA010B3E13C917E1CB7D26CCABC773D9
     Key-Arg   : None
     Start Time: 1166190558
     Timeout   : 300 (sec)
     Verify return code: 0 (ok)
---


Is it ready for production? I don't know. I'm going to let it run for a 
week and try to do normal operations to it and see if I can get some errors.

-Jonathan
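The check Jonathan ran above can be reproduced offline. The following is an added example, not something posted in this thread or shipped with ejabberd: it builds a throwaway root -> intermediate (ICA) -> leaf chain with the openssl CLI (all names, such as "Example Root" and "xmpp.example.test", are made up), then uses `openssl verify` in the role of the client. `-CAfile` plays the part of the client's trust store (the "usherchain" file in the s_client run above) and `-untrusted` plays the part of whatever the server actually sends in its handshake. Sending only the leaf, which is what loading the certificate with SSL_use_certificate_file gives you, fails with "unable to get local issuer certificate"; sending the leaf followed by the ICA, which is what SSL_CTX_use_certificate_chain_file expects in the file, verifies cleanly. The root does not need to be sent, but including it is harmless, which matches Jonathan's "root/ica/cert/key" certfile.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "server must send the
# intermediate" behaviour without a running ejabberd. Requires the openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Generate root, ICA and leaf under $WORK. Names and keys are constructed
# for this example only.
make_chain() {
  cd "$WORK"
  # Extensions that mark a certificate as a CA; without CA:TRUE openssl
  # refuses to build a path through the intermediate.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

  # Root: self-signed.
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Root" \
    -keyout root.key -out root.csr >/dev/null 2>&1
  openssl x509 -req -sha256 -days 2 -in root.csr -signkey root.key \
    -extfile ca.ext -out root.crt >/dev/null 2>&1

  # Intermediate (ICA): signed by the root.
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example ICA" \
    -keyout ica.key -out ica.csr >/dev/null 2>&1
  openssl x509 -req -sha256 -days 2 -in ica.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out ica.crt >/dev/null 2>&1

  # Leaf (the server certificate): signed by the ICA, not by the root.
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=xmpp.example.test" \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  openssl x509 -req -sha256 -days 2 -in leaf.csr -CA ica.crt -CAkey ica.key \
    -CAcreateserial -out leaf.crt >/dev/null 2>&1

  # The file layout SSL_CTX_use_certificate_chain_file expects: the server's
  # own certificate first, then its issuers in order.
  cat leaf.crt ica.crt > chain.crt
}

# Client-side verification. $1 is the file the "server" sent (leaf only, or
# the chain). The client trusts only root.crt. Prints openssl's verdict and
# returns 0 when a path to the root was found, 1 otherwise. The verdict text
# is checked rather than the exit status because old openssl releases exited
# 0 even on verification failure.
verify_as_client() {
  cd "$WORK"
  out=$(openssl verify -CAfile root.crt -untrusted "$1" leaf.crt 2>&1) || true
  printf '%s\n' "$out"
  case "$out" in
    *": OK"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Run stand-alone: first case fails, second succeeds.
if [ "${RUN_DEMO:-1}" = 1 ] && [ -z "${SOURCED:-}" ]; then
  make_chain
  echo "--- server sends leaf only (SSL_use_certificate_file style)"
  verify_as_client "$WORK/leaf.crt" || echo "client rejects: missing intermediate"
  echo "--- server sends leaf + ICA (SSL_CTX_use_certificate_chain_file style)"
  verify_as_client "$WORK/chain.crt" && echo "client accepts"
fi
```

Against a live server the equivalent check is the one in the thread: `openssl s_client -CAfile <trusted roots> -connect host:5223` and look for `Verify return code: 0 (ok)`; anything like error 20 or 21 at depth 0 means the intermediate was not sent, regardless of how many certificates sit in the server's file.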
