[ejabberd] Re: SSL/TLS with ICA

Jonathan Siegle jsiegle at psu.edu
Wed Dec 20 15:03:37 MSK 2006


Jaco Kroon wrote:
> Hi,
> 

> 
> So presuming the only certificate in the file usherchain was the root CA
> file, then the given s_client session in the previous post is correct.  The
> patch looks good, except I'd recommend also updating the error message
> just beneath the changed line to reflect the function call change.
> 

Hi Jaco,
	For completeness I should have displayed that file. Yes, it only has the 
root.

> $ cat usherchain
> -----BEGIN CERTIFICATE-----
> MIIEPzCCAyegAwIBAgIBATANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzEh
> MB8GA1UEChMYVVMgSGlnaGVyIEVkdWNhdGlvbiBSb290MQwwCgYDVQQLEwNDQTEx
> FTATBgNVBAMTDFVTSEVSIENBMSB2MTAeFw0wNjA0MTkxNzUwMzJaFw0yNjA0MTkx
> NzUwMzJaMFUxCzAJBgNVBAYTAlVTMSEwHwYDVQQKExhVUyBIaWdoZXIgRWR1Y2F0
> aW9uIFJvb3QxDDAKBgNVBAsTA0NBMTEVMBMGA1UEAxMMVVNIRVIgQ0ExIHYxMIIB
> IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuyiTe98iSAaXIK5Rk8CBP57g
> 8f1fwg8tnVSrLVLrqWEJIQ/vLpSWwfUf0XM7ziH6rWWyraC3b6tnfwx4Rx+jwbNp
> f5CcV/r3QNYuDSx462wVYfUDsnxmLBJFJEGgeEXPNxfR6p7B4WElvv1lrPvVQdy+
> 17vDY6y8fTqbzt2/VM+DP1NgXXzHirP2zMOuhz1Y8+rgXBv6juDtd+BA+xg8Z/Mv
> vvo7GSxXG6lJTS9YVfsJaI2MgXHYbA9rUyAf9k7r56+fQYXHE26nYHDn/0ZufxXz
> oiXgVvfL78nrMYGqW18z+MHaGMfHsex+k3on85ID39rq+xBMsirtK5zR4UnoTQID
> AQABo4IBGDCCARQwHQYDVR0OBBYEFCadIurssA9rIQr22S8gymVQ7BvTMH0GA1Ud
> IwR2MHSAFCadIurssA9rIQr22S8gymVQ7BvToVmkVzBVMQswCQYDVQQGEwJVUzEh
> MB8GA1UEChMYVVMgSGlnaGVyIEVkdWNhdGlvbiBSb290MQwwCgYDVQQLEwNDQTEx
> FTATBgNVBAMTDFVTSEVSIENBMSB2MYIBATAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud
> DwEB/wQEAwIBBjBTBgNVHSAETDBKMEgGCisGAQQBgcEWAgIwOjA4BggrBgEFBQcC
> ARYsaHR0cDovL3d3dy51c2hlcmNhLm9yZy9wcmFjdGljZXMvY2ExL2Nwcy5wZGYw
> DQYJKoZIhvcNAQEFBQADggEBAGd3CA4UTBa9oC+0ryQRK3wDeA5g10mMwzK8Fcyh
> XXmD4mnZh84fwusGeWqMQZ/JWlvJ3rf9v4yKsYaSM+AKf6aRDR4A4AarDzNUGjMq
> 3vY6Kc1Dup/UcWAokJweQllUfExjw7utM08czZqzdEqi/XMcLQcU1AjrdYm6pmWV
> pUKfKNgicX3Gy51skz8v11JGWtSONAkqZeuqDlPAZVTXCOqi1qUk4eK4DE3f8L+y
> GPEdqCGFwCfdB1Hc5aoSSB5t5UHb2LyEE6yBrcjKUUkuDEUfHup4QnV4X9shrPs5
> 8uS6y+JwlVwsGPw6vvAgiwMDQRAuyk43GoQUK1dwuciYmgk=
> -----END CERTIFICATE-----
> It should be noted that use_certificate_chain_file _REQUIRES_ that the
> file be in PEM format (The way in which ejabberd was using it already made
> this assumption so this won't be a problem), it is also possible to encode
> the entire chain using DER format, however I'm not sure how one would go
> about loading that into OpenSSL (I suspect one may need to use
> use_certificate_file again - the DER encoding indicates whether a single
> certificate is contained or whether there are multiple certificates).
> 

What struck me as odd was that in the O'Reilly OpenSSL book it says that 
you must have the entire chain in the file you pass to 
use_certificate_chain_file. It must do something to validate the chain 
and then not send the root.

> Just applied to tlug.up.ac.za and the patch does indeed function
> correctly, by simply appending the intermediate certificate to the file
> the entire chain is properly passed to the client.
> 

Good! Maybe I can roll this out on jabber.org soon.


> Jaco
> _______________________________________________
> ejabberd mailing list
> ejabberd at jabber.ru
> http://lists.jabber.ru/mailman/listinfo/ejabberd
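The procedure the thread converges on (a PEM file with the server certificate first and the intermediate appended, root omitted, checked from the client side with s_client -showcerts) as an added worked example. This is editor-supplied shell, not code from the thread, from ejabberd or from OpenSSL's own test suite. It builds a throwaway root -> intermediate -> leaf PKI with the openssl CLI; the subject names, the xmpp.example.org hostname, the scratch directory and the port 14433 are assumptions made for the example. Because s_server's -cert option reads only the first certificate of a file, the probe passes the intermediate via -cert_chain to reproduce what SSL_CTX_use_certificate_chain_file() does for ejabberd. The DER helper covers the point raised above: use_certificate_chain_file reads PEM only, so DER certificates are converted one at a time and concatenated in order.

```shell
#!/bin/sh
# Added example (not from the thread, ejabberd or OpenSSL): build a throwaway
# root -> intermediate -> leaf PKI, assemble the PEM chain file that
# SSL_CTX_use_certificate_chain_file() expects (leaf first, intermediate next,
# root left out), and check it the way a deployer would before shipping it.
# Directory, names, CN values and port are assumptions made for this example.
set -eu

WORK=${WORK:-$(mktemp -d)}
PORT=${PORT:-14433}

# issue NAME CN SIGNER EXTFILE: create a key and CSR for NAME and sign it
# with SIGNER, or self-sign when SIGNER is empty (the root).
issue() {
    name=$1 cn=$2 signer=$3 ext=$4
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    if [ -z "$signer" ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 2 -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$signer.pem" \
            -CAkey "$WORK/$signer.key" -CAcreateserial -days 2 \
            -extfile "$ext" -out "$WORK/$name.pem" 2>/dev/null
    fi
}

# build_pki: root and intermediate get CA:TRUE; the leaf is a plain server cert.
build_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:xmpp.example.org\n' \
        > "$WORK/leaf.ext"
    issue root "Example Root CA" "" "$WORK/ca.ext"
    issue int  "Example Intermediate CA" root "$WORK/ca.ext"
    issue leaf "xmpp.example.org" int "$WORK/leaf.ext"
    # The fix from the thread: append the intermediate to the server cert file.
    # The root stays out; clients must already trust it or the chain is useless.
    cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/chain.pem"
}

# cert_count FILE: number of PEM certificates in FILE (2 for leaf+intermediate).
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# chain_subjects FILE: subject of every certificate in file order. The first
# one must be the end-entity cert; OpenSSL treats it as the server certificate.
chain_subjects() {
    awk -v dir="$WORK" '/-----BEGIN CERTIFICATE-----/{n++} { if (n) print > (dir "/part" n ".pem") }' "$1"
    for f in "$WORK"/part*.pem; do
        openssl x509 -noout -subject -nameopt RFC2253 -in "$f"
    done
    rm -f "$WORK"/part*.pem
}

# chain_verifies FILE ROOT: can a path be built from the first certificate in
# FILE to ROOT, using the rest of FILE as untrusted intermediates (as a client
# would use what the server sends)?
chain_verifies() {
    openssl x509 -in "$1" | openssl verify -CAfile "$2" -untrusted "$1" >/dev/null 2>&1
}

# pem_chain_from_der OUT DER...: use_certificate_chain_file() reads PEM only,
# so DER certificates are converted one by one and written in the given order.
pem_chain_from_der() {
    out=$1; shift
    : > "$out"
    for d in "$@"; do
        openssl x509 -inform DER -in "$d" >> "$out"
    done
}

# served_cert_count: serve the leaf with the intermediate as chain and count
# the certificates a client actually receives, as the thread did with
# s_client -showcerts. s_server's -cert reads only the first certificate of a
# file, hence -cert_chain here (assumption about the CLI, stated in the lead-in).
served_cert_count() {
    openssl s_server -accept "$PORT" -cert "$WORK/leaf.pem" -key "$WORK/leaf.key" \
        -cert_chain "$WORK/int.pem" -www >/dev/null 2>&1 &
    pid=$!
    out=""
    for try in 1 2 3 4 5; do
        sleep 1
        out=$(openssl s_client -connect "127.0.0.1:$PORT" -showcerts \
              -CAfile "$WORK/root.pem" </dev/null 2>/dev/null || true)
        [ -n "$out" ] && break
    done
    kill "$pid" 2>/dev/null || true
    printf '%s\n' "$out" | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

build_pki
echo "certificates in chain.pem: $(cert_count "$WORK/chain.pem")"
chain_subjects "$WORK/chain.pem"
chain_verifies "$WORK/chain.pem" "$WORK/root.pem" && echo "chain builds to root: OK"
# Same chain assembled from DER input, converted to PEM on the way.
openssl x509 -in "$WORK/leaf.pem" -outform DER -out "$WORK/leaf.der"
openssl x509 -in "$WORK/int.pem"  -outform DER -out "$WORK/int.der"
pem_chain_from_der "$WORK/chain_from_der.pem" "$WORK/leaf.der" "$WORK/int.der"
echo "certificates in chain built from DER: $(cert_count "$WORK/chain_from_der.pem")"
echo "certificates served to s_client: $(served_cert_count)"
```

Run it with a writable scratch directory (WORK defaults to a mktemp directory that is not removed, so the generated files can be inspected afterwards). The two offline checks are the ones worth keeping in a deployment checklist: the first subject printed must be the server's own, and the verify step must succeed with only the root in -CAfile, since that is exactly the position a remote client is in.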
