[ejabberd] Re: SSL/TLS with ICA

Jonathan Siegle jsiegle at psu.edu
Wed Dec 20 15:03:37 MSK 2006

Jaco Kroon wrote:
> Hi,

> So permitting the only certificate in the file usherchain was the root CA
> file then the given s_client session in the previous post is correct.  The
> patch looks good, except I'd recommend to also update the error message
> just beneath the changed line to also reflect the function call change.

Hi Jaco,
	For completeness I should have displayed that file. Yes it only has the 

> $ cat usherchain
> 8f1fwg8tnVSrLVLrqWEJIQ/vLpSWwfUf0XM7ziH6rWWyraC3b6tnfwx4Rx+jwbNp
> f5CcV/r3QNYuDSx462wVYfUDsnxmLBJFJEGgeEXPNxfR6p7B4WElvv1lrPvVQdy+
> 17vDY6y8fTqbzt2/VM+DP1NgXXzHirP2zMOuhz1Y8+rgXBv6juDtd+BA+xg8Z/Mv
> vvo7GSxXG6lJTS9YVfsJaI2MgXHYbA9rUyAf9k7r56+fQYXHE26nYHDn/0ZufxXz
> oiXgVvfL78nrMYGqW18z+MHaGMfHsex+k3on85ID39rq+xBMsirtK5zR4UnoTQID
> ARYsaHR0cDovL3d3dy51c2hlcmNhLm9yZy9wcmFjdGljZXMvY2ExL2Nwcy5wZGYw
> XXmD4mnZh84fwusGeWqMQZ/JWlvJ3rf9v4yKsYaSM+AKf6aRDR4A4AarDzNUGjMq
> 3vY6Kc1Dup/UcWAokJweQllUfExjw7utM08czZqzdEqi/XMcLQcU1AjrdYm6pmWV
> pUKfKNgicX3Gy51skz8v11JGWtSONAkqZeuqDlPAZVTXCOqi1qUk4eK4DE3f8L+y
> GPEdqCGFwCfdB1Hc5aoSSB5t5UHb2LyEE6yBrcjKUUkuDEUfHup4QnV4X9shrPs5
> 8uS6y+JwlVwsGPw6vvAgiwMDQRAuyk43GoQUK1dwuciYmgk=

> It should be noted that use_certificate_chain_file _REQUIRES_ that the
> file be in PEM format (The way in which ejabberd was using it already made
> this assumption so this won't be a problem), it is also possible to encode
> the entire chain using DER format, however I'm not sure how one would go
> about loading that into OpenSSL (I suspect one may need to use
> use_certificate_file again - the DER encoding indicates whether a single
> certificate is contained or whether there are multiple certificates).

What struck me as odd was that in the Oreilly OpenSSL book it says that 
you must have the entire chain in the file you pass to 
use_certificate_chain_file. It must do something to validate the chain 
and then not send the root.

> Just applied to tlug.up.ac.za and the patch does indeed function
> correctly, by simply appending the intermediate certificate to the file
> the entire chain is properly passed to the client.

Good! Maybe I can roll this out on jabber.org soon.

> Jaco
> _______________________________________________
> ejabberd mailing list
> ejabberd at jabber.ru
> http://lists.jabber.ru/mailman/listinfo/ejabberd

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3357 bytes
Desc: S/MIME Cryptographic Signature
Url : http://lists.jabber.ru/pipermail/ejabberd/attachments/20061220/5bb8e7a9/smime.bin

More information about the ejabberd mailing list