ejabberd 18.03 sends server certfile instead of the domain_certfile as specified in the jid domain_part #2371
Comments
I don't think so. The option
I have made changes to some incorrect observations in my last comments. The problem only happens on the atalk.org domain. If I comment out atalk.sytes.net.pem in the certfiles section, i.e. then ejabberd 18.03 uses the correct atalk.org.pem certfile when establishing the session with aaa123@atalk.org. When a user on the aTalk client first logs in, it displays the exact content of the SSL cert for user approval. The above observation is reflected exactly in the aTalk certificate display content for the two test cases. The atalk.org.pem content is shown below:
So what? Why don't you think that's a problem of your client setting SNI or doing STARTTLS incorrectly? Could you please check with some existing clients that are proven to work, such as Conversations?
aTalk was fully working with ejabberd v17.08 without the reported problem. To allow me to continue with the aTalk testing against ejabberd v18.03, I temporarily commented out the atalk.sytes.net.pem cert.
There is no problem with Conversations, because it checks the SSL cert against both the domain and the host name. atalk.sytes.net is the FQDN of the ejabberd v18.03 server.
In that case there are hundreds of servers with much more sophisticated certificate configurations and they don't have such problems.
The following is the output of openssl, but I am not sure if I used the CLI correctly. The received cert seems correct for atalk.org. Looks like I need to get back to the Smack team for some advice. My apologies if the problem is indeed within the aTalk client.
Below is the captured ejabberd.log showing the initial login TLS handshake between the atalk.org client and the ejabberd v18.03 server. I also captured the TLSv1.2 protocol exchange between the two entities using Wireshark and checked the certificate content sent by ejabberd v18.03. The actual SSL cert sent by ejabberd v18.03 during the XMPP TLS handshake is different from the one sent when using the openssl CLI.
This is strange anyway, because for
(with sensitive data removed).
It seems like your client sets
You are correct. The client actually sets the serverName to atalk.sytes.net. I need to review the aTalk source and refer the issue to the Smack team for advice.
Below is the ejabberd configuration
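The thread resolves once the client's SNI value is compared with the JID domain. The script below is an added example (it is not from the issue, aTalk or ejabberd) that reproduces that check from the command line: it opens an XMPP stream, upgrades with STARTTLS, sends a chosen SNI name, and prints the names in the certificate the server actually presented, so the two cases the reporter captured in Wireshark (SNI = atalk.org vs SNI = atalk.sytes.net) can be compared directly. It assumes OpenSSL 1.1.1 or newer (for `-starttls xmpp`, `-xmpphost` and `x509 -ext`) and that the server listens on the standard c2s port 5222; the hostnames are the ones from the issue.

```shell
#!/bin/sh
# Added example, not part of the issue: probe which certificate an XMPP
# server presents for a given TLS SNI name.
# Assumptions: OpenSSL >= 1.1.1 (-starttls xmpp, -xmpphost, x509 -ext) and a
# c2s listener on port 5222.

# cert_names: read the output of
#   openssl x509 -noout -subject -ext subjectAltName
# on stdin and print the subject CN and every DNS SAN, one per line, as
# "CN:<name>" / "SAN:<name>". Handles both the "CN = x, O = y" and the
# older "/CN=x/O=y" subject line formats.
cert_names() {
  txt=$(cat)
  printf '%s\n' "$txt" | sed -n 's|^subject=.*CN *= *\([^,/]*\).*|CN:\1|p'
  printf '%s\n' "$txt" | grep 'DNS:' | tr ',' '\n' \
    | sed -n 's/^ *DNS:\([^ ]*\) *$/SAN:\1/p'
}

# name_in_cert <name>: read cert_names output on stdin; succeed (exit 0) if
# <name> matches a listed name exactly or via a single-label wildcard
# (*.example.org matches xmpp.example.org, not example.org or a.b.example.org).
# The CN is included only to mirror older clients; per RFC 6125 a verifier
# should rely on the SANs whenever any are present.
name_in_cert() {
  want=$1
  while IFS= read -r line; do
    n=${line#*:}
    case $n in
      "$want") return 0 ;;
      \*.*) [ "${want#*.}" = "${n#\*.}" ] && return 0 ;;
    esac
  done
  return 1
}

# probe_cert <host> <port> <sni_name> [<xmpp_to_domain>]
# Connects to <host>:<port>, opens an XMPP stream to <xmpp_to_domain>
# (defaults to <sni_name>), does STARTTLS with <sni_name> as SNI, and prints
# the names in the certificate the server returned. SNI and the stream "to"
# domain are separate arguments so you can vary them independently and see
# which one the server keys its certificate choice on.
probe_cert() {
  host=$1; port=$2; sni=$3; to=${4:-$3}
  openssl s_client -connect "$host:$port" -starttls xmpp -xmpphost "$to" \
      -servername "$sni" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -ext subjectAltName 2>/dev/null \
    | cert_names
}

# Usage (needs network; hostnames from the issue):
#   probe_cert atalk.sytes.net 5222 atalk.org                  # SNI = JID domain
#   probe_cert atalk.sytes.net 5222 atalk.sytes.net atalk.org  # SNI = host FQDN, as aTalk sent
#   probe_cert atalk.sytes.net 5222 atalk.org | name_in_cert atalk.org \
#     && echo "presented cert covers atalk.org"
```

Run the two `probe_cert` lines back to back: if the second returns a certificate whose names do not include atalk.org, the server is selecting by SNI and the client's `serverName` is what needs to change. One caveat when comparing with a plain `openssl s_client` run: from 1.1.1 onward, `s_client` sends the `-connect` hostname as SNI unless `-servername` or `-noservername` is given, which by itself can make a command-line check disagree with a packet capture of a client that sets SNI differently.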
Hi Zinid, the Smack team has proposed a working solution. See link below:
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
hosts:
certfiles:
With the above configuration, ejabberd always sends users, e.g. aaa123@atalk.org and xyz123@icrypto.com, the atalk.sytes.net.pem instead of the specific, correct domain_certfile.