Client certificate authentication with BOSH not working in Openfire 4.0.x

Description

My colleague and I have been testing client certificate authentication with BOSH, using Swift and Openfire.

We managed to get it working with Openfire 3.10.3, but not on Openfire 4.0.x.

I looked through the code, and the reason appears to be due to some refactoring that was done to the code involved.

Particularly this commit appears to be relevant:
https://github.com/igniterealtime/Openfire/commit/e58d590b3027d3e569ea18b01e3b998da202e7e8

Environment

None

Activity

Show:
Guus der Kinderen
March 8, 2018, 8:32 PM

Client certificate configuration for BOSH uses a different property than the same feature for plain sockets. For BOSH, one needs to set: httpbind.client.cert.policy

We should have, but do not have, some kind of admin interface for this.

Guus der Kinderen
March 8, 2018, 3:21 PM

Reopening, as another change is needed, as mentioned:

Dele Olajide
March 6, 2018, 12:02 AM
Edited

I just tried it and I did not get the prompt to select a client certificate from Chrome. When I tested previously to discover the minimum changes required, "sslContextFactory.setWantClientAuth(true);" was necessary.

Guus der Kinderen
March 5, 2018, 3:05 PM

I believe that this issue can be worked around by explicitly defining a property named xmpp.bosh.ssl.client.truststore and have its value be the client truststore file path.

Looking at the code, I'd guess that adding the client certificates to {{truststore}} instead of client.truststore would also have done the trick. Can you confirm that?

Nonetheless, client.truststore is what Openfire traditionally used. We should revert back to that default, I think.

Dele Olajide
February 28, 2018, 11:14 AM

I have narrowed it down to this

String c2sTrustStoreLocation = JiveGlobals.getHomeDirectory() + File.separator + "resources" + File.separator + "security" + File.separator + "client.truststore";

sslContextFactory.setTrustStorePath(c2sTrustStoreLocation);
sslContextFactory.setWantClientAuth(true);

Fixed
Your pinned fields
Click on the next to a field label to start pinning.

Assignee

Guus der Kinderen

Reporter

JC Brand

Labels