Client certificate authentication with BOSH not working in Openfire 4.0.x


My colleague and I have been testing client certificate authentication with BOSH, using Swift and Openfire.

We managed to get it working with Openfire 3.10.3, but not on Openfire 4.0.x.

I looked through the code, and the reason appears to be due to some refactoring that was done to the code involved.

Particularly this commit appears to be relevant:




Guus der Kinderen
March 8, 2018, 8:32 PM

Client certificate configuration for BOSH uses a different property than the same feature for plain sockets. For BOSH, one needs to set: httpbind.client.cert.policy

We should have, but do not have, some kind of admin interface for this.
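The policy and truststore interaction discussed in this thread, shown at the TLS level. This is an added example and not Openfire or Jetty code: it uses Go's standard library in place of Jetty's SslContextFactory, because what Dele and Guus describe below (whether a browser gets a certificate prompt at all, and which certificates the server then accepts) is decided inside the TLS handshake and can be exercised offline. Assumptions not taken from the thread: the policy names "disabled", "wanted" and "needed" and their mapping onto want/need client auth, the certificate names, and the throwaway server on 127.0.0.1; the self-signed certificates are constructed test material.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

type Outcome struct {
	Requested bool   // the server sent a CertificateRequest, which is what makes a browser show its prompt
	OK        bool   // the server completed the handshake
	PeerCN    string // CN of the client certificate the server accepted, if any
}

// Policy names are assumed ("disabled", "wanted", "needed"); "wanted" is Jetty's setWantClientAuth(true), "needed" setNeedClientAuth(true).
var policyToClientAuth = map[string]tls.ClientAuthType{
	"disabled": tls.NoClientCert,               // no CertificateRequest, so no prompt
	"wanted":   tls.VerifyClientCertIfGiven,    // prompt; a certificate is optional but verified if sent
	"needed":   tls.RequireAndVerifyClientCert, // prompt; no trusted certificate, no session
}

// selfSigned makes a throwaway self-signed certificate for 127.0.0.1 (constructed test material).
func selfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Handshake runs one in-process TLS handshake. The server enforces policy and trusts client certificates
// issued by trustedCA (the job of client.truststore); the client offers clientCert, if non-nil, when asked.
func Handshake(policy string, server, trustedCA tls.Certificate, clientCert *tls.Certificate) (Outcome, error) {
	auth, known := policyToClientAuth[policy]
	if !known { // a misspelt policy must fail closed, not fall back to the map's zero value NoClientCert
		return Outcome{}, fmt.Errorf("unknown client cert policy %q", policy)
	}
	truststore, roots := x509.NewCertPool(), x509.NewCertPool()
	truststore.AddCert(trustedCA.Leaf) // what the server accepts from clients
	roots.AddCert(server.Leaf)         // what the client accepts from the server
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return Outcome{}, err
	}
	defer ln.Close()
	done := make(chan Outcome, 1)
	go func() { // server side: accept one connection and report the verdict
		var res Outcome
		if raw, err := ln.Accept(); err == nil {
			conn := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: auth, ClientCAs: truststore})
			defer conn.Close()
			res.OK = conn.Handshake() == nil
			if peers := conn.ConnectionState().PeerCertificates; res.OK && len(peers) > 0 {
				res.PeerCN = peers[0].Subject.CommonName
			}
		}
		done <- res
	}()
	requested, cfg := false, &tls.Config{RootCAs: roots, ServerName: "127.0.0.1"}
	cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
		requested = true // only invoked once a CertificateRequest has arrived
		if clientCert == nil {
			return &tls.Certificate{}, nil // empty certificate: offer nothing
		}
		return clientCert, nil
	}
	if conn, err := tls.Dial("tcp", ln.Addr().String(), cfg); err == nil {
		conn.Close() // the server's verdict is what counts; a client-side error only mirrors a rejection
	}
	srv := <-done
	return Outcome{Requested: requested, OK: srv.OK, PeerCN: srv.PeerCN}, nil
}

func main() {
	server, alice, mallory := selfSigned("bosh.example.test"), selfSigned("alice"), selfSigned("mallory")
	for _, policy := range []string{"disabled", "wanted", "needed"} {
		for who, cert := range map[string]*tls.Certificate{"none": nil, "alice": &alice, "mallory": &mallory} {
			o, err := Handshake(policy, server, alice, cert) // only alice is in the truststore
			fmt.Printf("policy=%-8s client=%-7s requested=%-5v ok=%-5v peer=%q err=%v\n", policy, who, o.Requested, o.OK, o.PeerCN, err)
		}
	}
}
```

What it shows: under "disabled" the server never sends a CertificateRequest, so no browser would prompt no matter what the truststore holds, which is the symptom Dele reports below when setWantClientAuth(true) is missing. Under "wanted" a client that presents nothing still gets a session, but a certificate the truststore does not know (mallory) aborts the handshake; under "needed" presenting nothing aborts it too. The lookup guard matters as well: an unknown policy string is an error, because the map's zero value would otherwise turn a typo into "disabled" without any warning.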

Guus der Kinderen
March 8, 2018, 3:21 PM

Reopening, as another change is needed, as mentioned:

Dele Olajide
March 6, 2018, 12:02 AM

I just tried it and I did not get the prompt to select a client certificate from Chrome. When I tested previously to discover the minimum changes required, "sslContextFactory.setWantClientAuth(true);" was necessary.

Guus der Kinderen
March 5, 2018, 3:05 PM

I believe that this issue can be worked around by explicitly defining a property named xmpp.bosh.ssl.client.truststore and have its value be the client truststore file path.

Looking at the code, I'd guess that adding the client certificates to truststore instead of client.truststore would also have done the trick. Can you confirm that?

Nonetheless, client.truststore is what Openfire traditionally used. We should revert back to that default, I think.

Dele Olajide
February 28, 2018, 11:14 AM

I have narrowed it down to this

String c2sTrustStoreLocation = JiveGlobals.getHomeDirectory() + File.separator + "resources" + File.separator + "security" + File.separator + "client.truststore";




Guus der Kinderen


JC Brand