Client certificate authentication with BOSH not working in Openfire 4.0.x

Description

My colleague and I have been testing client certificate authentication with BOSH, using Swift and Openfire.

We managed to get it working with Openfire 3.10.3, but not on Openfire 4.0.x.

I looked through the code, and the reason appears to be due to some refactoring that was done to the code involved.

Particularly this commit appears to be relevant:
https://github.com/igniterealtime/Openfire/commit/e58d590b3027d3e569ea18b01e3b998da202e7e8

Environment

None

Acceptance Test - Entry

None

Activity

Dele Olajide
February 28, 2018, 11:14 AM

I have narrowed it down to this:

import java.io.File;
import org.jivesoftware.util.JiveGlobals;

// Truststore holding the CA certificates that client certificates must chain up to.
String c2sTrustStoreLocation = JiveGlobals.getHomeDirectory() + File.separator + "resources" + File.separator + "security" + File.separator + "client.truststore";

// sslContextFactory is the Jetty SslContextFactory of the BOSH HTTPS connector.
// Point it at that truststore and ask (without requiring) clients to present a
// certificate, so that the TLS handshake carries a CertificateRequest and
// browsers prompt the user to pick a certificate.
sslContextFactory.setTrustStorePath(c2sTrustStoreLocation);
sslContextFactory.setWantClientAuth(true);

Guus der Kinderen
March 5, 2018, 3:05 PM

I believe that this issue can be worked around by explicitly defining a property named xmpp.bosh.ssl.client.truststore and having its value be the client truststore file path.

Looking at the code, I'd guess that adding the client certificates to truststore instead of client.truststore would also have done the trick. Can you confirm that?

Nonetheless, client.truststore is what Openfire traditionally used. We should revert back to that default, I think.

Dele Olajide
March 6, 2018, 12:02 AM
Edited

I just tried it and I did not get the prompt to select a client certificate from Chrome. When I tested previously to discover the minimum changes required, "sslContextFactory.setWantClientAuth(true);" was necessary.

Guus der Kinderen
March 8, 2018, 3:21 PM

Reopening, as another change is needed, as mentioned:

Guus der Kinderen
March 8, 2018, 8:32 PM

Client certificate configuration for BOSH uses a different property than the same feature for plain sockets. For BOSH, one needs to set: httpbind.client.cert.policy

We should have, but do not have, some kind of admin interface for this.
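A command-line way to check whether the BOSH HTTPS endpoint actually asks for a client certificate, which is what the Chrome prompt mentioned above depends on. This is an added example, not code from this issue or from the Openfire project; it assumes openssl is installed and that BOSH over HTTPS listens on 7443 (Openfire's default, overridable). The s_client output embedded in the block is constructed so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of Openfire). Decides from "openssl s_client" output
# whether the server sent a TLS CertificateRequest, i.e. whether it wants or
# needs a client certificate. It keys on lines s_client prints:
#   "Acceptable client certificate CA names" -> server requested a client cert
#   "No client certificate CA names sent"    -> no CA list was sent
# Caveat: a server may request a certificate with an empty CA list; Jetty with a
# populated truststore (as in this issue) sends the truststore's CA names, so
# the absence of the first line is a reliable "not requested" here.

# Reads captured s_client output on stdin and prints one classification word.
classify_handshake() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'Acceptable client certificate CA names'; then
    echo "requested"
  elif printf '%s\n' "$out" | grep -q 'No client certificate CA names sent'; then
    echo "not-requested"
  else
    echo "unknown"
  fi
}

# Live check. Host and port are assumptions; 7443 is Openfire's default HTTPS
# BOSH port. </dev/null makes s_client exit right after the handshake.
check_bosh_client_auth() {
  host=$1; port=${2:-7443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | classify_handshake
}

# Constructed sample outputs mimicking the relevant s_client lines.
SAMPLE_REQUESTED='---
Acceptable client certificate CA names
C = XX, O = Example, CN = Example Client CA
---
SSL handshake has read 2417 bytes and written 398 bytes'
SAMPLE_NOT_REQUESTED='---
No client certificate CA names sent
---
SSL handshake has read 2117 bytes and written 398 bytes'

# Runs the classifier over one of the constructed samples.
classify_sample() {
  case $1 in
    requested) printf '%s' "$SAMPLE_REQUESTED" | classify_handshake ;;
    *)         printf '%s' "$SAMPLE_NOT_REQUESTED" | classify_handshake ;;
  esac
}
```

Against a real server, `check_bosh_client_auth bosh.example.org` printing "not-requested" means the property change has not taken effect (or the truststore is empty), regardless of what the browser shows.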

Assignee

Guus der Kinderen

Reporter

JC Brand

Labels

Expected Effort

None

Ignite Forum URL

None

Components

Fix versions

Affects versions

Priority

Major