Client certificate configuration for BOSH uses a different property than the same feature for plain sockets. For BOSH, one needs to set: httpbind.client.cert.policy
We should have, but do not have, some kind of admin interface for this.
Guus der Kinderen March 8, 2018 at 3:21 PM
Reopening, as another change is needed, as mentioned:
Dele Olajide March 6, 2018 at 12:02 AM
I just tried it and I did not get the prompt to select a client certificate from Chrome. When I tested previously to discover the minimum changes required, "sslContextFactory.setWantClientAuth(true);" was necessary.
Guus der Kinderen March 5, 2018 at 3:05 PM
I believe that this issue can be worked around by explicitly defining a property named xmpp.bosh.ssl.client.truststore and have its value be the client truststore file path.
Looking at the code, I'd guess that adding the client certificates to truststore instead of client.truststore would also have done the trick. Can you confirm that?
Nonetheless, client.truststore is what Openfire traditionally used. We should revert back to that default, I think.
My colleague and I have been testing client certificate authentication with BOSH, using Swift and Openfire.
We managed to get it working with Openfire 3.10.3, but not on Openfire 4.0.x.
I looked through the code, and the reason appears to be due to some refactoring that was done to the code involved.
Particularly this commit appears to be relevant:
https://github.com/igniterealtime/Openfire/commit/e58d590b3027d3e569ea18b01e3b998da202e7e8
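As an added illustration (not Openfire's own code, and not from the commit above) of the two Jetty-side settings this thread turns on: a TLS listener that requests a client certificate with setWantClientAuth(true), so browsers such as Chrome show the certificate prompt, and validates it against a dedicated client truststore. The keystore/truststore paths, passwords and port 7443 are placeholders.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.*;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class ClientCertListener {
    public static void main(String[] args) throws Exception {
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath("/path/to/keystore");              // placeholder: server identity
        ssl.setKeyStorePassword("changeit");                   // placeholder
        // Placeholder path. Only certificates chaining to a CA in THIS store are accepted;
        // this is the role the thread's client.truststore plays.
        ssl.setTrustStorePath("/path/to/client.truststore");
        ssl.setTrustStorePassword("changeit");                 // placeholder
        // "want" asks for a certificate but still accepts clients without one;
        // without want/need, the browser never prompts and no chain reaches the handler.
        ssl.setWantClientAuth(true);
        // ssl.setNeedClientAuth(true); // stricter: drop handshakes that present no certificate

        HttpConfiguration cfg = new HttpConfiguration();
        cfg.addCustomizer(new SecureRequestCustomizer()); // exposes the verified chain to servlets

        Server server = new Server();
        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, "http/1.1"),
                new HttpConnectionFactory(cfg));
        connector.setPort(7443); // placeholder port
        server.addConnector(connector);

        server.setHandler(new AbstractHandler() {
            @Override
            public void handle(String target, Request base, HttpServletRequest req,
                               HttpServletResponse resp) throws IOException {
                // Because auth is "wanted" not "needed", the attribute may be absent: check it.
                X509Certificate[] chain = (X509Certificate[])
                        req.getAttribute("javax.servlet.request.X509Certificate");
                if (chain == null || chain.length == 0) {
                    resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
                } else {
                    resp.setContentType("text/plain");
                    resp.getWriter().println("authenticated as " + chain[0].getSubjectX500Principal());
                }
                base.setHandled(true);
            }
        });
        server.start();
        server.join();
    }
}
```

The handler refuses requests that arrive without a chain, which is how a "want" listener still enforces certificate authentication for the endpoints that need it.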