Openfire fails to verify chained certificates

Description

(3:52:24 PM) jdev@conference.jabber.org/seth: sorry to privmsg you, but I was hoping I could get your help on what looks like an openfire issue. Do you have a minute to chat?
(3:54:28 PM) Guus: hi
(3:54:34 PM) jdev@conference.jabber.org/seth: hi
(3:54:48 PM) Guus: actually, I'm very busy :/
(3:54:58 PM) jdev@conference.jabber.org/seth: yes
(3:54:59 PM) jdev@conference.jabber.org/seth: http://community.igniterealtime.org/thread/42845
(3:55:06 PM) jdev@conference.jabber.org/seth: intermediate (chaining) certs
(3:55:15 PM) jdev@conference.jabber.org/seth: ignore my emails
(3:55:16 PM) jdev@conference.jabber.org/seth: yeah
(3:55:31 PM) jdev@conference.jabber.org/seth: the emails were when I thought this issue was related to another - it's not - I spent last week testing it
(3:55:49 PM) jdev@conference.jabber.org/seth: the problem is when the certfile presented to openfire has more than one cert in it. Openfire drops the tls connection
(3:56:01 PM) Guus: ah
(3:56:08 PM) Guus: that might explain some issues that I've been seeing
(3:56:27 PM) jdev@conference.jabber.org/seth: I have a godaddy cert which requires 3 intermediates
(3:56:41 PM) jdev@conference.jabber.org/seth: When I bundle them, openfire to prosody fails.
(3:56:52 PM) jdev@conference.jabber.org/seth: when I use just my cert (get rid of the other intermediates), it works
(3:57:01 PM) jdev@conference.jabber.org/seth: BUT then the clients complain because the chaining is broken
(3:58:25 PM) jdev@conference.jabber.org/seth: I also tried all the (documented) available options.
(3:58:37 PM) Guus: I'm terribly busy at the moment
(3:58:44 PM) jdev@conference.jabber.org/seth: ok
(3:58:44 PM) Guus: I'll copy/paste this conversation in a new JIRA issue
(3:58:48 PM) Guus: and figure it out later, ok?
(3:59:09 PM) jdev@conference.jabber.org/seth: thanks. yeah. This is a bit important to me, so any attention you could give it would be greatly appreciated. Thank you very much.
(3:59:26 PM) Guus: I'm always happy to accept patches
(3:59:43 PM) jdev@conference.jabber.org/seth: I don't know java at all. If openfire were written in python, ...

Environment

None

Acceptance Test - Entry

None

Activity

Rene Voegeli
February 1, 2015, 11:37 AM

Hi Daryl,

no worries. The deb package is showing up, however I get a 404 error when I try to download it
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>openfire/openfire_3.10.0.beta_all.deb</Key><RequestId>C95AD7DD55F1E9CB</RequestId><HostId>Ty7uSaryXbE1nMK4IlwA2oM5nA2WiYSbLA8bZmpHBV9+Pnp/CkytdQyWAIpATH7v</HostId></Error>

I'm testing with the nightly now to reconstruct my SSL handshake problem and post an issue in the forums.

Cheers,
Rene

Rene Voegeli
February 1, 2015, 12:04 PM

In the meantime I'm happy to call this issue here fixed for me with the latest nightly. Looks like the server-to-server connection was established successfully.

Neustradamus
February 1, 2015, 2:16 PM

nice with the latest nightly (not the beta)

Daryl Herzmann
February 2, 2015, 2:06 PM

@Rene, sorry about that. While I fixed the file name, I failed to upload that fixed name to S3, so that is why the download would fail. I uploaded it on Sunday and verified that the download works now.

Rene Voegeli
February 3, 2015, 5:34 PM

@Daryl: Thank you. I "downgraded" to the beta; the fix for this issue is still working for me (as expected).

Still having my SSL problem, though. :/ Could you have a look at my forum post? Maybe post an issue in the tracker?

Cheers,
Rene

Assignee

Dave Cridland

Reporter

Guus der Kinderen

Labels

None

Expected Effort

None

Priority

Major