Openfire fails to verify chained certificates


(3:52:24 PM) sorry to privmsg you, but I was hoping I could get your help on what looks like an openfire issue. Do you have a minute to chat?
(3:54:28 PM) Guus: hi
(3:54:34 PM) hi
(3:54:48 PM) Guus: actually, I'm very busy :/
(3:54:58 PM) yes
(3:54:59 PM)
(3:55:06 PM) intermediate (chaining) certs
(3:55:15 PM) ignore my emails
(3:55:16 PM) yeah
(3:55:31 PM) the emails were when I thought this issue was related to another - it's not - I spent last week testing it
(3:55:49 PM) the problem is when the certfile presented to openfire has more than one cert in it. Openfire drops the tls connection
(3:56:01 PM) Guus: ah
(3:56:08 PM) Guus: that might explain some issues that I've been seeing
(3:56:27 PM) I have a godaddy cert which requires 3 intermediates
(3:56:41 PM) When I bundle them, openfire to prosody fails.
(3:56:52 PM) when I use just my cert (get rid of the other intermediates), it works
(3:57:01 PM) BUT then the clients complain because the chaining is broken
(3:58:25 PM) I also tried all the (documented) available options.
(3:58:37 PM) Guus: I'm terribly busy at the moment
(3:58:44 PM) ok
(3:58:44 PM) Guus: I'll copy/paste this conversation in a new JIRA issue
(3:58:48 PM) Guus: and figure it out later, ok?
(3:59:09 PM) thanks. yeah. This is a bit important to me, so any attention you could give it would be greatly appreciated. Thank you very much.
(3:59:26 PM) Guus: I'm always happy to accept patches
(3:59:43 PM) I don't know java at all. If openfire were written in python, ...




Rene Voegeli
February 3, 2015, 5:34 PM

@Daryl: Thank you, I "downgraded" to the beta, the fix for this issue is still working for me (as expected).

Still having my SSL problem, though. :/ Could you have a look at my forum post? Maybe post an issue in the tracker?


Daryl Herzmann
February 2, 2015, 2:06 PM

@Rene, sorry about that. While I fixed the file name, I failed to upload that fixed name to S3, so that is why the download would fail. I uploaded it on Sunday and verified that the download works now.

February 1, 2015, 2:16 PM

nice with the latest nightly (not the beta)

Rene Voegeli
February 1, 2015, 12:04 PM

In the meantime I'm happy to call this issue here fixed for me with the latest nightly. Looks like the server-to-server connection was established successfully.

Rene Voegeli
February 1, 2015, 11:37 AM

Hi Daryl,

no worries. The deb package is showing up, however I get a 404 error when I try to download it
<Error><Code>NoSuchKey</Code><Message>The specified key does not exist.</Message><Key>openfire/openfire_3.10.0.beta_all.deb</Key><RequestId>C95AD7DD55F1E9CB</RequestId><HostId>Ty7uSaryXbE1nMK4IlwA2oM5nA2WiYSbLA8bZmpHBV9+Pnp/CkytdQyWAIpATH7v</HostId></Error>

I'm testing with the nightly now to reconstruct my SSL handshake problem and post an issue in the forums.




Dave Cridland


Guus der Kinderen