[2.0.5] https webif asks for client certificate, but accepts any

I enabled HTTPS access to ejabberd with

--- 8< ---
%% listener entry inside {listen, [...]} in ejabberd.cfg
{5280, ejabberd_http, [
        http_poll,
        web_admin,
        tls, {certfile, "/etc/ejabberd/xmpp.pem"}   % key + cert + chain in one PEM
       ]}
--- 8< ---

This works fine, since the xmpp.pem contains the key, the cert and the cert chain.

When I access the web interface, ejabberd asks for a client certificate (since I have two imported in my browser). But the certificate is never used:

- I can access the webif from every browser, even without a client certificate.
- I can choose a "wrong" certificate (I have one that follows the same cert chain as xmpp.pem above (»Deutsche Telekom Root CA2«, DFN, my university), and one from CAcert).

From what I know, ejabberd only uses the server certificate to guarantee the server is the real server. And ejabberd verifies the user is the real user only by requesting the XMPP account password.

So, it seems we have two different topics here:

  1. bug: ejabberd should not ask for a client certificate, because client-certificate verification isn't implemented.
  2. feature: ejabberd could support requesting and verifying client certificates. And this could be optional.

It would be nice if you could try that with ejabberd 2.1.0 and comment whether the problem is still present.

Or if you could provide a simple way to test this, so even inexperienced people can check whether it is solved or not. Maybe using console programs like lynx/wget/w3m/...?

BTW, there's a related ticket: Do not ask certificate for client (c2s)

With all the information that you will provide, I'll submit a ticket for the bug.
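
One console-only way to check the two symptoms from the report (the server sends a TLS CertificateRequest, yet still serves the page when no certificate is offered). This is an added example, not part of the ticket and not ejabberd's own tooling. It assumes `openssl s_client` and `curl` are installed, that the listener is on localhost:5280 with the `/admin/` path from `web_admin` (adjust HOST/PORT), and that OpenSSL's s_client prints the lines "Acceptable client certificate CA names" or "Client Certificate Types:" only after receiving a CertificateRequest. The two sample transcripts are constructed, not captured from a real ejabberd.

```shell
#!/bin/sh
# Probe an HTTPS listener for the behaviour described in the ticket:
#  1. does the server ask for a client certificate (TLS CertificateRequest)?
#  2. does it still serve the page when the client offers none?
# Added example; host, port and path are assumptions, not ejabberd defaults.

HOST="${PROBE_HOST:-localhost}"
PORT="${PROBE_PORT:-5280}"

# classify_handshake reads `openssl s_client` output on stdin and prints
#   requested      - a CertificateRequest was seen (CA names or cert types listed)
#   not-requested  - no CertificateRequest was seen
# The marker lines are the ones OpenSSL's s_client prints (assumption).
classify_handshake() {
    if grep -q -e '^Acceptable client certificate CA names' \
               -e '^Client Certificate Types:'; then
        echo requested
    else
        echo not-requested
    fi
}

# probe_server runs a real handshake against "$1:$2", offering no client
# certificate, and classifies what the server sent.
probe_server() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | classify_handshake
}

# fetch_status requests the admin page and prints the HTTP status code.
# With no --cert given, curl offers no client certificate.
#   401/200 : TLS let us through without a cert (web_admin then asks for the
#             XMPP password, which is the only check ejabberd really does)
#   000     : no HTTP response at all, i.e. the handshake was rejected
# Optional $3/$4 are a client cert/key PEM to repeat the test with a "wrong"
# certificate from an unrelated CA (paths are assumptions).
fetch_status() {
    if [ -n "${3:-}" ]; then
        curl -k -s -o /dev/null -w '%{http_code}' --cert "$3" --key "$4" \
            "https://$1:$2/admin/"
    else
        curl -k -s -o /dev/null -w '%{http_code}' "https://$1:$2/admin/"
    fi
}

# Constructed s_client transcripts (not real captures) so the parser can be
# exercised without a server.
SAMPLE_REQUESTED='CONNECTED(00000003)
---
Certificate chain
---
Acceptable client certificate CA names
/C=XX/O=Example Org/CN=Example Root CA
Client Certificate Types: RSA sign, DSA sign
---'
SAMPLE_NOT_REQUESTED='CONNECTED(00000003)
---
Certificate chain
---
No client certificate CA names sent
---'

classify_sample() {
    printf '%s\n' "$1" | classify_handshake
}

# Offline demonstration on the constructed transcripts.
echo "sample 1: $(classify_sample "$SAMPLE_REQUESTED")"
echo "sample 2: $(classify_sample "$SAMPLE_NOT_REQUESTED")"

# Live probe only when explicitly asked for, so the script is safe to source.
if [ -n "${PROBE_HOST:-}" ]; then
    echo "certificate request: $(probe_server "$HOST" "$PORT")"
    echo "HTTP status without client cert: $(fetch_status "$HOST" "$PORT")"
fi
```

Run it as `PROBE_HOST=your.server sh probe.sh`. The bug in the ticket shows up as "certificate request: requested" together with a 401 or 200 status; a fixed server would either print "not-requested" (bug 1 fixed) or return status 000 without a certificate and 000 again with the unrelated CAcert certificate (feature 2 implemented).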
