ejabberd - Comments for "multiple domains, multiple SSL certificates"
https://www.ejabberd.im/node/3096

that seems to have solved it
https://www.ejabberd.im/node/3096#comment-53299
<p>I was using the old-style SSL rather than STARTTLS because STARTTLS was only working erratically, but everything seems to be working OK now.</p>
<p>As far as using multiple certs for old-style SSL goes, do you think it might work to run multiple ejabberd instances listening on different IPs? I've been considering whether such a solution might work anyway to solve my gtalk issues (<a href="http://www.ejabberd.im/node/3091" title="http://www.ejabberd.im/node/3091">http://www.ejabberd.im/node/3091</a>).</p>
Mon, 16 Jun 2008 02:25:23 +0000 foolishpuck comment 53299 at https://www.ejabberd.im

First, note that the usage
https://www.ejabberd.im/node/3096#comment-53298
<p>First, note that the usage of SSL encryption on port 5223 is not part of XMPP; it is a feature from old Jabber. The XMPP way is to use STARTTLS encryption on port 5222. Most Jabber/XMPP clients support both methods, and new clients and libraries already support only STARTTLS.</p>
<p>Second: you understood the usage of domain_certfile correctly; however, it isn't possible to use per-vhost certificates with SSL encryption. See this <a href="http://thread.gmane.org/gmane.network.jabber.ejabberd/3471" rel="nofollow">mailing list thread</a>:</p>
<div class="quote-msg">
<div class="quote-author"><em>Jesse Thompson</em> wrote:</div>
<p>You can't use individual domain certificates with SSL connections (port 5223 and web) because the certificate is used to encrypt the connection before the client can tell the server which domain it's trying to connect to.</p>
<p>But it will work with port 5222 (TLS+SASL) since the initial connection is made in plain text and the client is able to tell the server which domain it's trying to connect to prior to the connection being encrypted.</p>
</div>
<p>Reading the source code of ejabberd 2.0.1, this should work for STARTTLS:</p>
<pre>
{hosts, ["example.org", "example.com"]}.

{listen,
 [
  {5222, ejabberd_c2s, [
      %%
      %% If TLS is compiled and you installed a SSL
      %% certificate, put the correct path to the
      %% file and uncomment this line:
      %%
      %%{certfile, "/path/to/ssl.pem"}, starttls,
      %% No need to specify certfile here, check domain_certfile
      starttls,
      {access, c2s},
      {shaper, c2s_shaper},
      {max_stanza_size, 65536}
  ]},
  ...
 ]
}.

%%
%% domain_certfile: Specify a different certificate for each served hostname.
%%
{domain_certfile, "example.org", "/path/to/example_org.pem"}.
{domain_certfile, "example.com", "/path/to/example_com.pem"}.
</pre>
Sun, 15 Jun 2008 21:13:19 +0000 mfoss comment 53298 at https://www.ejabberd.im
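An added check, not part of the thread above or of ejabberd itself: a small Python script that reads a 2.0.x-style config like the one mfoss posted and reports which vhosts have no domain_certfile entry (those fall back to the global certfile and so present the wrong certificate to STARTTLS clients). It uses regular expressions that fit the layout shown here rather than a full Erlang term parser, and the config text it reads is constructed for the example.

```python
"""Check that every vhost in an ejabberd 2.x (Erlang-term) config has its own
domain_certfile entry. A host without one silently uses the global certfile,
so clients of that domain see a certificate for a different name."""
import re

# Constructed sample in the ejabberd 2.0.x config syntax discussed above;
# example.net is deliberately missing its domain_certfile entry.
SAMPLE_CFG = """
{hosts, ["example.org", "example.com", "example.net"]}.

{listen, [
  {5222, ejabberd_c2s, [
      %%{certfile, "/path/to/ssl.pem"}, starttls,
      %% No need to specify certfile here, check domain_certfile
      starttls,
      {access, c2s}
  ]}
 ]}.

%% domain_certfile: one certificate per served hostname
{domain_certfile, "example.org", "/path/to/example_org.pem"}.
{domain_certfile, "example.com", "/path/to/example_com.pem"}.
"""

HOSTS_RE = re.compile(r"\{hosts,\s*\[(.*?)\]\s*\}\s*\.", re.S)
DOMAIN_CERT_RE = re.compile(r'\{domain_certfile,\s*"([^"]+)",\s*"([^"]+)"\s*\}\s*\.')
STRING_RE = re.compile(r'"([^"]+)"')


def strip_comments(cfg: str) -> str:
    """Drop Erlang '%' comments line by line (assumes no '%' inside strings)."""
    return "\n".join(line.split("%", 1)[0] for line in cfg.splitlines())


def parse_config(cfg: str):
    """Return (served hosts, {host: certfile}) from the uncommented config."""
    text = strip_comments(cfg)
    m = HOSTS_RE.search(text)
    hosts = STRING_RE.findall(m.group(1)) if m else []
    certs = dict(DOMAIN_CERT_RE.findall(text))
    return hosts, certs


def check_domain_certs(cfg: str):
    """Return (vhosts lacking a domain_certfile, domain_certfile hosts that are
    not served at all, which usually means a typo in one of the two places)."""
    hosts, certs = parse_config(cfg)
    missing = [h for h in hosts if h not in certs]
    unused = sorted(set(certs) - set(hosts))
    return missing, unused
```

Running `check_domain_certs(SAMPLE_CFG)` on the constructed config reports `example.net` as missing; feeding it the real ejabberd.cfg gives the same list for a production host.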