ejabberd - Comments for "Installing self-signed certs for security in HTTP-bind" https://www.ejabberd.im/node/3802

Browser shouldn't request client cert https://www.ejabberd.im/node/3802#comment-55075

<div class="quote-msg"> <div class="quote-author">Quote:</div> <p>Any other suggestions/configurations that I should be trying will be much appreciated.</p></div>
<p>I have this configuration:</p>
<pre>
{listen, [
  {5222, ejabberd_c2s, [
    starttls,
    {certfile, "/etc/ejabberd/ssl.pem"},
    {access, c2s},
    {shaper, c2s_shaper},
    {max_stanza_size, 65536}
  ]},
  ...
  {5280, ejabberd_http, [
    {request_handlers, [
      {["jwchat"], mod_http_fileserver}
    ]},
    tls,
    {certfile, "/etc/ejabberd/ssl.pem"},
    http_bind
  ]}
]}.

{modules, [
  {mod_http_bind, []},
  {mod_http_fileserver, [
    {docroot, "/home/ejabberd/www/jwchat"}
  ]},
  ...
]}.
</pre>
<p>And the URL is: <a href="https://localhost:5280/jwchat/index.html" title="https://localhost:5280/jwchat/index.html" rel="nofollow">https://localhost:5280/jwchat/index.html</a></p>
<div class="quote-msg"> <div class="quote-author">Quote:</div> <p>Any idea whether running mod_http_fileserver along with HTTPS could be causing this issue - can you test your configuration with mod_http_fileserver enabled?</p></div>
<p>That's the HTTP server I use.</p>
<div class="quote-msg"> <div class="quote-author">Quote:</div> <p>On the certificate file, is your cert file (on port 5222 or 5280) the default certfile server.pem that comes with the ejabberd installation, or have you created a new one?</p></div>
<p>I use the same cert on both ports. I created it self-signed some time ago, or maybe it was just the self-signed one created some time ago by the binary installer, or by the Debian ejabberd package.</p>
<div class="quote-msg"> <div class="quote-author">Quote:</div> <p>I tried FireFox (3.5) as well as Chrome (3.0) and all browsers are requesting a certificate from the client</p></div>
<p>Strange, in my case they don't request anything.</p>

Sun, 27 Dec 2009 22:59:00 +0000 mfoss comment 55075 at https://www.ejabberd.im

Thanks! I tried FireFox (3.5) https://www.ejabberd.im/node/3802#comment-55068

<p>Thanks!</p>
<p>I tried FireFox (3.5) as well as Chrome (3.0) and all browsers are requesting a certificate from the client, which leads me to believe that it is not a browser issue. I am not sure it makes sense for ejabberd to request a certificate from the client for an HTTPS connection. Any idea whether running mod_http_fileserver along with HTTPS could be causing this issue - can you test your configuration with mod_http_fileserver enabled?</p>
<p>On the certificate file, is your cert file (on port 5222 or 5280) the default certfile server.pem that comes with the ejabberd installation, or have you created a new one?</p>
<p>On the contacts not getting populated, that happens only with HTTPS enabled and not with regular HTTP. Comparing the log file that you posted with mine, I see that the last line in my ejabberd.log shows "Session timeout. Closing the HTTP bind session" - when/why does ejabberd time out a connection?</p>
<p>Any other suggestions/configurations that I should be trying will be much appreciated.</p>

Wed, 23 Dec 2009 09:15:59 +0000 paveljohn comment 55068 at https://www.ejabberd.im

Try Firefox. Otherwise review jwchat+ejabberd config. https://www.ejabberd.im/node/3802#comment-55067

<div class="quote-msg"> <div class="quote-author">Quote:</div> <p>When I connect to the server, I am prompted for a certificate (not sure why). In IE6</p></div>
<p>I tried this with Firefox 3.5. You can check if the browser is an important factor.</p>
<div class="quote-msg"> <div class="quote-author">Quote:</div> <p>After I try to login, it pops up the window but my contacts are missing.</p></div>
<p>Oh. When I had configuration problems (in jwchat or in ejabberd), I saw that, and also received a window "Service unavailable".</p>
<div class="quote-msg"> <div class="quote-author">Quote:</div> <p>1. Upon connection why does the server ask for a certificate file?</p></div>
<p>No idea.</p>
<div class="quote-msg"> <div class="quote-author">Quote:</div> <p>2. Is a new certificate file required on the server?</p></div>
<p>No. I have the same certfile... both in 5222 and 5280.</p>
<div class="quote-msg"> <div class="quote-author">Quote:</div> <p>3. Why doesn't the contact list get populated?</p></div>
<p>Because Jwchat or ejabberd found some problem.</p>
<div class="quote-msg"> <div class="quote-author">Quote:</div> <p>4. Is the TLS handshake for ejabberd documented anywhere?</p></div>
<p>It should use the standard one.</p>

Wed, 23 Dec 2009 08:50:35 +0000 mfoss comment 55067 at https://www.ejabberd.im

Thanks badlop for the https://www.ejabberd.im/node/3802#comment-55059

<p>Thanks badlop for the suggestion. I changed starttls to tls and now my configuration is:</p>
<pre>
.....
{5284, ejabberd_http, [
  {request_handlers, [
    {["web"], mod_http_fileserver}
  ]},
  http_bind,
  web_admin,
  tls,
  {certfile, "/ejabberd/conf/server.pem"}
]}
....
</pre>
<p>When I connect to the server, I am prompted for a certificate (not sure why). In IE6 the dialog box says "Choose a digital certificate. The web site you want to view requests identification. ....." When I click "cancel", IE pops up a warning that the certificate may not be trusted, and when I click OK it takes me to the Jwchat login page. After I try to login, it pops up the window but my contacts are missing. The log is posted below.</p>
<p>Questions:<br />
----------<br />
1. Upon connection why does the server ask for a certificate file?<br />
2. Is a new certificate file required on the server? I tried replacing server.pem with a self-signed cert that was signed by a CA that I created myself (for testing), but that did not help either.<br />
3. Why doesn't the contact list get populated?<br />
4. Is the TLS handshake for ejabberd documented anywhere?</p>
<p>Thanks much!</p>
<pre>
=INFO REPORT==== 2009-12-21 14:44:05 ===
I(&lt;0.377.0&gt;:ejabberd_listener:229) : (#Port&lt;0.496&gt;) Accepted connection {{10,24,160,103},3257} -&gt; {{10,23,16,30},5284}

=INFO REPORT==== 2009-12-21 14:44:05 ===
I(&lt;0.273.0&gt;:ejabberd_http:131) : started: {tls,
                                            {tlssock,#Port&lt;0.496&gt;,
                                                     #Port&lt;0.497&gt;}}

=INFO REPORT==== 2009-12-21 14:44:05 ===
I(&lt;0.377.0&gt;:ejabberd_listener:229) : (#Port&lt;0.502&gt;) Accepted connection {{10,24,160,103},3260} -&gt; {{10,23,16,30},5284}

=INFO REPORT==== 2009-12-21 14:44:05 ===
I(&lt;0.273.0&gt;:ejabberd_http:131) : started: {tls,
                                            {tlssock,#Port&lt;0.502&gt;,
                                                     #Port&lt;0.503&gt;}}

=INFO REPORT==== 2009-12-21 14:44:06 ===
I(&lt;0.403.0&gt;:ejabberd_c2s:703) : ({socket_state,ejabberd_http_bind,{http_bind,&lt;0.402.0&gt;,{{10,24,160,103},3256}},ejabberd_http_bind}) Accepted authentication for pavel by ejabberd_auth_internal

=ERROR REPORT==== 2009-12-21 14:45:06 ===
W(&lt;0.402.0&gt;:ejabberd_http_bind:486) : Session timeout. Closing the HTTP bind session: "91781505bb407f681cee53883b025efc8254665f"
</pre>

Mon, 21 Dec 2009 22:55:48 +0000 paveljohn comment 55059 at https://www.ejabberd.im

For HTTPS use option tls https://www.ejabberd.im/node/3802#comment-55058

<p>The Guide says:</p>
<pre>
ejabberd_http
  Handles incoming HTTP connections.
  Options: captcha, certfile, http_bind, http_poll, request_handlers, tls, web_admin
</pre>
<p>And also shows an example:</p>
<pre>
{{5281, "127.0.0.1"}, ejabberd_http, [
  web_admin,
  tls,
  {certfile, "/etc/ejabberd/server.pem"}
]}
</pre>
<p>So, tls is for old 5223 SSL and for HTTPS. starttls is for the new XMPP STARTTLS.<br />
Try to put tls instead of starttls.</p>
<p>Unfortunately, the guide doesn't mention "and for HTTPS". Once you try and confirm here that the tls option is the good one, I'll make sure that sentence is added in the Guide.</p>
<p>I get this in the log:</p>
<pre>
=INFO REPORT==== 21-Dec-2009::17:21:28 ===
I(&lt;0.540.0&gt;:ejabberd_listener:229) : (#Port&lt;0.3921&gt;) Accepted connection {{127,0,0,1},58383} -&gt; {{127,0,0,1},5282}

=INFO REPORT==== 21-Dec-2009::17:21:28 ===
I(&lt;0.541.0&gt;:ejabberd_http:137) : started: {tls,
                                            {tlssock,#Port&lt;0.3921&gt;,
                                                     #Port&lt;0.3928&gt;}}

=INFO REPORT==== 21-Dec-2009::17:21:29 ===
I(&lt;0.543.0&gt;:ejabberd_c2s:702) : ({socket_state,ejabberd_http_bind,{http_bind,&lt;0.542.0&gt;,{{127,0,0,1},58383}},ejabberd_http_bind}) Accepted authentication for badlop by ejabberd_auth_internal

=INFO REPORT==== 21-Dec-2009::17:21:29 ===
I(&lt;0.543.0&gt;:ejabberd_c2s:816) : ({socket_state,ejabberd_http_bind,{http_bind,&lt;0.542.0&gt;,
                                                 {{127,0,0,1},58383}},ejabberd_http_bind}) Opened session for badlop@localhost/jwchat
</pre>

Mon, 21 Dec 2009 16:33:42 +0000 mfoss comment 55058 at https://www.ejabberd.im
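The two ejabberd logs posted in this thread differ in one telling line: the working log ends with "Opened session for ..." right after "Accepted authentication", while the failing one has no "Opened session" record and instead logs "Session timeout. Closing the HTTP bind session" exactly one minute after authentication. The parser below is an added example, not code from the ejabberd project or from any poster; it reads the report/origin format both logs use (both timestamp styles), then correlates TLS starts, authentication, session opening and HTTP-bind timeouts so that an authenticated-but-never-opened session stands out. The sample input is taken from the two posts above (with HTML entities decoded); the function names, the report keys and the `AUTH_RE`/`SESSION_RE`/`TIMEOUT_RE` patterns are this example's own assumptions about the message text, not an ejabberd API.

```python
import re
from datetime import datetime

# Record header, e.g. "=INFO REPORT==== 2009-12-21 14:44:05 ===" or
# "=ERROR REPORT==== 21-Dec-2009::17:21:28 ===" (both styles appear in the thread).
HEADER_RE = re.compile(r"^=(?P<level>INFO|ERROR|WARNING|PROGRESS) REPORT==== (?P<ts>.+?) ===$")
# First body line: "<severity>(<pid>:<module>:<line>) : <message...>"
ORIGIN_RE = re.compile(r"^(?P<sev>[IWE])\(<(?P<pid>[\d.]+)>:(?P<module>\w+):(?P<line>\d+)\) : (?P<msg>.*)$")
TS_FORMATS = ("%Y-%m-%d %H:%M:%S", "%d-%b-%Y::%H:%M:%S")

# Message patterns; assumed from the wording seen in the posted logs.
AUTH_RE = re.compile(r"Accepted authentication for (\S+) by")
SESSION_RE = re.compile(r"Opened session for (\S+)")
TIMEOUT_RE = re.compile(r'Session timeout\. Closing the HTTP bind session: "([0-9a-f]+)"')


def parse_timestamp(ts):
    """Accept either timestamp layout ejabberd's SASL reports use."""
    for fmt in TS_FORMATS:
        try:
            return datetime.strptime(ts, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised ejabberd timestamp: {ts!r}")


def parse_ejabberd_log(text):
    """Group multi-line reports under their header and split out module/line/message."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"time": parse_timestamp(m.group("ts")), "level": m.group("level"), "body": []}
            records.append(current)
        elif current is not None:
            current["body"].append(line)  # continuation of a wrapped Erlang term
    events = []
    for rec in records:
        om = ORIGIN_RE.match(" ".join(rec["body"]))
        if om:  # skip reports that are not in the origin format
            events.append({"time": rec["time"], "level": rec["level"], "module": om.group("module"),
                           "line": int(om.group("line")), "message": om.group("msg")})
    return events


def diagnose_http_bind(text):
    """Correlate TLS start, authentication, session open and bind timeout per log."""
    report = {"tls_handshakes": 0, "authenticated": [], "opened": [], "timeouts": [],
              "auth_without_session": [], "seconds_to_timeout": None}
    auth_time = None
    for ev in parse_ejabberd_log(text):
        msg = ev["message"]
        if ev["module"] == "ejabberd_http" and msg.startswith("started: {tls"):
            report["tls_handshakes"] += 1
            continue
        m = AUTH_RE.search(msg)
        if m:
            report["authenticated"].append(m.group(1))
            auth_time = ev["time"]
            continue
        m = SESSION_RE.search(msg)
        if m:
            report["opened"].append(m.group(1))
            continue
        m = TIMEOUT_RE.search(msg)
        if m:
            report["timeouts"].append(m.group(1))
            if auth_time is not None and report["seconds_to_timeout"] is None:
                report["seconds_to_timeout"] = int((ev["time"] - auth_time).total_seconds())
    opened_users = {jid.split("@", 1)[0] for jid in report["opened"]}
    report["auth_without_session"] = [u for u in report["authenticated"] if u not in opened_users]
    return report


# Sample input: the failing log from paveljohn's post (entities decoded).
FAILING_LOG = """
=INFO REPORT==== 2009-12-21 14:44:05 ===
I(<0.377.0>:ejabberd_listener:229) : (#Port<0.496>) Accepted connection {{10,24,160,103},3257} -> {{10,23,16,30},5284}
=INFO REPORT==== 2009-12-21 14:44:05 ===
I(<0.273.0>:ejabberd_http:131) : started: {tls,
{tlssock,#Port<0.496>,
#Port<0.497>}}
=INFO REPORT==== 2009-12-21 14:44:05 ===
I(<0.377.0>:ejabberd_listener:229) : (#Port<0.502>) Accepted connection {{10,24,160,103},3260} -> {{10,23,16,30},5284}
=INFO REPORT==== 2009-12-21 14:44:05 ===
I(<0.273.0>:ejabberd_http:131) : started: {tls,
{tlssock,#Port<0.502>,
#Port<0.503>}}
=INFO REPORT==== 2009-12-21 14:44:06 ===
I(<0.403.0>:ejabberd_c2s:703) : ({socket_state,ejabberd_http_bind,{http_bind,<0.402.0>,{{10,24,160,103},3256}},ejabberd_http_bind}) Accepted authentication for pavel by ejabberd_auth_internal
=ERROR REPORT==== 2009-12-21 14:45:06 ===
W(<0.402.0>:ejabberd_http_bind:486) : Session timeout. Closing the HTTP bind session: "91781505bb407f681cee53883b025efc8254665f"
"""

# Sample input: the working log from badlop's post (entities decoded).
WORKING_LOG = """
=INFO REPORT==== 21-Dec-2009::17:21:28 ===
I(<0.540.0>:ejabberd_listener:229) : (#Port<0.3921>) Accepted connection {{127,0,0,1},58383} -> {{127,0,0,1},5282}
=INFO REPORT==== 21-Dec-2009::17:21:28 ===
I(<0.541.0>:ejabberd_http:137) : started: {tls,
{tlssock,#Port<0.3921>,
#Port<0.3928>}}
=INFO REPORT==== 21-Dec-2009::17:21:29 ===
I(<0.543.0>:ejabberd_c2s:702) : ({socket_state,ejabberd_http_bind,{http_bind,<0.542.0>,{{127,0,0,1},58383}},ejabberd_http_bind}) Accepted authentication for badlop by ejabberd_auth_internal
=INFO REPORT==== 21-Dec-2009::17:21:29 ===
I(<0.543.0>:ejabberd_c2s:816) : ({socket_state,ejabberd_http_bind,{http_bind,<0.542.0>,
{{127,0,0,1},58383}},ejabberd_http_bind}) Opened session for badlop@localhost/jwchat
"""

if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        print(name, diagnose_http_bind(log))
```

Run it on a real ejabberd.log and look at `auth_without_session` and `seconds_to_timeout`: a user who authenticates but never reaches "Opened session", followed by a bind timeout, points at the client side never completing the BOSH session after the TLS handshake, which is the pattern paveljohn's log shows and badlop's does not.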