Hi there,
I'm having problems setting up SSL certificates for multiple domains. From the documentation, I gather that the domain_certfile setting is used to specify the certificate for each domain, but as far as I can tell that setting is being ignored. SSL seems to be working fine for the primary domain using the certfile paramater. I'm only using SSL encryption between the client and server, not between servers (yet).
Does anybody have a working example of how one would go about setting this up?
First, note that the usage
First, note that the usage of SSL encryption in port 5223 is not part of XMPP, it is a feature from old Jabber. The XMPP-way is to use STARTTLS encryption in port 5222. Most Jabber/XMPP clients support both methods, and new clients and libraries only support STARTTLS already.
Second: you understood correctly the usage of domain_certfile, however it isn't possible to use per-vhost certificates with SSL encryption. See this :
You can't use individual domain certificates with SSL connections (port
5223 and web) because the certificate is used to encrypt the connection
before the client can tell the server which domain it's trying to
connect to.
But it will work with port 5222 (TLS+SASL) since the initial connection
is made in plain text and the client is able to tell the server which
domain it's trying to connect to prior to the connection being encrypted.
Reading the source code of ejabberd 2.0.1, this should work for STARTTLS:
{hosts, ["example.org", "example.com"]}. {listen, [ {5222, ejabberd_c2s, [ %% %% If TLS is compiled and you installed a SSL %% certificate, put the correct path to the %% file and uncomment this line: %% %%{certfile, "/path/to/ssl.pem"}, starttls, %% No need to specify certfile here, check domain_certfile starttls, {access, c2s}, {shaper, c2s_shaper}, {max_stanza_size, 65536} ]}, ... ] }. %% %% domain_certfile: Specify a different certificate for each served hostname. %% {domain_certfile, "example.org", "/path/to/example_org.pem"}. {domain_certfile, "example.com", "/path/to/example_com.pem"}.that seems to have solved it
I was using the old-style SSL rather than STARTTLS because STARTTLS was only working erratically, but everything seems to be working OK now.
As far as using multiple certs for old-style SSL goes, do you think it might work to run multiple ejabberd instances on listening on different IPs? I've been considering whether such a solution might work anyways to solve my gtalk issues (http://www.ejabberd.im/node/3091).