I enabled HTTPS access to ejabberd with
--- 8< ---
{5280, ejabberd_http, [
http_poll,
web_admin,
tls, {certfile, "/etc/ejabberd/xmpp.pem"}
]}
--- 8< ---
This works fine, since the xmpp.pem contains the key, the cert and the cert chain.
When I access the webinterface ejabberd asks for a client certificate (since I have two imported in my browser). But the certificate is never used:
- I can access the webif with every browser without having a client certifcate.
- I can choose a "wrong" certificate (I have one which follows the same cert chain (»Deutsche Telekom Root CA2«, DFN, my university) as xmpp.pem above, and one from CACert)
From what I know, ejabberd
From what I know, ejabberd only uses the server certificate to guarantee the server is the real server. And ejabberd verifies the user is the real user only by requesting the XMPP account password.
So, it seems we have two different topics here:
It would be nice if you can try that with ejabberd 2.1.0 and comment if the problem is still present.
Or if you can provide a simple way to test this, so even inexperienced people can test if that is solved or not. Maybe using console programs like lynx/wget/w3m/...?
BTW, there's a related ticket:Do not ask certificate for client (c2s)
With all the information that you will provide, I'll submit a ticket for the bug.