Installing self-signed certs for security in HTTP-bind

I have ejabberd 2.1.0 running and use Jwchat as the client (using HTTP-bind with mod_http_fileserver enabled). Can someone please tell me how to include self-signed certificates on the server?

I tried including the default certificate from ejabberd, but the browser was not prompted for the certificate, nor do I see the messages getting encrypted. The configuration with the default certificate I used is:

   .....
   {5280, ejabberd_http, [
                         {request_handlers, [
                                             {["web"], mod_http_fileserver}
                         ]},
                         http_bind,
                         web_admin,
                         starttls,
                         {certfile, "/ejabberd/conf/server.pem"}
                        ]}
   ....

Thanks!

For HTTPS use option tls

The Guide says:

ejabberd_http
    Handles incoming HTTP connections.
    Options: captcha, certfile, http_bind, http_poll, request_handlers, tls, web_admin

And also shows an example:

  {{5281, "127.0.0.1"}, ejabberd_http, [
                                        web_admin,
                                        tls, {certfile, "/etc/ejabberd/server.pem"}
                                       ]}

So, tls is for old 5223 SSL and for HTTPS. starttls is for the new XMPP STARTTLS.
Try to put tls instead of starttls.

Unfortunately, the guide doesn't mention "and for HTTPS". Once you try and confirm here that tls option is the good one, I'll make sure that sentence is added in the Guide.
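An added check for the mix-up described above (this is not ejabberd code and not from any post in the thread): it parses the `listen` section of an ejabberd 2.x config and flags an `ejabberd_http` listener that carries `starttls` instead of `tls`, then confirms that the file named by `certfile` contains both a private-key block and a certificate block, which is how ejabberd expects that single file to be laid out. The parser covers only the subset of Erlang term syntax ejabberd.cfg uses, and the sample config and PEM texts are constructed (markers only, no real key material).

```python
"""Lint an ejabberd 2.x 'listen' section for the starttls/tls mix-up.

Added example; not ejabberd code. Parses the Erlang-term subset used by
ejabberd.cfg (integers, atoms, strings, tuples, lists, '.'-terminated terms)
and checks every ejabberd_http listener. PEM texts are passed in as strings
so the script runs offline.
"""
import re

TOKEN_RE = re.compile(r'\s+|%[^\n]*|"(?:[^"\\]|\\.)*"|\d+|[a-z][A-Za-z0-9_]*|[{}\[\],.]')


class Atom(str):
    """An Erlang atom; subclassing str lets '"tls" in opts' work naturally."""


def tokenize(text):
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos, tok = m.end(), m.group(0)
        if not tok.isspace() and not tok.startswith("%"):   # drop blanks and comments
            tokens.append(tok)
    return tokens


def _parse(tokens, i):
    tok = tokens[i]
    if tok == "{":
        items, i = _parse_seq(tokens, i + 1, "}")
        return tuple(items), i
    if tok == "[":
        return _parse_seq(tokens, i + 1, "]")
    if tok.startswith('"'):
        return tok[1:-1], i + 1
    if tok.isdigit():
        return int(tok), i + 1
    if tok in ("}", "]", ",", "."):
        raise ValueError(f"unexpected {tok!r}")
    return Atom(tok), i + 1


def _parse_seq(tokens, i, closer):
    # Comma-separated items up to closer; a trailing comma is rejected, as Erlang does.
    items = []
    while tokens[i] != closer:
        item, i = _parse(tokens, i)
        items.append(item)
        if tokens[i] == ",":
            i += 1
            if tokens[i] == closer:
                raise ValueError(f"trailing ',' before {closer!r}")
        elif tokens[i] != closer:
            raise ValueError(f"expected ',' or {closer!r}, got {tokens[i]!r}")
    return items, i + 1


def parse_terms(text):
    """Parse 'Term. Term. ...' and return the list of top-level terms."""
    tokens, terms, i = tokenize(text), [], 0
    while i < len(tokens):
        term, i = _parse(tokens, i)
        if i >= len(tokens) or tokens[i] != ".":
            raise ValueError("term not terminated by '.'")
        terms.append(term)
        i += 1
    return terms


def lint_http_listeners(config_text, pem_files):
    """Return [(port, finding), ...] for every ejabberd_http listener.
    pem_files maps a certfile path to its text; ejabberd reads the private key
    and the certificate from that one file, so both blocks must be present."""
    findings = []
    for term in parse_terms(config_text):
        if not (isinstance(term, tuple) and term[0] == "listen"):
            continue
        for port, module, opts in term[1]:
            if module != "ejabberd_http":
                continue
            certfile = next((o[1] for o in opts
                             if isinstance(o, tuple) and o[0] == "certfile"), None)
            if "starttls" in opts:
                findings.append((port, "starttls is a c2s option; ejabberd_http needs tls"))
            if "tls" not in opts:
                findings.append((port, "no tls option: BOSH traffic stays plaintext"))
            elif certfile is None:
                findings.append((port, "tls set but no certfile"))
            else:
                pem = pem_files.get(certfile, "")
                if "-----BEGIN CERTIFICATE-----" not in pem:
                    findings.append((port, f"{certfile}: no CERTIFICATE block"))
                if "PRIVATE KEY-----" not in pem:
                    findings.append((port, f"{certfile}: no private key block"))
    return findings


# Constructed sample: the thread's first attempt (starttls on an HTTP listener)
# next to a corrected listener using tls.
SAMPLE_CONFIG = """
{listen, [
  {5280, ejabberd_http, [
     {request_handlers, [{["web"], mod_http_fileserver}]},
     http_bind, web_admin,
     starttls, {certfile, "/ejabberd/conf/server.pem"}
  ]},
  {5281, ejabberd_http, [
     {request_handlers, [{["jwchat"], mod_http_fileserver}]},
     tls, {certfile, "/etc/ejabberd/ssl.pem"},
     http_bind
  ]}
]}.
"""

# Constructed placeholder PEM texts: markers only, no real key or certificate.
SAMPLE_PEMS = {
    "/ejabberd/conf/server.pem": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "/etc/ejabberd/ssl.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"
                             "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for port, finding in lint_http_listeners(SAMPLE_CONFIG, SAMPLE_PEMS):
        print(f"port {port}: {finding}")
```

Run against the sample, the 5280 listener is reported twice (starttls present, tls absent) and the 5281 listener passes; the parser also rejects the trailing comma that the Guide excerpt above originally carried, since Erlang would not load such a file.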

I get this in the log:

=INFO REPORT==== 21-Dec-2009::17:21:28 ===
I(<0.540.0>:ejabberd_listener:229) : 
(#Port<0.3921>) Accepted connection {{127,0,0,1},58383} -> {{127,0,0,1},5282}

=INFO REPORT==== 21-Dec-2009::17:21:28 ===
I(<0.541.0>:ejabberd_http:137) : 
started: {tls, {tlssock,#Port<0.3921>, #Port<0.3928>}}

=INFO REPORT==== 21-Dec-2009::17:21:29 ===
I(<0.543.0>:ejabberd_c2s:702) : 
({socket_state,ejabberd_http_bind,{http_bind,<0.542.0>,{{127,0,0,1},58383}},ejabberd_http_bind})
Accepted authentication for badlop by ejabberd_auth_internal

=INFO REPORT==== 21-Dec-2009::17:21:29 ===
I(<0.543.0>:ejabberd_c2s:816) : 
({socket_state,ejabberd_http_bind,{http_bind,<0.542.0>,
{{127,0,0,1},58383}},ejabberd_http_bind}) 
Opened session for badlop@localhost/jwchat

Thanks badlop for the

Thanks badlop for the suggestion. I changed starttls to tls and now my configuration is:

   .....
   {5284, ejabberd_http, [
                         {request_handlers, [
                                             {["web"], mod_http_fileserver}
                         ]},
                         http_bind,
                         web_admin,
                         tls,
                         {certfile, "/ejabberd/conf/server.pem"}
                        ]}
   ....

When I connect to the server, I am prompted for a certificate (not sure why). In IE6 the dialog box says "Choose a digital certificate. The web site you want to view requests identification. ....." When I click "cancel", IE pops up a warning that the certificate may not be trusted and when I click OK it takes me to the Jwchat login page. After I try to login, it pops up the window but my contacts are missing. The log is posted below.

Questions:
----------
1. Upon connection why does the server ask for a certificate file?
2. Is a new certificate file required on the server? I tried replacing server.pem with a self-signed cert that was signed by a CA that I created myself (for testing), but that did not help either.
3. Why doesn't the contact list get populated?
4. Is the TLS handshake for ejabberd documented anywhere?

Thanks much!

=INFO REPORT==== 2009-12-21 14:44:05 ===
I(<0.377.0>:ejabberd_listener:229) : (#Port<0.496>) Accepted connection {{10,24,160,103},3257} -> {{10,23,16,30},5284}

=INFO REPORT==== 2009-12-21 14:44:05 ===
I(<0.273.0>:ejabberd_http:131) : started: {tls,
{tlssock,#Port<0.496>,
#Port<0.497>}}

=INFO REPORT==== 2009-12-21 14:44:05 ===
I(<0.377.0>:ejabberd_listener:229) : (#Port<0.502>) Accepted connection {{10,24,160,103},3260} -> {{10,23,16,30},5284}

=INFO REPORT==== 2009-12-21 14:44:05 ===
I(<0.273.0>:ejabberd_http:131) : started: {tls,
{tlssock,#Port<0.502>,
#Port<0.503>}}

=INFO REPORT==== 2009-12-21 14:44:06 ===
I(<0.403.0>:ejabberd_c2s:703) : ({socket_state,ejabberd_http_bind,{http_bind,<0.402.0>,{{10,24,160,103},3256}},ejabberd_http_bind}) Accepted authentication for pavel by ejabberd_auth_internal

=ERROR REPORT==== 2009-12-21 14:45:06 ===
W(<0.402.0>:ejabberd_http_bind:486) : Session timeout. Closing the HTTP bind session: "91781505bb407f681cee53883b025efc8254665f"
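A small log reader, added here as an example and not part of ejabberd or of any post, that turns the excerpt above into a timeline: it confirms from the `started: {tls, ...}` record that the listener really negotiated TLS, extracts the login, and measures how long the HTTP-bind session sat idle before the "Session timeout" message (that message is what ejabberd_http_bind logs when no further BOSH request arrives within its inactivity limit). The log text is the one posted above; pairing the login with the timeout through the `http_bind` process id is this script's own heuristic.

```python
"""Timeline of a BOSH session from an ejabberd 2.x log excerpt.

Added example, not ejabberd code. Records are '=LEVEL REPORT==== time ==='
headers followed by an 'I(<pid>:module:line) : message' body that may wrap.
"""
import re
from datetime import datetime

HEADER_RE = re.compile(r"^=(\w+) REPORT==== (.+?) ===$")
LINE_RE = re.compile(r"^[IWE]\(<([\d.]+)>:(\w+):\d+\) :\s*(.*)$")
CONN_RE = re.compile(r"Accepted connection \{\{([\d,]+)\},\d+\} -> \{\{[\d,]+\},(\d+)\}")
START_RE = re.compile(r"started: \{(\w+),")
AUTH_RE = re.compile(r"http_bind,<([\d.]+)>.*?Accepted authentication for (\S+) by")
TIMEOUT_RE = re.compile(r'Session timeout\. Closing the HTTP bind session: "(\w+)"')
TIME_FORMATS = ("%Y-%m-%d %H:%M:%S", "%d-%b-%Y::%H:%M:%S")   # both forms appear in the thread


def parse_time(text):
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp {text!r}")


def parse_records(log_text):
    """Return (level, time, pid, module, message) per report."""
    records, header, body = [], None, []

    def flush():
        if header is not None:
            text = " ".join(ln.strip() for ln in body if ln.strip())   # re-join wrapped body
            m = LINE_RE.match(text)
            if m:
                records.append((header[0], parse_time(header[1]), *m.groups()))

    for line in log_text.splitlines():
        h = HEADER_RE.match(line.strip())
        if h:
            flush()
            header, body = h.groups(), []
        else:
            body.append(line)
    flush()
    return records


def analyse(records):
    """Summarise transport, accepted connections, logins and idle-timeout gaps."""
    summary = {"transport": None, "connections": [], "logins": {}, "timeouts": []}
    login_by_bind_pid = {}                     # http_bind pid -> (user, login time)
    for level, when, pid, module, msg in records:
        m = CONN_RE.search(msg)
        if m:
            summary["connections"].append((m.group(1).replace(",", "."), int(m.group(2))))
        m = START_RE.search(msg)
        if module == "ejabberd_http" and m:
            summary["transport"] = m.group(1)  # 'tls' means HTTPS was negotiated
        m = AUTH_RE.search(msg)
        if m:
            login_by_bind_pid[m.group(1)] = (m.group(2), when)
            summary["logins"][m.group(2)] = when
        m = TIMEOUT_RE.search(msg)
        if m and pid in login_by_bind_pid:     # timeout logged by the same http_bind process
            user, t0 = login_by_bind_pid[pid]
            summary["timeouts"].append((user, m.group(1), int((when - t0).total_seconds())))
    return summary


def verdict(summary):
    if summary["transport"] != "tls":
        return "the listener did not negotiate TLS; check the tls and certfile options"
    if summary["timeouts"]:
        user, sid, gap = summary["timeouts"][0]
        return (f"{user} authenticated over TLS, then no further BOSH request reached "
                f"the server for {gap}s and session {sid} was closed")
    return "TLS negotiated and no session timeout seen"


# Log excerpt as posted in the thread (wrapped lines kept as they appeared).
SAMPLE_LOG = """
=INFO REPORT==== 2009-12-21 14:44:05 ===
I(<0.377.0>:ejabberd_listener:229) : (#Port<0.496>) Accepted connection {{10,24,160,103},3257} -> {{10,23,16,30},5284}

=INFO REPORT==== 2009-12-21 14:44:05 ===
I(<0.273.0>:ejabberd_http:131) : started: {tls,
{tlssock,#Port<0.496>,
#Port<0.497>}}

=INFO REPORT==== 2009-12-21 14:44:06 ===
I(<0.403.0>:ejabberd_c2s:703) : ({socket_state,ejabberd_http_bind,{http_bind,<0.402.0>,{{10,24,160,103},3256}},ejabberd_http_bind}) Accepted authentication for pavel by ejabberd_auth_internal

=ERROR REPORT==== 2009-12-21 14:45:06 ===
W(<0.402.0>:ejabberd_http_bind:486) : Session timeout. Closing the HTTP bind session: "91781505bb407f681cee53883b025efc8254665f"
"""

if __name__ == "__main__":
    print(verdict(analyse(parse_records(SAMPLE_LOG))))
```

On this excerpt the script reports that TLS was negotiated, that `pavel` authenticated, and that the session was closed 60 s after login with nothing else logged in between, which points at the client side (the browser's BOSH requests after login) rather than at authentication or at the certificate.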

Try Firefox. Otherwise review jwchat+ejabberd config.

Quote:

When I connect to the server, I am prompted for a certificate (not sure why). In IE6

I tried this with Firefox 3.5. You can check if the browser is an important factor.

Quote:

After I try to login, it pops up the window but my contacts are missing.

Oh. When I had configuration problems (in jwchat or in ejabberd), I saw that, and also received a window "Service unavailable".

Quote:

1. Upon connection why does the server ask for a certificate file?

No idea.

Quote:

2. Is a new certificate file required on the server?

No. I have the same certfile... both in 5222 and 5280.

Quote:

3. Why doesn't the contact list get populated?

Because Jwchat or ejabberd found some problem.

Quote:

4. Is the TLS handshake for ejabberd documented anywhere?

It should use the standard one.

Thanks! I tried FireFox (3.5)

Thanks!

I tried FireFox (3.5) as well as Chrome (3.0), and all browsers are requesting a certificate from the client, which leads me to believe that it is not a browser issue. I am not sure it makes sense for ejabberd to request a certificate from the client for an HTTPS connection. Any idea whether running mod_http_fileserver along with HTTPS could be causing this issue - can you test your configuration with mod_http_fileserver enabled?

On the certificate file, is your cert file (on port 5222 or 5280) the default certfile server.pem that comes with the ejabberd installation, or have you created a new one?

On the contacts not getting populated, that happens only with HTTPS enabled and not with regular HTTP. Comparing the log file that you posted with mine, I see that the last line in my ejabberd.log shows "Session timeout. Closing the HTTP bind session" - when/why does ejabberd time out a connection?

Any other suggestions/configurations that I should be trying will be much appreciated.

Browser shouldn't request client cert

Quote:

Any other suggestions/configurations that I should be trying will be much appreciated.

I have this configuration:

{listen, [
  {5222, ejabberd_c2s, [
                        starttls, {certfile, "/etc/ejabberd/ssl.pem"},
                        {access, c2s},
                        {shaper, c2s_shaper},
                        {max_stanza_size, 65536}
                       ]},
  ...
  {5280, ejabberd_http, [
                         {request_handlers, [
                           {["jwchat"], mod_http_fileserver}
                         ]},
                         tls, {certfile, "/etc/ejabberd/ssl.pem"},
                         http_bind
                        ]}
]}.

{modules, [
  {mod_http_bind, []},
  {mod_http_fileserver, [ {docroot, "/home/ejabberd/www/jwchat"} ]},
  ...
]}.

And the URL is: https://localhost:5280/jwchat/index.html

Quote:

Any idea whether running mod_http_fileserver along with HTTPS could be causing this issue - can you test your configuration with mod_http_fileserver enabled?

That's the HTTP server I use.

Quote:

On the certificate file, is your cert file (on port 5222 or 5280) the default certfile server.pem that comes with the ejabberd installation, or have you created a new one?

I use the same cert on both ports. I created it self-signed some time ago, or maybe it was just the self-signed created some time ago by the binary installer, or by the Debian ejabberd package.

Quote:

I tried FireFox (3.5) as well as Chrome (3.0) and all browsers are requesting a certificate from the client

Strange, in my case they don't request anything.
