The Adams Residence

Travelouge for a Shiny Distracted Techie
April 1, 2012

ejabberd and SSL certs

Recently I managed to take a couple hours and finish the epic struggle of setting up an XMPP server.

For the most part I look back and I wonder what it is that took me so long to get this little project taken care of. It was a relatively easy installation and something that I am still exploring the syntax and options of.

Something that I thought I would share though is what I did with the SSL certs to get it to work. One of the things that you might not expect is that ejabberd uses a single SSL cert file.

Why does that matter?

When a client and server perform the SSL samba of love, part of the process is the exchange of the server certs and the intermediate CA certs. This is the process that allows a client to look at the server cert, the CA cert that the client should already have, and make the intermediate steps, using the intermediate CA cert, to validate the CA signed the server cert.

If you choose to use a self signed cert this process obviously may not be the same.

The quirk here is that I first had to define the SSL Cert file location in the ejabberd.cfg file:

{5222, ejabberd_c2s, [

%% If TLS is compiled in and you installed a SSL
%% certificate, specify the full path to the
%% file and uncomment this line:
{certfile, "/etc/ejabberd/mydomain.pem"}, starttls_required,

{access, c2s},
{shaper, c2s_shaper},
{max_stanza_size, 65536}

There isn’t any other place to define additional certs, including the intermediate certs or the key file. In order to be able to do this you have to combine the files: the OpenSSL private key, the signed PEM from the CA, and the intermediate CA cert from the CA (I like StartCom!)

cat /etc/pki/tls/private/mydomain.key >> /etc/ejabberd/mydomain.pem
cat /etc/pki/tls/certs/mydomain.signed.pem >> /etc/ejabberd/mydomain.pem
cat /etc/pki/tls/certs/intermidate.CA.pem >> /etc/ejabberd/mydomain.pem

Once that is done you simply need to restart the ejabberd service and you should not see any errors.

I tried to verify the connection using the following openssl command on Fedora 13:

openssl s_client -connect -starttls xmpp

For some reason it doesn’t seem to be able to actually do it (Even with the use of -starttls xmpp) so I went with a secondary plan. I launched wireshark and watched the connection to see if it was leaking things like the private key.

It doesn’t appear too.

Still I wish it wouldn’t require the use of the private key in the same file as the server and intermediate CA certs. It makes me wonder how it handles those things in the background.

Anyways, I hope this helps.

- Mike

Useful pages:

* Installing the StartCom SSL certificate in ejabberd —
* ejabberd —
* StartCom Free SSL Certificate Authority —

7 Comments to “ejabberd and SSL certs”

Leave a Comment

7 − two =

Switch to our desktop site