ejabberd and SSL certs

Posted by Mike on 2012.04.1

Recently I managed to take a couple of hours and finish the epic struggle of setting up an XMPP server.

For the most part I look back and wonder what it is that took me so long to get this little project taken care of. It was a relatively easy installation, and I am still exploring its syntax and options.

Something I thought I would share, though, is what I did with the SSL certs to get it to work. One of the things that you might not expect is that ejabberd uses a single SSL cert file.

Why does that matter?

When a client and server perform the SSL samba of love, part of the handshake is the server sending its own cert together with the intermediate CA certs. This is what lets a client take the server cert, use the intermediate CA cert to link it back to the root CA cert the client already has, and so validate that the CA signed the server cert.

If you choose to use a self-signed cert, this process obviously may not be the same.

The quirk here is that I first had to define the SSL Cert file location in the ejabberd.cfg file:

{5222, ejabberd_c2s, [
    %%
    %% If TLS is compiled in and you installed a SSL
    %% certificate, specify the full path to the
    %% file and uncomment this line:
    %%
    {certfile, "/etc/ejabberd/mydomain.pem"}, starttls_required,

    {access, c2s},
    {shaper, c2s_shaper},
    {max_stanza_size, 65536}
]}

There isn’t any other place to define additional certs, including the intermediate certs or the key file. To get them all in, you have to combine the files into that one PEM: the OpenSSL private key, the signed cert from the CA, and the intermediate CA cert from the CA (I like StartCom!).

cat /etc/pki/tls/private/mydomain.key >> /etc/ejabberd/mydomain.pem
cat /etc/pki/tls/certs/mydomain.signed.pem >> /etc/ejabberd/mydomain.pem
cat /etc/pki/tls/certs/intermediate.CA.pem >> /etc/ejabberd/mydomain.pem

Once that is done you simply need to restart the ejabberd service and you should not see any errors.
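As an added example (not from the original post and not part of ejabberd), here is a small POSIX sh helper that builds that combined file the same way but refuses to write it unless the key really belongs to the server cert and the intermediate really signed it, and creates the result unreadable to other users since it now holds the private key. All file paths are placeholders.

```sh
#!/bin/sh
# Assemble the single PEM file ejabberd reads: private key, then the server
# cert, then the intermediate CA cert (the order used in the post). The file
# is only written if the three pieces actually belong together.
# Usage: build_ejabberd_pem KEY LEAF INTERMEDIATE OUT   (paths are placeholders)

build_ejabberd_pem() {
    key=$1 leaf=$2 inter=$3 out=$4

    # 1. The key must be the one behind the server cert: reduce both to the
    #    public key in PEM form and compare.
    leaf_pub=$(openssl x509 -noout -pubkey -in "$leaf") || return 1
    key_pub=$(openssl pkey -pubout -in "$key") || return 1
    if [ "$leaf_pub" != "$key_pub" ]; then
        echo "error: $key is not the private key for $leaf" >&2
        return 1
    fi

    # 2. The intermediate must really have signed the server cert.
    #    -partial_chain (OpenSSL 1.0.2+) lets the intermediate act as the
    #    trust anchor, so no separate root store is needed for this check.
    if ! openssl verify -partial_chain -CAfile "$inter" "$leaf" >/dev/null 2>&1; then
        echo "error: $leaf was not signed by $inter" >&2
        return 1
    fi

    # 3. Concatenate in ejabberd's order. The result contains the private key,
    #    so create it under a restrictive umask and leave it readable only by
    #    owner and group (chown it to the ejabberd user/group as root afterwards).
    (umask 077 && cat "$key" "$leaf" "$inter" > "$out") || return 1
    chmod 0640 "$out"
}

# Summarise a combined file as "<private keys> <certificates>"; a certfile
# built from one key, one server cert and one intermediate reports "1 2".
describe_ejabberd_pem() {
    printf '%s %s\n' "$(grep -c 'BEGIN .*PRIVATE KEY' "$1")" \
                     "$(grep -c 'BEGIN CERTIFICATE' "$1")"
}
```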

I tried to verify the connection using the following openssl command on Fedora 13:

openssl s_client -connect server.mydomain.org:5222 -starttls xmpp

For some reason it doesn’t seem to be able to actually do it (even with the use of -starttls xmpp), so I went with a secondary plan. I launched wireshark and watched the connection to see if it was leaking things like the private key.

It doesn’t appear to.

Still, I wish it wouldn’t require the use of the private key in the same file as the server and intermediate CA certs. It makes me wonder how it handles those things in the background.

Anyways, I hope this helps.

- Mike

Useful pages:

* Installing the StartCom SSL certificate in ejabberd — http://hyperstruct.net/2007/06/20/installing-the-startcom-ssl-certificate-in-ejabberd/
* ejabberd — http://www.process-one.net/en/ejabberd
* StartCom Free SSL Certificate Authority — http://cert.startcom.org/

7 Responses to ejabberd and SSL certs

  1. daniel

    nice article :)

  2. ninjix

    Thanks for posting this howto. You saved me an hour of testing.

  3. Ravindranath Akila

    You do samba? ;-)

  4. Ravindranath Akila

    I might Mike :-)
    Just noticed you had replied. I landed here while Googling my name :D
    Do make a post on Samba! I’ll be sure to ask some questions!

  5. Ravindranath Akila

    I wish I couldn’t get some of those dancing on the first video! Why oh why do they have to just stand upright for such cool music!

  6. Ravindranath Akila

    I’m getting good at my math. Screw spam! This time it is to correct my typing mistake of *couldn’t to *could
