ejabberd and SSL certs

Posted by Mike on 2012.04.1

Recently I managed to take a couple hours and finish the epic struggle of setting up an XMPP server.

For the most part I look back and I wonder what it is that took me so long to get this little project taken care of. It was a relatively easy installation and something that I am still exploring the syntax and options of.

Something that I thought I would share though is what I did with the SSL certs to get it to work. One of the things that you might not expect is that ejabberd uses a single SSL cert file.

Why does that matter?

When a client and server perform the SSL samba of love, part of the process is the exchange of the server certs and the intermediate CA certs. This is the process that allows a client to look at the server cert, the CA cert that the client should already have, and make the intermediate steps, using the intermediate CA cert, to validate the CA signed the server cert.

If you choose to use a self signed cert this process obviously may not be the same.

The quirk here is that I first had to define the SSL Cert file location in the ejabberd.cfg file:

{5222, ejabberd_c2s, [

%% If TLS is compiled in and you installed a SSL
%% certificate, specify the full path to the
%% file and uncomment this line:
{certfile, "/etc/ejabberd/mydomain.pem"}, starttls_required,

{access, c2s},
{shaper, c2s_shaper},
{max_stanza_size, 65536}

There isn’t any other place to define additional certs, including the intermediate certs or the key file. In order to be able to do this you have to combine the files: the OpenSSL private key, the signed PEM from the CA, and the intermediate CA cert from the CA (I like StartCom!)

cat /etc/pki/tls/private/mydomain.key >> /etc/ejabberd/mydomain.pem
cat /etc/pki/tls/certs/mydomain.signed.pem >> /etc/ejabberd/mydomain.pem
cat /etc/pki/tls/certs/intermidate.CA.pem >> /etc/ejabberd/mydomain.pem

Once that is done you simply need to restart the ejabberd service and you should not see any errors.

I tried to verify the connection using the following openssl command on Fedora 13:

openssl s_client -connect server.mydomain.org:5222 -starttls xmpp

For some reason it doesn’t seem to be able to actually do it (Even with the use of -starttls xmpp) so I went with a secondary plan. I launched wireshark and watched the connection to see if it was leaking things like the private key.

It doesn’t appear too.

Still I wish it wouldn’t require the use of the private key in the same file as the server and intermediate CA certs. It makes me wonder how it handles those things in the background.

Anyways, I hope this helps.

- Mike

Useful pages:

* Installing the StartCom SSL certificate in ejabberd — http://hyperstruct.net/2007/06/20/installing-the-startcom-ssl-certificate-in-ejabberd/
* ejabberd — http://www.process-one.net/en/ejabberd
* StartCom Free SSL Certificate Authority — http://cert.startcom.org/

7 Responses to ejabberd and SSL certs

  1. daniel

    nice article :)

  2. ninjix

    Thanks for posting this howto. You saved me an hour of testing.

  3. Ravindranath Akila

    You do samba? ;-)

  4. Ravindranath Akila

    I might Mike :-)
    Just noticed you had replied. I landed here while Googling my name :D
    Do make a post on Samba! I’ll be sure to ask some questions!

  5. Ravindranath Akila

    I wish I couldn’t get some of those dancing on the first video! Why oh why do they have to just stand upright for such cool music!

  6. Ravindranath Akila

    I’m getting good at my math. Screw spam! This time it is to correct my tiping mistake of *couldn’t to *could

Leave a Reply

Your email address will not be published. Required fields are marked *


four + 1 =

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Speaking at UTOSC 2012 Member of The Internet Defense League