| | 1 | Openfire is the only open source XMPP server (that I know of) that supports |
| | 2 | client-side certificate authentication. This will explain how to setup |
| | 3 | Openfire and Pidgin to using client-side certificate authentication. |
| | 4 | |
| | 5 | |
| | 6 | = Create Certificates = |
| | 7 | |
| | 8 | 1. You will need to create a test certificate authority. A number of web sites have how-tos on creating a certificate authority for testing. |
| | 9 | |
| | 10 | * Using a nice GUI interface: |
| | 11 | http://www.gria.org/documentation/5.3/how-tos/certificate-authority-signing-information |
| | 12 | |
| | 13 | * Using the OpenSSL CA tools: |
| | 14 | http://www.debian-administration.org/articles/618 |
| | 15 | |
| | 16 | Create a certificate/key pair for each user. |
| | 17 | |
| | 18 | ** The certificate's COMMON NAME must match the XMPP login name ** |
| | 19 | |
| | 20 | |
| | 21 | 2. Create a PKCS12 file containing the certificate/key pair. The files need to be in PEM (text) format for openssl and not DER (binary). |
| | 22 | |
| | 23 | * To convert a certificate to PEM format: |
| | 24 | openssl x509 -inform der -in DER_CERT_FILE -outform pem PEM_CERT_FILE |
| | 25 | |
| | 26 | * To convert a key to PEM format: |
| | 27 | openssl pkey -inform der -in DER_KEY_FILE -outform pem PEM_KEY_FILE |
| | 28 | |
| | 29 | * To create the PKCS12 file: |
| | 30 | openssl pkcs12 -export -inkey KEYFILE -in CERTFILE -out USER.p12 -name USER |
| | 31 | |
| | 32 | |
| | 33 | = Setting Up Openfire = |
| | 34 | |
| | 35 | 1. Download, install, and setup Openfire: |
| | 36 | http://www.igniterealtime.org/projects/openfire/index.jsp |
| | 37 | http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/install-guide.html |
| | 38 | |
| | 39 | 2. Openfire maintains several key stores in /etc/openfire/security. We are interested in client.truststore which contains the certificates trusted to authenticate users. We can place a certificate authority certificate in the key store and any certificates signed by the authority will be accepted for login to the server. |
| | 40 | |
| | 41 | To add a certificate: |
| | 42 | keytool -importcert -keystore /etc/openfire/security/client.truststore -alias NAME -file CERTFILE |
| | 43 | |
| | 44 | The default password is "changeit" |
| | 45 | |
| | 46 | Be sure to say yes to "Trust this certificate?". |
| | 47 | |
| | 48 | 3. Login to you Openfire server on http://server:9090 and go to Server->Server Manager->System Properties. Ensure the following properties exist and are set: |
| | 49 | |
| | 50 | ||= Property =||= Value =|| |
| | 51 | || xmpp.client.cert.policy || "needed" or "wanted" || |
| | 52 | || xmpp.client.certificate.accept-selfsigned || true || |
| | 53 | || xmpp.client.certificate.verify || true || |
| | 54 | || xmpp.client.certificate.verify.chain || true || |
| | 55 | || xmpp.client.certificate.verify.root || true || |
| | 56 | || sasl.mechs || EXTERNAL (plus whatever else) || |
| | 57 | |
| | 58 | More properties can be found here: |
| | 59 | http://community.igniterealtime.org/thread/45670 |
| | 60 | http://community.igniterealtime.org/thread/37967 |
| | 61 | |
| | 62 | 4. Add a user with the same username as the common name of the certificate you created above in Users/Groups->Users->Create New User. |
| | 63 | |
| | 64 | = Build Pidgin with Client Certificate Authentication = |
| | 65 | |
| | 66 | 1. Pull the im.pidgin.cpw.ljfisher.ssl_client_auth branch from the pidgin monotone repository. |
| | 67 | |
| | 68 | 2. Ensure the following prerequisites are installed: |
| | 69 | * gnutls 2.10 + Older versions will work but exporting certificates and keys will fail |
| | 70 | * Cyrus SASL |
| | 71 | |
| | 72 | 3. Configure Pidgin with these options: |
| | 73 | ./configure --enable-cyrus-sasl --enable-gnutls=yes |
| | 74 | |
| | 75 | 4. Build and install Pidgin: |
| | 76 | make install |
| | 77 | |
| | 78 | = Configure Pidgin = |
| | 79 | |
| | 80 | 1. Open Tools -> Certificates -> Your Certificatesw. Select Add. Select the PKCS12 file, USER.p12, created above. Enter a passwords and name. |
| | 81 | |
| | 82 | 2. Create a XMPP (Jabber) account. |
| | 83 | |
| | 84 | On the Basic tab: |
| | 85 | a. Enter a username same as the commone name in the certificate |
| | 86 | |
| | 87 | On the Advanced tab: |
| | 88 | a. Select Connection Security: Use old-sylte SSL |
| | 89 | b. Select Login certificate: the cert you added above |
| | 90 | c. Change connection port to 5223. |
| | 91 | |
| | 92 | Openfire doesn't seem to play well with client authentication using starttls so we use regular SSL which uses port 5223. |
| | 93 | |
| | 94 | 3. Enable the account and it should login. |
| | 95 | |
| | 96 | |
| | 97 | = Troubleshooting = |
| | 98 | |
| | 99 | == You get SSL Handshake failed messages == |
| | 100 | |
| | 101 | a. Check that /etc/openfire/security/client.truststore is readable by openfire user. |
| | 102 | b. Check that the certificate authority's certificate has been added to /etc/openfire/security/client.truststore and has been trusted: |
| | 103 | keytool -list -keystore /etc/openfire/security/client.truststore |
| | 104 | c. Check that the user name matches the common name of the login certificate. |
| | 105 | |
| | 106 | == You get a password dialog when trying to login even though you selected a login certificate == |
| | 107 | |
| | 108 | a. Check that EXTERNAL has been added to the sasl.mechs Openfire server property. |
| | 109 | b. Check that the user name matches the common name of the login certificate. |
| | 110 | c. Check that there is an account for the user on the Openfire server |
| | 111 | |
| | 112 | |
| | 113 | == Bug Reports == |
| | 114 | |
| | 115 | If you cannot resolve the issue send a capture of the Pidgin debug output by running Pidgin with debug and GNUTLS debug enabled: |
| | 116 | PURPLE_GNUTLS_DEBUG=9 pidgin -d > pidgin.dbg |
| | 117 | |
| | 118 | And capture the login using Wireshark and send a pcap. |
