
Client Certificate generation, CRL/OCSP

Dean E
Added over 4 years ago

http://www.tigase.org/content/configuration-sasl-external talks about how to configure Tigase to allow clients to authenticate with certificates. I am looking to set this up but am having trouble with generating client certificates that work for this. Is there a how-to or walkthrough available to generate the proper CA and client certificates so that this works?

Also, two other questions:

  1. How do I force Tigase to require client certificates for XMPP connections?

  2. Will Tigase do CRL or OCSP checking on the client certificates presented?

Thanks,

Dean


Replies (2)


Added by Bartosz Malkowski TigaseTeam over 4 years ago

We don't have any manual for certificates. Try searching for how to make your own CA with openssl.

Other responses:

  1. I understand you want to disable other mechanisms? Use this:
     sess-man/plugins-conf/enabled-mechanisms=EXTERNAL
  2. No.

Added by Dean E over 4 years ago

Good info, thanks.

I have made many certificates and have a test CA already. I tried using this guide http://code.google.com/p/prosody-modules/wiki/mod_client_certs, except signing with my CA rather than self-signing. That didn't work. I was looking for more info on how to set up the XmppAddr attribute of the certificate, as I think that's the part that isn't working.

Also, the Tigase documentation states "Client certificate must include user's Jabber ID as XmppAddr in subjectAltName:". Although the spec says that if there is no JID in the cert, it MAY (if Tigase was written to support it) authenticate using the CN in the certificate if a JID exists that matches the CN:

"c. If the certificate does not contain an XMPP address, then the server MAY attempt to determine if there is a registered account associated with the user, for example by performing an LDAP lookup based on the Common Name or other information presented by the client in the certificate; if such a JID mapping is successful and the mapped JID matches the authorization identity provided, then the server SHOULD allow authentication and authorization of that mapped JID."

(http://xmpp.org/extensions/xep-0178.html#c2s)
