Tigase BOSH Secure Connections

Prashanth Raghu
Added about 4 years ago

Hi,

I am trying to create a secure connection to Tigase by using the following configuration in my init.properties:

bosh/connections/ports[i]=5280, 5281

bosh/connections/5281/socket[S]=ssl

bosh/connections/5281/type[S]=accept

Is there any further information required in the configuration?

Regards,

Prashanth


Replies (21)

Added by Khaleel Shaik about 4 years ago

Hi,

I am also looking for the same. Is this configuration enough?

bosh/connections/ports=5280, 5281

bosh/connections/5281/socket=ssl

bosh/connections/5281/type=accept

Regards,

Khaleel

Added by Wojciech Kapcia TigaseTeam about 4 years ago

Yes, this is enough.

Added by Khaleel Shaik about 4 years ago

Hi Wojciech,

Do we need to have the [i] and [S] at the end of the property names?

bosh/connections/ports[i]=5280, 5281

or

bosh/connections/ports=5280, 5281

Regards

Khaleel

Added by Prashanth Raghu about 4 years ago

Hi,

@Khaleel: [s], [i] and [b] imply string, integer and boolean types of data.

@Wojciech: I did try to connect to the server using Strophe.js as the client side javascript library.

I have attached the following for better understanding of my configuration and logs:

  1. Screenshot of the error from the browser while attempting connection.

  2. tigase-console.log

  3. etc/init.properties

  4. tigase.log.0

Regards,

Prashanth

Added by Wojciech Kapcia TigaseTeam about 4 years ago

The main question is - where do you place your certificate? For the XMPP legacy socket connection and SSL BOSH you need to place it in certs/default.pem. From the provided logs it looks like you are using only this file.

Can you verify that the correct certificate is being served by Tigase?

openssl s_client -connect localhost:5280

Added by Prashanth Raghu about 4 years ago

Hi Wojciech,

I have verified the following ssl handshake.

I am still getting the same error as before. Should I also add the certificate into the trusted certificates list in my browser ?

Attached is the screenshot of the same.

Regards,

Prashanth

Added by Wojciech Kapcia TigaseTeam about 4 years ago

Basically you are using a self-signed certificate, therefore there is a warning in the browser - you can either add it to the trusted list or obtain a certificate from a trusted CA.

Added by Prashanth Raghu about 4 years ago

Thanks a lot Wojciech.

Works perfectly :)

Added by Khaleel Shaik about 4 years ago

Hi Wojciech Kapcia,

I have a similar issue. When I try to do the

[ec2-user@ip-10-146-138-237 certs]$ openssl s_client -connect chat.my-doc.com:5281
CONNECTED(00000003)
140103216277320:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 247 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

When I checked the certificates in the certs folder, there are already Tigase server created PEM files. Why am I not able to make the handshake?

[ec2-user@ip-10-146-138-237 certs]$ ls

54.251.87.63.pem 54.255.71.55.pem chat.my-doc.com.pem rsa-keystore truststore

Any suggestion is helpful. How can I generate a new certificate from Tigase server to my domain name chat.my-doc.com ?

Regards

Khaleel

Added by Khaleel Shaik about 4 years ago

Hi, when I do the below command I can see the CA certificate properly. But the port is 443. Do I need to set my BOSH SSL port to 443 instead of 5281?

[ec2-user@ip-10-146-138-237 certs]$ openssl s_client -tls1 -connect chat.my-doc.com:443
CONNECTED(00000003)
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.my-doc.com
verify return:1

Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.my-doc.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority

Server certificate
-----BEGIN CERTIFICATE-----
MIIFHTCCBAWgAwIBAgIHBHsWbM77qTANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UE
BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY
BgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMS0wKwYDVQQLEyRodHRwOi8vY2VydHMu
jC30bymnByOPbeOKOayT39VKTU+0dSBMw/FGFON8mzkGIMqGWaKS5FEj4RAsAQ1
I0rY1E9aXjg4YNxhO24z6OXsdRgUKDH16+vM4dnTdNlHN50qlbdwQOi3PEQbq086
W410XCD+2psLCdCSH9AY6Fk+8MB8JiLWJaWEgJ+1zIYlot9NlydOFsjtluxb18C4
jp7Cy1vvlcmiCu/KwKh+Ll4ExL+SmsiUGahNxqekJmoCpyt7XgCj3ioc4ODzd9pR
VE9wo6ZmvpEV2AWqkMsmX6A=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.my-doc.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5404 bytes and written 289 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 98870E2AE5ED5786738A33AF4EF98ACD30345D645BD7D36A1593B89231213BB8
    Session-ID-ctx:
    Master-Key: 408D64E94E6F568AF3BW2342342K3J42L3J425F82BD96E6587228205483SDFADFASDFASAAAAAA
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - ee 73 b0 6e f7 e9 5b 28-2c 74 a3 2e 8f 8b 2a 3a   .s.n..[(,t....*:
    0010 - 07 19 40 79 8f 7e a7 18-86 7f 1f 24 ff a3 9c 7b   ..@..~.....$...{
    0020 - 94 4e 1a td bf a9 e1 82-e2 ff b8 5b 6c 5c f9 43   .N.........[l\.C
    0090 - ab 33 62 ca a0 92 88 4d-09 02 10 09 fa 4d 3e 36   .3b....M.....M>6

    Start Time: 1414519873
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

Any clues please.

Regards

Khaleel
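The two s_client transcripts in this thread show the two outcomes a defender needs to tell apart: a port that accepts the TCP connection but never presents a certificate (5281 above), and a port that serves a full, CA-signed chain (443, which turns out to be a different service). The following is an added example, not code from Tigase or from the posters: a small Python 3 triage helper that parses `openssl s_client` text output into a verdict. The sample outputs are copied from the posts above and trimmed; the function and field names are the example's own, and the hostname matching follows the usual one-label wildcard rule, which is an assumption about how the expected name should be compared rather than anything stated in the thread.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class TlsProbe:
    connected: bool             # TCP connect succeeded: "CONNECTED(...)" present
    peer_cert: bool             # server sent a certificate (PEM block present)
    subject: Optional[str]      # "subject=" line, if any
    issuer: Optional[str]       # "issuer=" line, if any
    cipher: Optional[str]       # negotiated cipher, None for "Cipher is (NONE)"
    verify_code: Optional[int]  # "Verify return code: N"
    chain_len: int              # entries listed under "Certificate chain"


def parse_s_client(output: str) -> TlsProbe:
    """Pull the handshake facts out of s_client's text output."""
    def first(pattern: str) -> Optional[str]:
        m = re.search(pattern, output, re.M)
        return m.group(1).strip() if m else None

    cipher = first(r"^New, .*?Cipher is (.+)$")
    code = first(r"Verify return code: (\d+)")
    return TlsProbe(
        connected="CONNECTED(" in output,
        peer_cert="-----BEGIN CERTIFICATE-----" in output,
        subject=first(r"^subject=(.+)$"),
        issuer=first(r"^issuer=(.+)$"),
        cipher=None if cipher == "(NONE)" else cipher,
        verify_code=int(code) if code is not None else None,
        chain_len=len(re.findall(r"^\s*\d+ s:", output, re.M)),
    )


def cn_of(subject: Optional[str]) -> Optional[str]:
    """CN component of an OpenSSL-style '/C=US/.../CN=name' subject."""
    m = re.search(r"/CN=([^/]+)", subject or "")
    return m.group(1).strip() if m else None


def hostname_matches(hostname: str, pattern: str) -> bool:
    """One-label wildcard match (assumed rule): *.my-doc.com matches
    chat.my-doc.com but neither my-doc.com nor a.b.my-doc.com."""
    hostname, pattern = hostname.lower(), pattern.lower()
    if not pattern.startswith("*."):
        return hostname == pattern
    suffix = pattern[1:]                       # ".my-doc.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def diagnose(probe: TlsProbe, expected_host: str) -> str:
    """Map a probe onto the failure classes seen in this thread."""
    if not probe.connected:
        return "refused: nothing is listening on that port (ports list? server up?)"
    if not probe.peer_cert:
        return ("open but no certificate: the port answered without speaking TLS "
                "(listener not socket=ssl, or its certificate failed to load)")
    cn = cn_of(probe.subject)
    if cn is None or not hostname_matches(expected_host, cn):
        return f"wrong certificate: served CN {cn!r}, expected {expected_host}"
    if probe.verify_code != 0:
        return f"served but untrusted locally (verify return code {probe.verify_code})"
    return f"ok: {cn} via {probe.cipher}, chain of {probe.chain_len}"


# Sample transcripts copied from the posts above (trimmed; the PEM body is cut).
FAIL_5281 = """\
CONNECTED(00000003)
140103216277320:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 247 bytes
New, (NONE), Cipher is (NONE)
"""

OK_443 = """\
CONNECTED(00000003)
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.my-doc.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
 2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
-----BEGIN CERTIFICATE-----
MIIFHTCCBAWgAwIBAgIHBHsWbM77qTANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UE
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.my-doc.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
"""

REFUSED = "socket: Connection refused\nconnect:errno=111\n"
```

Feeding `diagnose(parse_s_client(FAIL_5281), "chat.my-doc.com")` gives the "open but no certificate" verdict, which is the state Khaleel was in on 5281; the 443 transcript yields an "ok" verdict for the wildcard certificate, and the connection-refused transcript yields "refused". A self-signed Tigase default.pem would show up as "served but untrusted locally" with a non-zero verify code, which is the expected state before the certificate is added to the client's trust store.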

Added by Wojciech Kapcia TigaseTeam about 4 years ago

Khaleel Shaik wrote:

Hi, when I do the below command I can see the CA certificate properly. But the port is 443. Do I need to set my BOSH SSL port to 443 instead of 5281?

If you configured Tigase to listen for SSL BOSH connections on 5281 then you have to connect to this port. If you tried 443 then you connected to something different.

Added by Khaleel Shaik about 4 years ago

Hi,

Thanks for the reply.

I have configured below three parameters in init properties file

bosh/connections/ports=5280, 5281

bosh/connections/5281/socket=ssl

bosh/connections/5281/type=accept

but the response when I try to connect from the client over BOSH is a handshake failure.

And even the openssl s_client command says no certificates found. I have copied the CA certificate into the certs folder.

Why is this certificate not being used by BOSH to enable SSL connectivity?

How can I generate a new self-signed certificate by the Tigase server itself, so that I can replace the certificate with the new one?

Regards

Khaleel

Added by Wojciech Kapcia TigaseTeam about 4 years ago

Khaleel Shaik wrote:

Why is this certificate not being used by BOSH to enable SSL connectivity?

Where have you copied the certificate? What is the filename? Are there any exceptions in the logs (logs/tigase-console.log) when loading the certificate?

How can I generate a new self-signed certificate by the Tigase server itself, so that I can replace the certificate with the new one?

Tigase should generate a self-signed certificate on its own.

Added by Khaleel Shaik about 4 years ago

Hi,

My observations are:

  1. When the Tigase server is down I get the error response below to the command "openssl s_client -connect 54.255.71.55:5281":

socket: Connection refused
connect:errno=111

  2. When the Tigase server is up I get the below response to the same command, so I guess the port is open and functioning well.

CONNECTED(00000003)
140349342308168:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 247 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

  3. I have deleted all the .pem files and restarted the server, then I tried to connect from the Pidgin client with a user over the normal socket connection on port 5222; the user connected successfully, and a certificate PEM for my domain IP (54.255.71.55.pem) was generated.

  4. Now if I try to connect from the Pidgin tool using the BOSH URL "https://54.255.71.55:5281/http-bind" then the response is an SSL Handshake failed error.

Log files are attached.

Could you please help with what the issue could be?

Regards

Khaleel

Added by Wojciech Kapcia TigaseTeam about 4 years ago

Hasn't certs/default.pem been generated after the BOSH connection? Please try to copy 54.255.71.55.pem to default.pem, restart the server and try again with openssl.

Added by Khaleel Shaik about 4 years ago

Hi,

I have copied the 54.255.71.55.pem to default.pem and then stopped the server and restarted. Still I am getting the SSL Handshake fail error.

When I do the openssl s_client -connect 54.255.71.55:5281, I am getting the below response.

CONNECTED(00000003)
139994109458248:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 0 bytes and written 247 bytes

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE

Regards

Khaleel

Added by Wojciech Kapcia TigaseTeam about 4 years ago

Can you check that Tigase is in fact listening on 5281 port? Make sure there are no spaces in the configuration, that is:

bosh/connections/ports=5280,5281

Added by Khaleel Shaik about 4 years ago

Hi

I have the properties mentioned with preceding -- characters as shown below; no spaces exist.

--bosh-ports=5280,5281

--bosh/connections/5281/socket=ssl

--bosh/connections/5281/type=accept

I have removed the -- at the beginning of the above three parameters and restarted the server.

Now openssl is not opening any connection; I am getting the below error.

[ec2-user@ip-10-146-138-237 certs]$ openssl s_client -connect 54.255.71.55:5281
socket: Connection refused
connect:errno=111

Regards

Khaleel

Added by Khaleel Shaik about 4 years ago

Hi,

I have changed the

bosh-ports=5280,5281

to

bosh/connections/ports=5280,5281

then restarted the server; still I am getting the Connection refused error. Even on the Pidgin client, instead of the SSL Handshake error, now I am getting an SSL Connection failed error.

So I am reverting the properties back as shown below (no [i], [s] types mentioned). Can you please verify these parameters for any mistake?

--bosh-ports=5280,5281

--bosh/connections/5281/socket=ssl

--bosh/connections/5281/type=accept

Regards

Khaleel

Added by Wojciech Kapcia TigaseTeam about 4 years ago

This is the proper configuration:

--bosh-ports=5280,5281
bosh/connections/5281/socket=ssl
bosh/connections/5281/type=accept

The first line will be used as a general system property (hence the double-dash prefix "--"); the second and third lines are component configuration and therefore are not prefixed with dashes.
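The thread turned on three small init.properties details: the ports list is a general system property written as `--bosh-ports`, the per-port `bosh/connections/<port>/...` entries are component configuration and take no dashes, and the ports list must not contain spaces. The following is an added example, not code from Tigase or from the posters: a Python 3 lint function that encodes those conventions, so that a misconfiguration is reported before a restart rather than discovered through a handshake failure. It also accepts the `bosh/connections/ports` spelling confirmed earlier in the thread and strips the `[i]`/`[S]` type hints from the first post; which spellings Tigase accepts in other versions is outside what this thread shows, and the function names are the example's own.

```python
import re
from typing import List, Tuple

# Tigase init.properties keys may carry a type hint, e.g. ports[i], socket[S].
TYPE_HINT = re.compile(r"\[[a-zA-Z]\]$")
PORT_SOCKET = re.compile(r"^bosh/connections/(\d+)/socket$")


def parse_properties(text: str) -> List[Tuple[str, str]]:
    """Return (raw_key, raw_value) pairs. The value is left unstripped so
    stray spaces around commas can be reported."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value))
    return pairs


def lint_bosh_ssl(text: str) -> List[str]:
    """Report the BOSH/SSL configuration mistakes discussed in this thread."""
    findings: List[str] = []
    ports_value = None
    ssl_ports = set()
    for raw_key, value in parse_properties(text):
        dashed = raw_key.startswith("--")
        key = TYPE_HINT.sub("", raw_key[2:] if dashed else raw_key)
        if not (key == "bosh-ports" or key.startswith("bosh/connections/")):
            continue                     # not a BOSH connection setting
        if "/" in key and dashed:
            findings.append(f"{raw_key}: component properties take no -- prefix")
        if key == "bosh-ports" and not dashed:
            findings.append("bosh-ports is a general system property: write it as --bosh-ports")
        if key in ("bosh-ports", "bosh/connections/ports"):
            ports_value = value
            continue
        m = PORT_SOCKET.match(key)
        if m and value.strip().lower() == "ssl":
            ssl_ports.add(m.group(1))
    if ports_value is None:
        # Only a problem when an SSL port was configured that can never be opened.
        if ssl_ports:
            findings.append("no ports list (--bosh-ports), so no BOSH listener will be opened")
        return findings
    if re.search(r"\s", ports_value.strip()):
        findings.append(f"ports list {ports_value.strip()!r} contains whitespace; use 5280,5281")
    listed = {p.strip() for p in ports_value.split(",")}
    for port in sorted(ssl_ports):
        if port not in listed:
            findings.append(f"port {port} is socket=ssl but missing from the ports list")
    return findings


# Constructed inputs: the working configuration from this post, and the
# all-dashed variant that produced "handshake failure" earlier in the thread.
GOOD = "--bosh-ports=5280,5281\nbosh/connections/5281/socket=ssl\nbosh/connections/5281/type=accept\n"
ALL_DASHED = "--bosh-ports=5280,5281\n--bosh/connections/5281/socket=ssl\n--bosh/connections/5281/type=accept\n"
```

Running `lint_bosh_ssl(GOOD)` returns an empty list, while `lint_bosh_ssl(ALL_DASHED)` returns two findings, one for each component property that was wrongly prefixed; that matches the symptom in the thread, where the dashed `--bosh-ports` line still opened port 5281 but the dashed socket setting was not applied, so the port answered without TLS.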

Added by Khaleel Shaik about 4 years ago

Hi Wojciech Kapcia,

Your help is great. Now the openssl s_client -connect 54.255.71.55:5281 perfectly handshakes with the self-signed certificates.

Now the Pidgin client is also connected successfully.

THANKS A TON !!!

Regards

Khaleel
