How to only allow s2s connection between several servers and my tigase server

Alina Sun
Added about 3 years ago

Hello all,

I setup two tigase servers, server1 and server2. I only want to enable s2s connection between these two tigase servers.

I create a truststore for each tigase server and put the truststore into /tigase/certs. The two tigase servers can talk to each other.

// create truststore for server2

keytool -import -alias ca -file domain1.pem -keystore truststore

// create truststore for server1

keytool -import -alias ca -file domain2.pem -keystore truststore

But I find that the user on my servers can add a user on I don't have' certificate in my truststore. Why? How to fix it?

Replies (4)

Added by Wojciech Kapcia TigaseTeam about 3 years ago

Does those two tigase servers serve the same domain and are basically a cluster (two nodes of the same service)? If yes, then clustering is done on different port and it doesn't use S2S component in which case you can disable XMPP Federation (i.e. s2s connectivity) with following entry to the @etc/


If those are different servers serving different domains then you can utilize Packet Filtering and configure it to WHITELIST only your domains.

Added by Alina Sun about 3 years ago

These two servers are in different domains and run by different companies. They are not in cluster.

I am just confused. According to my understanding, server A can create a s2s connection with server B only if :

Sever A installs server B's certificate into Server A's truststore and

Server B installs server A's certificate into Server B's trustsore.

The current situation is:

Server C's certification is not in server A's truststore and Server A's certificate is not in server C's truststore. Server A and server C are in different domain and run by different companies. But the user of server A can add the user on server C to contact and chat with each other.

Server A and server B are our internal server and we don't want sever A or server B create s2s connection with some other XMPP servers. But server A and server B can create s2s connection between them.

What should I do to make it happen? Packet Filtering does not seem to be the best choice.

Added by Wojciech Kapcia TigaseTeam about 3 years ago

Currently, in case of federated connections, Tigase doesn't diconnect connection in case of self-signed or otherwise untrusted certificates and fallback to the Server Dialback for identity verification.

Added by Alina Sun about 3 years ago

Ah... Got it. Thank you, Wojciech.

Best regards,

Alina Sun