Wildcard SSL Cert

Balakumar M
Added about 3 years ago

Does Tigase support wildcard SSL certs? Like *.tigase.org. Thx.

When I connect with the PSI client, I get an invalid signature error. My Tigase domain is different from the DNS domain name and I have tried setting --ssl-def-cert-domain in all combinations.


Replies (10)

Added by Wojciech Kapcia TigaseTeam about 3 years ago

Tigase supports wildcard certificates but you have to either put them in the filename matching the VHost (domain) or configure a wildcard VHost in etc/init.properties:

basic-conf/virt-hosts-cert-*.tigase.org=/home/tigase/tigase-server/certs/tigase.org.pem

Added by Balakumar M about 3 years ago

Thanks for the reply. The SSL report shows a lot of vulnerabilities like:

This server supports insecure Diffie-Hellman (DH) key exchange parameters (Logjam). Grade set to F.

This server uses RC4 with modern protocols. Grade capped to C.

The server does not support Forward Secrecy with the reference browsers.

Can you advise how to disable weak cipher suites, support forward secrecy, and use 2048-bit Diffie-Hellman?

Thanks.

Added by Wojciech Kapcia TigaseTeam about 3 years ago

--hardened-mode:

Enabling hardened mode affects handling of security aspects within Tigase. It turns off workarounds for SSL issues, turns off SSLv2 and forces enabling more secure cipher suites. It also forces the requirement of StartTLS.

Enabling it requires UnlimitedJCEPolicyJDK installed. We prefer to use OracleJDK as our tests revealed that using OpenJDK in hardened mode may cause issues with some clients on some platforms.

Added by Balakumar M about 3 years ago

Thanks. --hardened-mode solves the RC4 issue, but the report still shows the server supports insecure Diffie-Hellman (DH) key exchange parameters (Logjam).

Anything I can do about this?

Added by Wojciech Kapcia TigaseTeam about 3 years ago

Which test-tool do you use? We base ours on XMPP Observatory: https://xmpp.net/result.php?domain=tigase.org&type=client

Added by Bartosz Małkowski TigaseTeam about 3 years ago

If you're talking about #3670, then it is fixed already.

Added by Balakumar M about 3 years ago

Yes, #3670. Unfortunately jdk.tls.ephemeralDHKeySize is not available in Oracle JDK 7u79. I am using Tigase 7.0.0.

Added by Balakumar M about 3 years ago

I managed to get jdk7u85 to address this issue. Thanks.

My PSI client is still showing the Invalid Signature issue. Below is my init.properties config:

--virt-hosts = dev.mycompany.net

--ssl-def-cert-domain = dev.mycompany.net

--vhost-tls-required = true

basic-conf/virt-hosts-cert-*.mycompany.net = /opt/tigase-7.0.0/certs/mycompany.net.pem

The PEM file contains the wildcard SSL cert, private key, GlobalSign Organization Validation CA - SHA256 - G2 cert, and GlobalSign Root CA, in that order.

Anything wrong in my configuration? I am connecting to port 5222.
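As an added illustration (not Tigase's own code), the following Python models the VHost-to-certificate lookup the replies above describe: a `basic-conf/virt-hosts-cert-<name>` entry is matched to a VHost either by exact name or by a wildcard pattern. It assumes RFC 6125 wildcard semantics (the `*` must be the whole leftmost label and matches exactly one label) and that an exact-name entry takes precedence over a wildcard; the sample init.properties text and paths are constructed for the example, and Tigase's real lookup code is not shown on this page.

```python
# Constructed sample in the shape of the init.properties lines quoted in the thread.
INIT_PROPERTIES = """
--virt-hosts = dev.mycompany.net
--ssl-def-cert-domain = dev.mycompany.net
--vhost-tls-required = true
basic-conf/virt-hosts-cert-*.mycompany.net = /opt/tigase-7.0.0/certs/mycompany.net.pem
basic-conf/virt-hosts-cert-chat.example.org = /opt/tigase-7.0.0/certs/chat.example.org.pem
"""

CERT_KEY_PREFIX = "basic-conf/virt-hosts-cert-"


def parse_cert_mappings(text):
    """Return {vhost-or-pattern: pem-path} for every virt-hosts-cert-* entry."""
    mappings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.startswith(CERT_KEY_PREFIX):
            mappings[key[len(CERT_KEY_PREFIX):].lower()] = value
    return mappings


def wildcard_matches(pattern, hostname):
    """RFC 6125 style matching (assumed model): '*' only as the entire leftmost
    label, matching exactly one label, and never at the TLD level."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_path_for_vhost(vhost, mappings):
    """Exact VHost entry wins; otherwise the first matching wildcard entry.
    None means no per-VHost cert was found (the default cert would be used)."""
    if vhost.lower() in mappings:
        return mappings[vhost.lower()]
    for pattern, path in mappings.items():
        if wildcard_matches(pattern, vhost):
            return path
    return None
```

Note that `a.dev.mycompany.net` and the bare `mycompany.net` do not match `*.mycompany.net`, which is one reason a client can still report a certificate mismatch even when the wildcard entry looks right.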

Added by Wojciech Kapcia TigaseTeam about 3 years ago

bala kumar wrote:

Yes, #3670. Unfortunately jdk.tls.ephemeralDHKeySize is not available in Oracle JDK 7u79. I am using Tigase 7.0.0.

In general we recommend using Java8 (it's required for Tigase 7.1.x).

Have you tried other clients or testing the server against available test tools? It's possible that this is a Psi issue.

Added by Balakumar M about 3 years ago

You may be right about the Psi issue; we can connect with the Swift XMPP client and it shows the cert is valid. We will try to connect with our client and see. Thanks.