Getting SSL Certificate Chain from Jabber Server

sslxmpp

trying to connect my jabber client (pidgin) to a jabber server with self signed certificate, I am getting an "unable to validate certificate" error.

As it is not possible to tell the client not to validate the chain, I would like to get the certificate chain in order to import it there. Therefore I use:

openssl s_client -connect my.jabber.server.net:5222 </dev/null

I am getting the following answer:

openssl s_client -connect cup1.sprachdienst.fraunhofer.de:5222

> CONNECTED(00000003) 140472458057376:error:140790E5:SSL
> routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
> --- no peer certificate available
> --- No client certificate CA names sent
> --- SSL handshake has read 0 bytes and written 213 bytes
> --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE
> ---

Why don't I get the certificate chain while my jabber client does?

Best Answer

The solution is: Jabber requires starttls:

openssl s_client -connect my.jabber.server.net:5222 </dev/null -starttls xmpp

returns the certificate

Related Solutions

Apache – Forward Client x509 Certificate to Tomcat via mod_proxy

Apache is generating a brand new SSL session for the connection to the backend tomcat server, so the client certificate data isn't passed; the system with the cert isn't the client anymore.

If you're ok with an unencrypted connection between Apache and the Tomcat device, then using an AJP proxy connection (ProxyPass / ajp://x.x.x.x:8009/) instead of SSL, and adding an SSLOptions +ExportCertData directive in Apache, should pass the certificate data to Tomcat. There more info on passing certificate information here.

SSL Error: self signed certificate in certificate chain

You don't need the root certificate in the chain (though I don't believe having it hurts anything).

That error is more of a warning from openssl in this case I think. I believe what it means is just that openssl doesn't know that it should trust the root certificate of that chain. If you pull out just the root certificate from that bundle and point that openssl command at it with the -CAfile argument I expect that "error" should go away.

Inside the sf_bundle.crt file you should see two

-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----

blocks (possibly with plain text above each block showing what certificate the block contains). If you split each of those blocks into its own file so you end up with block1.crt and block2.crt you should be able to run openssl x509 -noout -subject -in <file.crt> on each of them to get their respective certificate subject lines.

Assuming that block2.crt has a subject line of /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority you should then be able to run openssl s_client -CAfile block2.crt -connect imap.domain.ltd:465 and that should, hopefully, connect without giving you the self-signed certificate error.

Best Answer

Related Solutions

Apache – Forward Client x509 Certificate to Tomcat via mod_proxy

SSL Error: self signed certificate in certificate chain

Related Topic