cmeng-git / atalk-android

xmpp/jabber client for android
Apache License 2.0
159 stars 60 forks

Client Certificate Authentication (suggested feature) #106

Closed intika closed 4 years ago

intika commented 4 years ago

It would be nice if your app could support Client Certificate Authentication feature...

Right now, with an XMPP server that enforces CCA it does not work (because it's not implemented) and outputs this error message: Encounter problem during XMPP Connection: javax.net.ssl.SSLHandshakeException: Handshake failed

Thanks

cmeng-git commented 4 years ago

My home test server setup is based on ejabberd Community Edition; it looks like it does not support client certificate authentication.

Are you able to provide a test account and the client certificate on your server for me to take a look for the aTalk implementation?

intika commented 4 years ago

Yes sure, I'll send you that soon, plus the related code (how Conversations implements it)... it should not be too complicated to add that to aTalk.

cmeng-git commented 4 years ago

aTalk has implemented the Client Certificate Authentication; but unable to proceed to perform the final system test between the client and server.

Are you able to provide me with a test account and certificate on your server? You can send the info to my gmail account.

cmeng-git commented 4 years ago

aTalk v2.2.0 release: implemented, but experimental, as I was unable to perform the client and server authentication system test. See the aTalk online help on how to set it up.

Please try out and let me know the result.

intika commented 4 years ago

> aTalk has implemented the Client Certificate Authentication; but unable to proceed to perform the final system test between the client and server.

I saw that, great first base... currently my production server is on a LAN... I did not have the time to set up a WAN testing VM, I'll close this issue and reopen it later on, when I'll be working on this... probably with a PR directly, as I am maintaining https://github.com/Intika-Android-Apps/Libre-Messenger and am willing either to switch to aTalk or implement call/video in that "fork"...

But anyway the config is a simple minimalist one, it's just prosody (how-to) with client certificates enabled with the following config (prosody.cfg.lua):

admins = { "admin@127.0.0.1" }

data_path = "/prosody/data"
pidfile = "/tmp/prosody.pid"

local_interfaces = { "127.0.0.1" } -- default for services that bind locally (the console uses it if console_interfaces is unset)
console_interfaces = { "127.0.0.1" } -- telnet console interface

c2s_interfaces = { "127.0.0.1" }
c2s_ports = { 5522 } -- port numbers, not strings

-- ------------------------------------------------------------------------------------------------------------------

-- This global ssl table applies to every TLS listener (c2s and s2s alike).
-- To demand client certificates from clients only, put cafile/verify into c2s_ssl = { ... } instead.
ssl = {
        key = "/certs/127.0.0.1.key";
        certificate = "/certs/127.0.0.1.crt";
        dhparam = "/dhparam/dhparam.pem"; -- a path string, not a table
        cafile = "/client-cert/ca.crt"; -- CA that issued the client certificates (path string, not a table)
        protocol = "tlsv1_2"; -- TLS 1.2 only
        verifyext = {};
        -- Request a certificate once, verify it against cafile, and abort the handshake
        -- if the client presents none: only clients with a certificate from our CA get in (restrictive)
        verify = { "peer", "client_once", "fail_if_no_peer_cert" };
--      verify = { "peer", "client_once" }; -- verify the peer's certificate if it sends one, but do not require it
        -- LuaSec reads "options" (plural); a key named "option" is silently ignored
        options = { "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };
}

-- ------------------------------------------------------------------------------------------------------------------

modules_enabled = {
-- Generally required
  "roster"; -- Allow users to have a roster. Recommended ;) (friend list)
  "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
  "tls"; -- Add support for secure TLS on c2s/s2s connections
  "disco"; -- Service discovery: clients can discover services and features available on the server
  "presence"; -- Autoloaded module that lets users send status notifications such as whether they are available to talk or do not wish to be disturbed

-- Not essential, but recommended
  "pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
  "vcard4"; -- User profiles (stored in PEP)
  "vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard

-- Nice to have
  "csi"; -- XEP-0352: a way for mobile clients to tell the server that they are sitting in someone's pocket...
  "csi_simple"; -- Simple mobile optimizations (requires csi)
  "offline"; -- Store offline messages (offline messages are deleted after delivery ;))

-- Others
  --"smacks"; -- Stream management: avoids disconnects and handles hibernation...

-- Security
  "watchregistrations"; -- Alert admins of registrations (registration_watchers = { } or the admin list)
  "log_sasl_mech"; -- Log the SASL mechanism used
  "log_auth"; -- Log failed auth

-- Other features
  "lastactivity"; -- Enable mod_lastactivity (permits querying when a user was last active... aTalk implements it but Pix-Art does not :()
  "strict_https"; -- Redirect all HTTP to HTTPS with 301
}

-- ------------------------------------------------------------------------------------------------------------------

-- Some modules are loaded by default unless denied here
modules_disabled = {
}

-- ------------------------------------------------------------------------------------------------------------------

allow_registration = true
authentication = "internal_hashed" -- passwords stored hashed instead of in plain text

-- ------------------------------------------------------------------------------------------------------------------

-- mod_watchregistrations
registration_watchers = { "admin@127.0.0.1" } -- otherwise the admin list is used
registration_notification = "User $username just registered on $host from $ip"

-- ------------------------------------------------------------------------------------------------------------------

-- mod_saslauth and mod_tls
s2s_require_encryption = true
s2s_secure_auth = true
c2s_require_encryption = true
allow_unencrypted_plain_auth = false

-- ------------------------------------------------------------------------------------------------------------------

log = {
    info = "prosody.log"; -- can be info or debug
    error = "prosody.err";
}

-- ------------------------------------------------------------------------------------------------------------------

certificates = "certs"
VirtualHost "127.0.0.1"

The client certificate CA ca.crt was generated as this guide explains.

Other configs may be used, with a client CA as the authentication system instead of a password (this should not impact the implementation).
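An added example, not code from the aTalk project or from the issue author, showing what the cafile/verify settings in the config above actually decide: it builds a throwaway CA and a client certificate signed by it with openssl, plus a second client certificate from an unrelated CA, and runs the same chain check that `verify = { "peer", ... }` performs against `cafile`. The subject names, file names and output directory are assumptions for illustration only.

```shell
#!/bin/sh
# Added example (not from aTalk or the issue): generate a client CA and client
# certificates with openssl, then check which ones a server configured with
# cafile = ca.crt and verify = { "peer", "client_once", "fail_if_no_peer_cert" }
# would accept. Requires the openssl command-line tool.
set -e

# Create, inside directory $1:
#   ca.crt / ca.key          the CA the server trusts (what prosody's cafile points at)
#   alice.crt / alice.key    a client certificate issued by that CA (should be accepted)
#   rogue-ca.crt             an unrelated CA
#   mallory.crt / mallory.key a client certificate issued by the rogue CA (should be rejected)
# Names and subjects are assumed values for the example.
make_certs() {
    dir="$1"
    mkdir -p "$dir"

    # Self-signed CA key and certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Test Client CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

    # Client key + CSR, signed by the trusted CA.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=alice@127.0.0.1" -keyout "$dir/alice.key" -out "$dir/alice.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -in "$dir/alice.csr" -out "$dir/alice.crt" 2>/dev/null

    # An unrelated CA and a client certificate it issued: a valid certificate,
    # but not chaining to the CA in cafile, so the handshake must be refused.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Rogue CA" -keyout "$dir/rogue-ca.key" -out "$dir/rogue-ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=mallory@127.0.0.1" -keyout "$dir/mallory.key" -out "$dir/mallory.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -CA "$dir/rogue-ca.crt" -CAkey "$dir/rogue-ca.key" \
        -CAcreateserial -in "$dir/mallory.csr" -out "$dir/mallory.crt" 2>/dev/null
}

# check_client_cert CAFILE CLIENT_CERT
# Same decision the TLS layer makes with verify "peer": does CLIENT_CERT chain to CAFILE?
# Prints "accept" or "reject" and returns 0 or 1 accordingly.
check_client_cert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo accept
        return 0
    fi
    echo reject
    return 1
}

# Stand-alone run: build the certificates in a temp directory and print the verdicts.
if [ "${EXAMPLE_RUN:-0}" = 1 ]; then
    workdir=$(mktemp -d)
    make_certs "$workdir"
    check_client_cert "$workdir/ca.crt" "$workdir/alice.crt"   || true  # accept
    check_client_cert "$workdir/ca.crt" "$workdir/mallory.crt" || true  # reject
    rm -rf "$workdir"
fi
```

Run it with `EXAMPLE_RUN=1 sh script.sh`. Against a live server the end-to-end equivalent is `openssl s_client -connect 127.0.0.1:5522 -starttls xmpp -cert alice.crt -key alice.key -CAfile ca.crt`: with `fail_if_no_peer_cert` in place, the same command without `-cert`/`-key` must end in a handshake failure, which is the behaviour the first comment in this issue reports from aTalk before support was added.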

cmeng-git commented 4 years ago

My test server is based on ejabberd Community Edition. From online info, it seems that client TLS authentication is not offered in this edition. I am also unable to find any document on the setup, hence I am unable to perform the full client-to-server testing.