esl / MongooseIM

MongooseIM is Erlang Solutions' robust, scalable and efficient XMPP server, aimed at large installations. Specifically designed for enterprise purposes, it is fault-tolerant and can utilise the resources of multiple clustered machines.

certificate authentication #2911

Open chrisatta opened 4 years ago

chrisatta commented 4 years ago

MongooseIM version: 3.7.0
Installed from: pkg
Erlang/OTP version: (put the version)

Hello everyone, I am trying to enable authentication with a c2s certificate but I am having trouble connecting to the server. I followed this documentation: https://mongooseim.readthedocs.io/en/3.7.0/authentication-methods/client-certificate/ Password auth works, but certificate auth does not work. I am using the "Usage example - Gajim" and "Generate client certificate" sections.

This is my config:

```erlang
{ 5222, ejabberd_c2s, [
        %%
        %% If TLS is compiled in and you installed a SSL
        %% certificate, specify the full path to the
        %% file and uncomment this line:
        %%
        {tls, true},
        %{certfile, "/etc/mongooseim/ca.pem"}, starttls,
        {cafile, "/etc/mongooseim/rootCA.pem"},
        {verify_peer, true},
        {tls_module, fast_tls},
        %{tls_module, just_tls},
        %{starttls, true},

        %%{zlib, 10000},
        %% https://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
        {ciphers, "TLSv1.2:TLSv1.3"},
        %{ciphers, "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"},
        {access, c2s},
        {shaper, c2s_shaper},
        {max_stanza_size, 65536}
           ]},
```

where rootCA.pem is obtained from `cat rootCA.crt rootCA.key`

```erlang
{sasl_mechanisms, cyrsasl_external}.
```

```erlang
{auth_opts, [
         %% Store the plain passwords or hashed for SCRAM:
         %% {password_format, scram} % default
         %% {password_format, plain}
         {password_format, scram}
         %% {scram_iterations, 10000} % default

         %%
         %% For auth_http:
         %% {basic_auth, "user:password"}
         %% {path_prefix, "/"} % default
         %% auth_http requires {http, Host | global, auth, ..., ...} outgoing pool.
         %%
         %% For auth_external
         %% {extauth_program, "/path/to/authentication/script"}
         %%
         %% For auth_jwt
         %% {jwt_secret_source, "/path/to/file"},
         %% {jwt_algorithm, "RS256"},
         %% {jwt_username_key, user}
         %%
         %% For cyrsasl_external
         %% {authenticate_with_cn, false}
         %%{cyrsasl_external, standard}
       ,{cyrsasl_external, use_common_name}

         %%
         %% For auth_ldap
         %% {ldap_base, "dc=example,dc=com"},
         %% {ldap_filter, "(objectClass=shadowAccount)"},
         %% {ldap_uids, [{"mail", "%u@mail.example.org"}]}.
        ]}.

{auth_method, pki}.
```

Server error:

```
2020-10-15 11:14:24.735 [error] <0.561.0>@cyrsasl:-listmech/1-lc$^0/1-0-:81 Supervisor ejabberd_c2s_sup had child undefined started with {ejabberd_c2s,start_link,undefined} at <0.1578.0> exit with reason no function clause matching cyrsasl:'-listmech/1-lc$^0/1-0-'(cyrsasl_external) line 81 in context child_terminated
```

Thanks

chrisatta commented 4 years ago

Client connection error SmackException: No supported and enabled SASL Mechanism provided by server: Server annunced mechanisms: []

chrisatta commented 4 years ago

No supported and enabled SASL Mechanism provided by server. Server announced mechanisms: [SCRAM-SHA-1, PLAIN]. Registered SASL mechanisms with Smack: [SASL Mech: SCRAM-SHA-1-PLUS, Prio: 100, SASL Mech: SCRAM-SHA-1, Prio: 110, SASL Mech: DIGEST-MD5, Prio: 210, SASL Mech: PLAIN, Prio: 410, SASL Mech: X-OAUTH2, Prio: 410, SASL Mech: ANONYMOUS, Prio: 500, SASL Mech: EXTERNAL, Prio: 510]. Enabled SASL mechanisms for this connection: [EXTERNAL]. Blacklisted SASL mechanisms: [SCRAM-SHA-1-PLUS].10

Neustradamus commented 3 years ago

@janciesla8818, @NelsonVides, @michalwski: Have you seen this ticket?

DenysGonchar commented 1 year ago

SASL EXTERNAL mechanism is filtered out if client certificate is not provided during TLS handshake
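Two things in this thread can be checked offline before touching the server: the `cafile` that was built with `cat rootCA.crt rootCA.key` (a CA bundle should carry only certificates, never the CA's private key), and the `<mechanisms>` list the server advertises, which as noted above only contains EXTERNAL once a client certificate was presented in the TLS handshake. The Python below is an added example for this page; it is not MongooseIM code and not from the issue author. The PEM text and the `<stream:features>` stanza are constructed samples, and the function names are mine.

```python
"""Offline sanity checks for an XMPP client-certificate (SASL EXTERNAL) setup.

Added example, not MongooseIM code. It checks two things this thread touches:
1. whether a PEM file is fit to be the TLS `cafile` (certificates only, no key);
2. whether the server's <stream:features> advertises EXTERNAL, and if not,
   what the most likely cause is.
All sample data below is constructed for the example.
"""
import re
import xml.etree.ElementTree as ET

# One PEM block: label in group 1, body matched lazily up to the matching END.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample: what `cat rootCA.crt rootCA.key > rootCA.pem` produces.
BAD_CAFILE = """-----BEGIN CERTIFICATE-----
MIIBconstructedSampleNotARealCertificate==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEconstructedSampleNotARealKey==
-----END RSA PRIVATE KEY-----
"""

# Constructed sample: the certificate alone, which is what `cafile` needs.
GOOD_CAFILE = """-----BEGIN CERTIFICATE-----
MIIBconstructedSampleNotARealCertificate==
-----END CERTIFICATE-----
"""

# Constructed sample of the features a server sends when no client
# certificate was presented: SCRAM-SHA-1 and PLAIN only, no EXTERNAL.
FEATURES_NO_CERT = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>SCRAM-SHA-1</mechanism>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""


def pem_block_labels(pem_text):
    """Return the label of every PEM block in the file, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def cafile_problems(pem_text):
    """List the problems that make a PEM file unsuitable as `cafile`."""
    labels = pem_block_labels(pem_text)
    problems = []
    if not any(label.endswith("CERTIFICATE") for label in labels):
        problems.append("no CERTIFICATE block: the server cannot verify any client")
    if any("PRIVATE KEY" in label for label in labels):
        problems.append("PRIVATE KEY block present: the CA key is exposed in the "
                        "trust store; keep only rootCA.crt in cafile")
    return problems


def advertised_mechanisms(features_xml):
    """Extract the SASL mechanism names from a <stream:features> stanza."""
    root = ET.fromstring(features_xml)
    return [m.text.strip() for m in root.iter("{%s}mechanism" % SASL_NS) if m.text]


def diagnose_external(mechanisms, client_cert_sent):
    """Explain why EXTERNAL is missing, given whether the client sent a cert."""
    if "EXTERNAL" in mechanisms:
        return "ok"
    if not client_cert_sent:
        return ("EXTERNAL not offered: the client presented no certificate "
                "during the TLS handshake, so the server filtered it out")
    return ("EXTERNAL not offered although a certificate was sent: check that "
            "sasl_mechanisms is a list containing cyrsasl_external and that "
            "cafile holds the CA that issued the client certificate")


if __name__ == "__main__":
    for name, pem in (("rootCA.pem (cat crt+key)", BAD_CAFILE), ("rootCA.crt", GOOD_CAFILE)):
        print(name, "->", cafile_problems(pem) or "ok as cafile")
    mechs = advertised_mechanisms(FEATURES_NO_CERT)
    print("server advertises:", mechs)
    print(diagnose_external(mechs, client_cert_sent=False))
```

`cafile_problems` is the check to run on whatever file the `{cafile, ...}` option points at; `diagnose_external` is what to read off the first `<stream:features>` after STARTTLS, with `client_cert_sent` taken from the client's own TLS configuration (in Gajim, whether a client certificate is set for the account).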