Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Client Certificate Authentication (suggested feature)

See original GitHub issue

It would be nice if your app could support Client Certificate Authentication feature…

Right now with an xmpp server that enforce CCA, it does not work (because its not implemented) and output the current this error message: Encounter problem during XMPP Connection: Handshake failed


Issue Analytics

  • State:closed
  • Created 4 years ago
  • Comments:6 (4 by maintainers)

github_iconTop GitHub Comments

cmeng-gitcommented, Mar 1, 2020

My test server is based on ejabberd community edition. From online info, it seems that client TLS authentication is not being offered on this edition. I am also unable to find any document on the setup, hence unable to perform the full client to server testing.

intikacommented, Mar 1, 2020

aTalk has implemented the Client Certificate Authentication; but unable to proceed to perform the final system test between the client and server.

i saw that, great first base… currently my production server is on a lan… i did not had the time to setup a wan testing vm, i’ll close this issue and reopen it later on, when i’ll be working on this… probably with a PR directly as i am maintaining and willing either to switch to atalk or implement call/video to that “fork”…

But any way the config is a simple minimalist one, it’s just prosody (how-to) with client certificate enabled with the following config (prosody.cfg.lua):

admins = { "admin@" }

data_path = "/prosody/data"
pidfile = "/tmp/"

local_interfaces = { "" } -- default telnet interface (used if console is unset)
console_interfaces = { "" } -- default telnet interface

c2s_interfaces = { "" }
c2s_ports = { "5522" }

-- ------------------------------------------------------------------------------------------------------------------

ssl = { 
        key = "/certs/";
        certificate = "/certs/";
        dhparam = { "/dhparam/dhparam.pem" };
        cafile = { "/client-cert/ca.crt" };
        protocol = "tlsv1_2";
        verifyext = {};
        verify = { "peer", "client_once", "fail_if_no_peer_cert" }; -- allow only if ca client succeed (restrictive)
--      verify = { "peer", "client_once" }; -- default verify the peer’s certificate... 
        option = { "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };

-- ------------------------------------------------------------------------------------------------------------------

modules_enabled = {
-- Generally required
  "roster"; -- Allow users to have a roster. Recommended ;) (friend list)
  "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
  "tls"; -- Add support for secure TLS on c2s/s2s connections
  "disco"; -- Service discovery clients can discover services and features available on the server
  "presence"; -- This is an autoloaded module that allows users to send status notifications such as whether they are available to talk or do not wish to be disturbed.

-- Not essential, but recommended
  "pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
  "vcard4"; -- User profiles (stored in PEP)
  "vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard

-- Nice to have
  "csi"; -- XEP-0352: a way for mobile clients to tell the server that they are sitting in someones pocket...
  "csi_simple"; -- Simple Mobile optimizations (require csi)
  "offline"; -- Store offline messages (offline delete message after delivery ;))

-- Others 
  --"smacks"; -- Sessions management, avoid disconnect and handle hibernation...

-- Security
  "watchregistrations"; -- Alert admins of registrations with registration_watchers     { } or admin...
  "log_sasl_mech"; -- Log used sasl mechanism
  "log_auth"; -- Log failed auth. 

-- Other features 
  "lastactivity"; -- Enable mod_lastactivity (permit to querry when a user was last active... atalk implement it but not pixart :()
  "strict_https"; -- Redirect all http to https with 301

-- ------------------------------------------------------------------------------------------------------------------

-- Some module are loaded by default if not denied here
modules_disabled = {

-- ------------------------------------------------------------------------------------------------------------------

allow_registration = true
authentication = "internal_hashed" -- password hashed instead of plain text

-- ------------------------------------------------------------------------------------------------------------------

-- mod_watchregistrations
registration_watchers = { "admin@" } -- otherwise the admin list is used
registration_notification = "User $username just registered on $host from $ip"

-- ------------------------------------------------------------------------------------------------------------------

-- mod_saslauth and mod_tls
s2s_require_encryption = true
s2s_secure_auth = true
c2s_require_encryption = true
allow_unencrypted_plain_auth = false

-- ------------------------------------------------------------------------------------------------------------------

log = {
	info = "prosody.log"; -- can be info or debug
	error = "prosody.err";

-- ------------------------------------------------------------------------------------------------------------------

certificates = "certs"
VirtualHost ""

The client certificate ca.crt had been generated as this guide explain

Other config may be used with client ca as authentication system instead of password (this should not impact the implementation)

Read more comments on GitHub >

github_iconTop Results From Across the Web

Client Authentication Certificate 101: How to Simplify Access ...
Certificate-based authentication allows users to log in to various systems without typing in a traditional username and password. Instead, the ...
Read more >
7 Best Practices for Certificate-Based Authentication - Teleport
Certificate-Based Authentication Best Practices · Forged certificates exploiting weak hashing algorithms · Reuse of stolen certificates ...
Read more >
Client Certificate Mapping Authentication ... - Microsoft Learn
Specifies whether Client Certificate Mapping authentication using Active Directory is enabled. For this setting to take effect, you must set ...
Read more >
X.509 Client Certificate Authentication Schemes - TechDocs
Certificate authentication uses SSL communication and can be combined with basic authentication to provide an even higher level of access security.
Read more >
Authentication using HTTPS client certificates - Medium
In this post, we implement a simple Node. js example which uses client certificates to authenticate the user.
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found