
Client Certificate Authentication (suggested feature)


It would be nice if your app could support the Client Certificate Authentication feature…

Right now, with an XMPP server that enforces CCA, it does not work (because it is not implemented) and outputs this error message: Encounter problem during XMPP Connection: javax.net.ssl.SSLHandshakeException: Handshake failed

Thanks

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 6 (4 by maintainers)

Top GitHub Comments

1 reaction
cmeng-git commented, Mar 1, 2020

My test server is based on the ejabberd community edition. From online info, it seems that client TLS authentication is not offered on this edition. I am also unable to find any document on the setup, hence I am unable to perform the full client-to-server testing.

0 reactions
intika commented, Mar 1, 2020

aTalk has implemented Client Certificate Authentication, but is unable to proceed to perform the final system test between the client and server.

I saw that, great first base… currently my production server is on a LAN… I did not have the time to set up a WAN testing VM; I'll close this issue and reopen it later on, when I'll be working on this… probably with a PR directly, as I am maintaining https://github.com/Intika-Android-Apps/Libre-Messenger and am willing either to switch to aTalk or implement call/video on that "fork"…

But anyway, the config is a simple minimalist one; it's just Prosody (how-to) with client certificates enabled, with the following config (prosody.cfg.lua):

admins = { "admin@127.0.0.1" }

data_path = "/prosody/data"
pidfile = "/tmp/prosody.pid"

local_interfaces = { "127.0.0.1" } -- default telnet interface (used if console is unset)
console_interfaces = { "127.0.0.1" } -- default telnet interface

c2s_interfaces = { "127.0.0.1" }
c2s_ports = { "5522" }

-- ------------------------------------------------------------------------------------------------------------------

ssl = { 
        key = "/certs/127.0.0.1.key";
        certificate = "/certs/127.0.0.1.crt";
        dhparam = { "/dhparam/dhparam.pem" };
        cafile = { "/client-cert/ca.crt" };
        protocol = "tlsv1_2";
        verifyext = {};
        verify = { "peer", "client_once", "fail_if_no_peer_cert" }; -- allow the connection only if the client certificate validates against cafile (restrictive)
--      verify = { "peer", "client_once" }; -- default: verify the peer's certificate if one is presented...
        option = { "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use" };
}

-- ------------------------------------------------------------------------------------------------------------------

modules_enabled = {
-- Generally required
  "roster"; -- Allow users to have a roster. Recommended ;) (friend list)
  "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
  "tls"; -- Add support for secure TLS on c2s/s2s connections
  "disco"; -- Service discovery clients can discover services and features available on the server
  "presence"; -- This is an autoloaded module that allows users to send status notifications such as whether they are available to talk or do not wish to be disturbed.

-- Not essential, but recommended
  "pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
  "vcard4"; -- User profiles (stored in PEP)
  "vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard

-- Nice to have
  "csi"; -- XEP-0352: a way for mobile clients to tell the server that they are sitting in someone's pocket...
  "csi_simple"; -- Simple Mobile optimizations (require csi)
  "offline"; -- Store offline messages (offline delete message after delivery ;))

-- Others 
  --"smacks"; -- Sessions management, avoid disconnect and handle hibernation...

-- Security
  "watchregistrations"; -- Alert admins of registrations (recipients from registration_watchers { } or the admin list)
  "log_sasl_mech"; -- Log used sasl mechanism
  "log_auth"; -- Log failed auth. 

-- Other features 
  "lastactivity"; -- Enable mod_lastactivity (permits querying when a user was last active... aTalk implements it but Pix-Art does not :()
  "strict_https"; -- Redirect all http to https with 301
}

-- ------------------------------------------------------------------------------------------------------------------

-- Some modules are loaded by default if not denied here
modules_disabled = {
}

-- ------------------------------------------------------------------------------------------------------------------

allow_registration = true
authentication = "internal_hashed" -- password hashed instead of plain text

-- ------------------------------------------------------------------------------------------------------------------

-- mod_watchregistrations
registration_watchers = { "admin@127.0.0.1" } -- otherwise the admin list is used
registration_notification = "User $username just registered on $host from $ip"

-- ------------------------------------------------------------------------------------------------------------------

-- mod_saslauth and mod_tls
s2s_require_encryption = true
s2s_secure_auth = true
c2s_require_encryption = true
allow_unencrypted_plain_auth = false

-- ------------------------------------------------------------------------------------------------------------------

log = {
	info = "prosody.log"; -- can be info or debug
	error = "prosody.err";
}

-- ------------------------------------------------------------------------------------------------------------------

certificates = "certs"
VirtualHost "127.0.0.1"

The client certificate ca.crt has been generated as this guide explains.

Other configs may be used with the client CA as the authentication system instead of a password (this should not impact the implementation).
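As an added example (not aTalk's code and not from the issue), here is how a Java XMPP client could satisfy the Prosody setting `verify = { "peer", "client_once", "fail_if_no_peer_cert" }` above: it loads the user's client certificate and key from a PKCS12 keystore, trusts only the server CA, pins TLSv1.2 to match `protocol = "tlsv1_2"`, and upgrades an existing plaintext socket the way XMPP STARTTLS does. The keystore path, its password and the CA bundle path are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import javax.net.ssl.*;

public final class XmppClientCertTls {

    // Build an SSLContext that presents the user's client certificate and trusts
    // only the CA that signed the server certificate (paths and password are assumptions).
    public static SSLContext build(String clientP12, char[] password, String serverCaPem)
            throws Exception {
        // Client identity: private key plus certificate chain in a PKCS12 file.
        KeyStore identity = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(clientP12)) {
            identity.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, password);

        // Trust anchors: the server CA only, not the platform default store.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(serverCaPem)) {
            trust.setCertificateEntry("server-ca", cf.generateCertificate(in));
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2"); // matches protocol = "tlsv1_2"
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // XMPP negotiates STARTTLS on the plaintext stream, then upgrades that same socket.
    public static SSLSocket startTls(SSLContext ctx, Socket plain, String host) throws IOException {
        SSLSocket tls = (SSLSocket) ctx.getSocketFactory().createSocket(plain, host, plain.getPort(), true);
        SSLParameters params = tls.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // verify server name against its cert
        tls.setSSLParameters(params);
        tls.setUseClientMode(true);
        tls.startHandshake(); // throws SSLHandshakeException if either side rejects the other
        return tls;
    }
}
```

With `fail_if_no_peer_cert` set, a client whose SSLContext was initialised with `null` key managers never sends a certificate, and the server aborts the handshake, which is the generic "Handshake failed" seen in the issue; the KeyManagerFactory above is the part that closes that gap.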
