check the XMPP server certificate

95 views
Skip to first unread message

Ellouze Anis

unread,
Oct 7, 2020, 9:23:19 AM10/7/20
to libstrophe

Hi all,
I have a question about XMPP server certificate verification.
How can I set CA file to verify XMPP certificate and any example code about this? 

Thanks in advanced!

Dmitry Podgorny

unread,
Oct 7, 2020, 10:04:04 AM10/7/20
to libstrophe
Hi, this feature hasn't been implemented yet. There is a ticket: https://github.com/strophe/libstrophe/issues/164 . I will take a look into this feature and maybe it will be a part of the next major release.

For now, you can use flag XMPP_CONN_FLAG_TRUST_TLS. It allows you to trust invalid certificate, so you can connect to your server without an error. However, it can lead to security issues.

Dmitry Podgorny

unread,
Oct 7, 2020, 1:28:03 PM10/7/20
to libst...@googlegroups.com
I've made a quick implementation of this feature. You can take a look at this branch: https://github.com/strophe/libstrophe/tree/cafile . 

ср, 7 окт. 2020 г. в 17:04, Dmitry Podgorny <pasi...@gmail.com>:
--
You received this message because you are subscribed to a topic in the Google Groups "libstrophe" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/libstrophe/l40az0E-YIU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to libstrophe+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/libstrophe/ef1a69d8-2459-4408-9ab7-b145a92240a2n%40googlegroups.com.

Chiheb Boussetta

unread,
Oct 7, 2020, 2:25:34 PM10/7/20
to libst...@googlegroups.com
Hello,

I think that there is a fork of the libstrophe called libmesode that allows you to make the certicate verification.

Best regards, 

--
You received this message because you are subscribed to the Google Groups "libstrophe" group.
To unsubscribe from this group and stop receiving emails from it, send an email to libstrophe+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/libstrophe/12a1947e-700e-4457-a37a-a1b3a4cd94b9n%40googlegroups.com.

Dmitry Podgorny

unread,
Oct 7, 2020, 3:48:18 PM10/7/20
to libstrophe
libmesode adds a callback in which you can verify footprint manually. But it doesn't allow to provide own CA file. Moreover, I wouldn't recommend to use libmesode, because it will be deprecated soon.

sevent...@googlemail.com

unread,
Oct 15, 2020, 10:10:29 AM10/15/20
to libstrophe
Hi there,
release notes 0.9.2 tells: OpenSSL tls module verifies certificate by default. Set flag XMPP_CONN_FLAG_TRUST_TLS to ignore result of the verification.

Can you tell me if the default verification works with self-signed RootCAs as well?

Thanks in advance.

Dmitry Podgorny

unread,
Oct 16, 2020, 4:30:15 PM10/16/20
to libstrophe
Hi,

Your own self-signed certificates are not trusted by openssl. But if you're talking about root certificates that are installed in your system, they're trusted.

seventh_son

unread,
Oct 16, 2020, 4:35:47 PM10/16/20
to libst...@googlegroups.com
I'm referring to a RootCA that is not issued by a common vendor but by my own PKI. This RootCA signs a my server certificate.

The RootCA was installed in my trust store (ca-certificates.conf) and other clients like Curl accepts it, but libstrophe throws disconnect error 103 and tells about a certificate verification issue. 

Dmitry Podgorny

unread,
Oct 16, 2020, 4:45:11 PM10/16/20
to libstrophe
Have you tried libstrophe 0.10.0? it prints openssl error in debug logs when verification fails.

Anis Ellouze

unread,
Oct 18, 2020, 4:32:48 PM10/18/20
to libst...@googlegroups.com
Hi all,
I generate a certificate from the zeroSSL website to avoid self signed certificate openssl check but I got another error :

xmpp proceeding with TLS
2018-05-04 21:23:16 [tr069_xmpp] DEBUG - tls Certificate verification FAILED, result=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY(20)
2018-05-04 21:23:16 [tr069_xmpp] DEBUG - tls Certificate was not presented by peer
2018-05-04 21:23:16 [tr069_xmpp] DEBUG - tls error=SSL_ERROR_SSL(1) errno=0
2018-05-04 21:23:16 [tr069_xmpp] DEBUG - tls error:14090086:lib(20):func(144):reason(134)
2018-05-04 21:23:16 [tr069_xmpp] DEBUG - tls Certificate verification passed
2018-05-04 21:23:16 [tr069_xmpp] DEBUG - conn Couldn't start TLS! error -3 tls_error 1
2018-05-04 21:23:16 [tr069_xmpp] DEBUG - conn SENT: </stream:stream>
2018-05-04 21:23:16 [tr069_xmpp] DEBUG - xmpp Send error occurred, disconnecting.
2018-05-04 21:23:16 [tr069_xmpp] DEBUG - xmpp Closing socket.
2018-05-04 21:25:16 [tr069_xmpp] DEBUG - event Stopping event loop.
 
how to test the certification check with libstrophe 0.10.0  on my  xmpp client

Anis Ellouze

unread,
Oct 18, 2020, 6:16:26 PM10/18/20
to libst...@googlegroups.com
Hi all,
I generate a certificate from the zeroSSL website to avoid self signed certificate openssl check but I got another error :

xmpp proceeding with TLS
2018-05-04 21:23:16 [xmpp] DEBUG - tls Certificate verification FAILED, result=X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY(20)
2018-05-04 21:23:16 [xmpp] DEBUG - tls Certificate was not presented by peer
2018-05-04 21:23:16 [xmpp] DEBUG - tls error=SSL_ERROR_SSL(1) errno=0
2018-05-04 21:23:16 [xmpp] DEBUG - tls error:14090086:lib(20):func(144):reason(134)
2018-05-04 21:23:16 [xmpp] DEBUG - conn Couldn't start TLS! error -3 tls_error 1
2018-05-04 21:23:16 [xmpp] DEBUG - conn SENT: </stream:stream>
2018-05-04 21:23:16 [xmpp] DEBUG - xmpp Send error occurred, disconnecting.
2018-05-04 21:23:16 [xmpp] DEBUG - xmpp Closing socket.
2018-05-04 21:25:16 [xmpp] DEBUG - event Stopping event loop.
 
how to test the xmpp client certification check with libstrophe 0.10.0
thx

Reply all
Reply to author
Forward
0 new messages