ssl certificates ( again)

54 views

Skip to first unread message

fabio...@gmail.com

unread,

Apr 26, 2022, 7:02:20 AM4/26/22

to prosod...@googlegroups.com

hello everyone !

I know this argument maybe have been discussed other times, but this post is more for understanding the undergoing processes and then findind a solution.
Hope is not boring discuss again of this

I would achieve running prosody on lan exclusively and have also http_upload module for sending and receiving files. The sender is profanity and it is on the same machine where prosody is running. They share then the same CA self made autorithy

My setup is with prosody/oldstable,now 0.11.2-1+deb10u4 armhf [installed]

Was not easy to understand how achieve self signed CA autority, but after studying a lot and thanks to usefull infos achieved on the prosody chat (I also found a good tutorial ) I understood that a comprensive CA FIRST have to be system wide on the server itself ( /etc/ssl/certs ) and also must have SAN subdomain in it.
I have a certificate.cnf that looks like this:
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[ req ]
default_bits = 2048
prompt = no
distinguished_name=req_distinguished_name
req_extensions = v3_req

[ req_distinguished_name ]
countryName=IT
stateOrProvinceName=LAZIO
localityName=ROME
organizationName=CTT
organizationalUnitName=CTT CERTIFICATE
commonName=certifier.org
emailAddress=root_...@certifier.org

[ alternate_names ]
DNS.1        = 192.168.1.8
DNS.2        = localhost
DNS.3        = 127.0.0.1
DNS.4        = proxy.localhost
DNS.5        = upload.localhost
DNS.6        = conference.localhost
DNS.7        = proxy.192.168.1.8
DNS.8        = upload.192.168.1.8
DNS.9        = conference.192.168.1.8
DNS.10       = pubsub.192.168.1.8

[ v3_req ]
keyUsage=digitalSignature
basicConstraints=CA:true
subjectKeyIdentifier = hash
subjectAltName = @alternate_names
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

So i am obtaining a certifier.key and certifier.crt that covers all the subdomain speficied in the alternates names

With same procedure I obtain a certificate request and a final certificate and key that covers all the names.

Infact when i run a command to chech the whole SAN chain it tells me that dns are covered:

openssl s_client -connect 192.168.1.8:5281 </dev/null 2>/dev/null | openssl x509 -noout -text | grep DNS:

DNS:192.168.1.8, DNS:localhost, DNS:127.0.0.1, DNS:proxy.localhost, DNS:upload.localhost, DNS:conference.localhost, DNS:proxy.192.168.1.8, DNS:upload.192.168.1.8, DNS:conference.192.168.1.8, DNS:pubsub.192.168.1.8

It seems i have my SAN ok and also my final certificate chain is OK against the certifier.crt that i put in /etc/ssl with the update-ca-certificate procedure

openssl verify -CAfile /etc/ssl/certs/certifier.pem /home/certificates/192.168.1.8.crt
/home/certificates/192.168.1.8.crt: OK

the same happen even if I rename final certificate in localhost.crt

openssl verify -CAfile /etc/ssl/certs/certifier.pem /home/certificates/localhost.crt
/home/certificates/localhost.crt: OK

This is normal because I used SAN with several dns names , so apparently it seems every ssl piece is in place.

On my machine my host name is localhost; my virtual host in /etc/prosody/conf.avail/localhost.cfg.lua is localhost too !
in /etc/hosts again all 192.168.1.8 is pointing to relative names :

127.0.0.1    localhost
::1        localhost ip6-localhost ip6-loopback
fe00::0        ip6-localnet
ff00::0        ip6-mcastprefix
ff02::1        ip6-allnodes
ff02::2        ip6-allrouters
192.168.1.8   localhost
192.168.1.8 192.168.1.8
192.168.1.8 pubsub.192.168.1.8
192.168.1.8   conference.192.168.1.8
192.168.1.8   upload.192.168.1.8

Prosody check certs gives me all certificates passed OK compliments ( for being sure I added the same final localhost.key and localhost.crt also renamend in conference.localhost.crt proxy.localhost.crt. pubsub.localhost.crt

Now comes some questions:

Since I don't/cannot implement any DNS in the lan, I used the " trick" to push the upload site as an IP instead of a name. my configuration looks like:

---------------------------------------------------------------------------------------------------------------------------------------------------------
VirtualHost "localhost"
ssl = {
        key = "/etc/prosody/certs/localhost.key";
        certificate = "/etc/prosody/certs/localhost.crt";
        capath= "/etc/prosody/certs/certifier.crt";
    }

disco_items = {
    { "192.168.1.8" },
}

Component "conference.192.168.1.8" "muc"
    restrict_room_creation = false

Component "192.168.1.8" "http_upload"
http_upload_file_size_limit = 10 * 1024 * 1024
http_upload_expire_after = 60 * 60 * 24 * 7
http_upload_allowed_file_types = { "image/*", "text/plain" }
---------------------------------------------------------------------------------------------------------------------------------------------------------------

I must use this trick because prosody wants "virtualhost and it's components" have different names ; and the prosody's log clearly states that :

192.168.199.8:http_upload    info    URL: <https://192.168.1.8:5281/upload> - Ensure this can be reached by users

With this " trick" I don't need a DNS in the lan and https://192.168.1.8:5281/upload is reachable, e.g. by chrome or firefox from another pc in lan.
Of course I have to accept the warning about the certificate since i DON'T want to put the certificate in all machines of the LAN but this is ok

I register to server with extended configurations so i put the ip 192.168.1.8 the port 5222 but the jid willbe goofey@localhost e.g.

The clients android conversation registers perfectly, conference is working, even audio and video are working since they are P2P and clients are under the same LAN, no turn, no coturn needed.

BUT....when i try to send a file with profanity

/sendfile /home/somefile.jpg

it complains that ssl or remote ssh key are not correct, but the check form SAN clearly says that SAN and chain are ok !!!

Why profanity tells certificate is not OK?

If i change
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
disco_items = {
    { "192.168.1.8" },
}

Component "192.168.1.8" "http_upload"

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
to

disco_items = {
    { "upload.192.168.1.8" },
}

Component "upload.192.168.1.8" "http_upload"

than all works ok, profanity can send files since it has the right certificate, can match with ca autorithy and discoveres upload.192.168.1.8 in hosts itself but then on client i need a DNS for resolving upload.192.168.1.8   in the LAN and I cannot set a dns in the LAN !!!!!!

I did a test with ejabberd server ( but i don't like it, I'd prefer prosody) and set tls = false in mod http upload and with simple http instead of https all files fromt-to another pc are working ok

Is possible run prosody unchecking the ssl verify on https and use http ?

or ...

where am I wrong in certificate check ?????

Resume:
1) it is possible run prosody http_upload on 5280 WITHOUT TLS , normal http ?

2) why even if my SAN covers all the combination possible, profanity that resides on the same machine itself and has the wide system CA autority complains my certificate or ssh key is not ok ?
I repeat my CA authority is system wide in /etc/ssl/certs
I must be wrong somehow but cannot get the solution

Thank you so much for enlighting me both on how certificates work and how to circumvent the absence of a DNS resolver in lan