hello everyone !
I know this argument maybe have been discussed other times, but
this post is more for understanding the undergoing processes and
then findind a solution.
Hope is not boring discuss again of this
I would achieve running prosody on lan exclusively and have also
http_upload module for sending and receiving files. The sender is
profanity and it is on the same machine where prosody is running.
They share then the same CA self made autorithy
My setup is with prosody/oldstable,now 0.11.2-1+deb10u4 armhf
[installed]
Was not easy to understand how achieve self signed CA autority,
but after studying a lot and thanks to usefull infos achieved on
the prosody chat (I also found a good tutorial ) I understood
that a comprensive CA FIRST have to be system wide on the server
itself ( /etc/ssl/certs ) and also must have SAN subdomain in it.
I have a certificate.cnf that looks like this:
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
[ req ]
default_bits = 2048
prompt = no
distinguished_name=req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName=IT
stateOrProvinceName=LAZIO
localityName=ROME
organizationName=CTT
organizationalUnitName=CTT CERTIFICATE
commonName=certifier.org
emailAddress=root_...@certifier.org
[ alternate_names ]
DNS.1 = 192.168.1.8
DNS.2 = localhost
DNS.3 = 127.0.0.1
DNS.4 = proxy.localhost
DNS.5 = upload.localhost
DNS.6 = conference.localhost
DNS.7 = proxy.192.168.1.8
DNS.8 = upload.192.168.1.8
DNS.9 = conference.192.168.1.8
DNS.10 = pubsub.192.168.1.8
[ v3_req ]
keyUsage=digitalSignature
basicConstraints=CA:true
subjectKeyIdentifier = hash
subjectAltName = @alternate_names
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
So i am obtaining a certifier.key and certifier.crt that covers
all the subdomain speficied in the alternates names
With same procedure I obtain a certificate request and a final
certificate and key that covers all the names.
Infact when i run a command to chech the whole SAN chain it tells
me that dns are covered:
openssl s_client -connect
192.168.1.8:5281 </dev/null 2>/dev/null | openssl x509
-noout -text | grep DNS:
DNS:192.168.1.8, DNS:localhost, DNS:127.0.0.1,
DNS:proxy.localhost, DNS:upload.localhost,
DNS:conference.localhost, DNS:proxy.192.168.1.8,
DNS:upload.192.168.1.8, DNS:conference.192.168.1.8,
DNS:pubsub.192.168.1.8
It seems i have my SAN ok and also my final certificate chain is
OK against the certifier.crt that i put in /etc/ssl with the
update-ca-certificate procedure
openssl verify -CAfile /etc/ssl/certs/certifier.pem
/home/certificates/192.168.1.8.crt
/home/certificates/192.168.1.8.crt: OK
the same happen even if I rename final certificate in
localhost.crt
openssl verify -CAfile
/etc/ssl/certs/certifier.pem /home/certificates/localhost.crt
/home/certificates/localhost.crt: OK
This is normal because I used SAN with several dns names , so
apparently it seems every ssl piece is in place.
On my machine my host name is localhost; my virtual host in
/etc/prosody/conf.avail/localhost.cfg.lua is localhost too !
in /etc/hosts again all 192.168.1.8 is pointing to relative names
:
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.1.8 localhost
192.168.1.8 192.168.1.8
192.168.1.8 pubsub.192.168.1.8
192.168.1.8 conference.192.168.1.8
192.168.1.8 upload.192.168.1.8
Prosody check certs gives me all
certificates passed OK compliments ( for being sure I
added the same final localhost.key and localhost.crt also renamend
in conference.localhost.crt proxy.localhost.crt.
pubsub.localhost.crt
Now comes some questions:
Since I don't/cannot implement any DNS in the lan, I used the "
trick" to push the upload site as an IP instead of a name. my
configuration looks like:
---------------------------------------------------------------------------------------------------------------------------------------------------------
VirtualHost "localhost"
ssl = {
key = "/etc/prosody/certs/localhost.key";
certificate = "/etc/prosody/certs/localhost.crt";
capath= "/etc/prosody/certs/certifier.crt";
}
disco_items = {
{ "192.168.1.8" },
}
Component "conference.192.168.1.8" "muc"
restrict_room_creation = false
Component "192.168.1.8" "http_upload"
http_upload_file_size_limit = 10 * 1024 * 1024
http_upload_expire_after = 60 * 60 * 24 * 7
http_upload_allowed_file_types = { "image/*", "text/plain"
}
---------------------------------------------------------------------------------------------------------------------------------------------------------------
I must use this trick because prosody wants "virtualhost and it's
components" have different names ; and the prosody's log clearly
states that :
192.168.199.8:http_upload info URL:
<https://192.168.1.8:5281/upload> - Ensure this can be
reached by users
With this " trick" I don't need a DNS in the
lan and https://192.168.1.8:5281/upload is reachable, e.g. by
chrome or firefox from another pc in lan.
Of course I have to accept the warning about the certificate since
i DON'T want to put the certificate in all machines of the LAN but
this is ok
I register to server
with extended configurations so i put the ip 192.168.1.8 the
port 5222 but the jid willbe goofey@localhost e.g.
The clients android conversation registers perfectly,
conference is working, even audio and video are working since
they are P2P and clients are under the same LAN, no turn, no
coturn needed.
BUT....when i try to send a file with profanity
/sendfile /home/somefile.jpg
it complains that ssl or remote ssh key are
not correct, but the check form SAN clearly says that SAN
and chain are ok !!!
Why profanity tells certificate is not OK?
If i change
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
disco_items = {
{ "192.168.1.8" },
}
Component "192.168.1.8" "http_upload"
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
to
disco_items = {
{ "upload.192.168.1.8" },
}
Component "upload.192.168.1.8" "http_upload"
than all works ok, profanity can send files
since it has the right certificate, can match with ca autorithy
and discoveres upload.192.168.1.8
in hosts itself but then on
client i need a DNS for resolving upload.192.168.1.8 in the
LAN and I cannot set a dns in the LAN !!!!!!
I did a test with ejabberd server ( but i don't like it, I'd prefer prosody) and set tls = false
in mod http upload and with simple http instead of https all files
fromt-to another pc are working ok
Is possible run prosody unchecking the ssl
verify on https and use http ?
or ...
where am I wrong in certificate check ?????
Resume:
1) it is possible run prosody http_upload on 5280 WITHOUT TLS ,
normal http ?
2) why even if my SAN covers all the combination possible,
profanity that resides on the same machine itself and has the
wide system CA autority complains my certificate or ssh key is
not ok ?
I repeat my CA authority is system wide in /etc/ssl/certs
I must be wrong somehow but cannot get the solution
Thank you so much for enlighting me both on how certificates work
and how to circumvent the absence of a DNS resolver in lan