Openfire SSL configuration with PKCS12 unecessarily painful

Just got finished adding SSL to a openfire server using a pkcs12 keystore (I avoid the java keystore format if at all possible due to how annoying it is to export keys and use from anything other than java).

This was unecessarily painful due to a couple aspects of the openfire code:

  1. S2S keystore was assumed to be the same type as the ssl keystore - this isn’t necessarily reasonable as they serve very different purposes, one will likely not have any KEYS in it. I would very much like to see a “xmpp.socket.ssl.trustStoreType” property added to allow this to be specified independently. You allow the password to be different, type should be distinct as well.

  2. Despite what docs say (xmpp.socket.ssl.truststore – leave blank to not use a truststore, otherwise the location of the truststore file relative to your Openfire installation root directory.) - you HAVE to have a valid trustStore or else the startup/ssl code seems to barf. Or at least it did when trying to set up using PKCS12 trust store type. (Looked like setting it to blank just made the code try to read a trustStore that was the server directory.)

  3. Forcing the keystore to be a subdir of the openfire installation - this would be much nicer if it behaved like apache/other apps - if the path has a leading slash, make it absolute path, if no leading slash, relative to server dir.

Seems like at least making change 1 above would be trivial and non-impacting (just fall back to using storeType if this prop isn’t present).

Thanks!

Hello,

Thanks for the feedback. Unfortunately, openfire developer resources are slim these days. If you can, please generate a patch and I’ll see that it gets triaged.

daryl