I know this question has been asked quite a bit on these forums, however, I’m still having a problem enabling my OpenFire server to use PKI Authentication.
I’m fairly sure I have all of my server settings correct (pointing to the correct place for keystore, truststore, etc), but I don’t think the server is properly sending my client back a list of CAs for which to ask my client for its certificates.
Here is a listing of pertinent props:
- sasl.mechs = EXTERNAL
- xmpp.client.cert.policy = WANTED
- xmpp.client.certificate.verify = true
- xmpp.client.certificate.verify.chain = true
- xmpp.client.certificate.verify.root = true
- xmpp.client.certificate.verify.validity = true
- xmpp.client.tls.policy = required
- xmpp.socket.ssl.active = true
- xmpp.socket.ssl.client.truststore = resources/security/truststore
- xmpp.socket.ssl.client.trustpass = {my password}
- xmpp.socket.ssl.keystore = resources/security/keystore
- xmpp.socket.ssl.keypass = {my password}
I have a keystore and a truststore located in {openfire root}/resources/security/
I have my server’s private keys in the keystore and a listing of available CAs in my truststore.
I’m getting the error: “EXTERNAL auth requested, but no certificates found”
I’ve tested this with openssl s_connect… and see that the server is not sending back my list of CAs. I’m using the same keystore/truststore on another web application (run in JBoss) and my openssl s_connect… properly gets my list of CAs.
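The check described in the post (does the server's TLS handshake advertise a list of acceptable client-CA names?) can be made repeatable by parsing `openssl s_client` output rather than eyeballing it. The script below is an added example, not code from the poster or from the Openfire project. It assumes the real command is `openssl s_client -connect host:5222 -starttls xmpp` (both flags exist in OpenSSL); the two outputs embedded in it are constructed stand-ins so the script runs offline, and the DNs in them are made up. With `xmpp.client.cert.policy = WANTED` the server should send a TLS CertificateRequest; when that request is missing, or its CA list does not contain the issuer of the client's certificate, the client presents nothing and the server-side result is the "EXTERNAL auth requested, but no certificates found" error quoted above.

```python
"""Parse `openssl s_client` output and report whether the server asked for a
client certificate and which issuer DNs it advertised.

Real usage (assumption: the server listens on 5222 and speaks STARTTLS):
    openssl s_client -connect xmpp.example.test:5222 -starttls xmpp > out.txt
    python check_certreq.py out.txt
"""
import re
import sys
from dataclasses import dataclass, field
from typing import List

CA_HEADER = "Acceptable client certificate CA names"
# s_client section headers that terminate the CA-name list.
SECTION_STARTS = ("---", "Client Certificate Types", "Requested Signature",
                  "Shared Requested", "Peer signing digest", "Peer signature type",
                  "Server Temp Key", "SSL handshake")


@dataclass
class CertRequestReport:
    requested: bool = False                        # server sent a CertificateRequest
    ca_names: List[str] = field(default_factory=list)  # issuer DNs it will accept
    verify_return_code: int = -1                   # s_client's own verification of the server cert


def parse_s_client(output: str) -> CertRequestReport:
    """Heuristic parser: a CertificateRequest is assumed when s_client prints
    CA names or (TLS 1.2) the 'Client Certificate Types' line."""
    report = CertRequestReport()
    lines = output.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith(CA_HEADER):
            report.requested = True
            i += 1
            while i < len(lines):
                dn = lines[i].strip()
                if not dn or dn.startswith(SECTION_STARTS):
                    break
                report.ca_names.append(dn)
                i += 1
            continue  # re-examine the line that ended the list
        if line.startswith("Client Certificate Types"):
            report.requested = True
        m = re.match(r"Verify return code:\s*(\d+)", line)
        if m:
            report.verify_return_code = int(m.group(1))
        i += 1
    return report


def _same_dn(a: str, b: str) -> bool:
    """Compare DNs across the '/C=US/O=X' and 'C = US, O = X' print styles."""
    def norm(s: str):
        parts = re.split(r"\s*[,/]\s*", s.strip().strip("/"))
        return tuple(p.replace(" ", "") for p in parts if p)
    return norm(a) == norm(b)


def diagnose(report: CertRequestReport, client_issuer_dn: str) -> str:
    """Return 'ok', 'no_certificate_request' or 'issuer_not_advertised'."""
    if not report.requested:
        return "no_certificate_request"
    if not any(_same_dn(client_issuer_dn, name) for name in report.ca_names):
        return "issuer_not_advertised"
    return "ok"


# Constructed sample: a server whose truststore CAs are advertised.
GOOD_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = xmpp.example.test
   i:C = US, O = Example Corp, CN = Example Corp Root CA
---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Corp Root CA
C = US, O = Example Corp, CN = Example Corp Issuing CA 1
Client Certificate Types: RSA sign, ECDSA sign
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256
---
SSL handshake has read 2345 bytes and written 456 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---
"""

# Constructed sample: the symptom from the post, no CertificateRequest at all.
BAD_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = xmpp.example.test
   i:C = US, O = Example Corp, CN = Example Corp Root CA
---
No client certificate CA names sent
---
SSL handshake has read 1890 bytes and written 412 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---
"""

if __name__ == "__main__":
    # Hypothetical issuer of the client's certificate; adjust to your PKI.
    issuer = "/C=US/O=Example Corp/CN=Example Corp Root CA"
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_OUTPUT
    rep = parse_s_client(text)
    print("requested:", rep.requested, "CAs:", rep.ca_names)
    print("diagnosis:", diagnose(rep, issuer))
```

If the diagnosis is `no_certificate_request`, the problem is on the server side of the handshake (the client was never asked), which matches the post's observation that the JBoss deployment of the same keystore and truststore does advertise the list while Openfire does not; `issuer_not_advertised` instead points at the truststore contents.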