Using openfire 3.10.2. I’ve been able to successfully import my RapidSSL signed cert with the CA root using the openfire server certificate admin screen. I ran into a couple of issues.
- The cert won’t import unless you type something into the private key passphrase field. It doesn’t matter what, mind you, just as long as something is there.
- I couldn’t import unless I imported the CA root cert into the truststore db directly from the commandline first. Then I could import everything from the gui.
But that all said, I can now connect to the openfire admin gui securely except one problem: I keep getting this:
Your connection to mysite.com is encrypted with obsolete cryptography.
The connection uses TLS 1.2.
The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism.
Connecting with pidgin (windows) throws an error too telling me the cert could not be validated and when I check the cert I am told the fingerprint is SHA1.
I use the same cert/key/CA root in nginx and I am told:
Your connection to mysite.com is encrypted with modern cryptography.
The connection uses TLS 1.2.
The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.
I checked the CA root cert in the trust store and I see the following fingerprints. Could the SHA1 fingerprint be causing a problem? I’m sort of lost. I’ve done everything I can think of. Does openfire just not work with RapidSSL’s certs?
Certificate fingerprints:
MD5: 71:07:82:7D:C1:8A:DC:DC:BF:16:A2:57:2C:69:47:C7
SHA1: DC:07:7C:4A:B3:42:2F:60:8C:EE:83:D9:09:8B:FC:3A:72:26:D6:A7
SHA256: 5B:87:E2:22:F2:03:46:FA:36:28:81:6E:D6:CE:71:FA:AB:A0:85:7F:B8:BC:BA:73:77:6E:A1:FA:56:CD:00:57
Signature algorithm name: SHA256withRSA
Version: 3
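The two browser messages quoted above can be checked mechanically. The following script is an added example and is not part of the original post or of Openfire; it applies the rule Chrome used for the "obsolete cryptography" label (TLS 1.2 or newer, an AEAD bulk cipher such as GCM or ChaCha20, and ECDHE key exchange) to the summary wording, and separately computes certificate fingerprints from raw DER bytes. The point it illustrates is that the MD5/SHA1/SHA256 lines in the truststore output are just digests of the certificate bytes for identification; the signature algorithm (SHA256withRSA here) and the negotiated cipher suite are what matter, and the "obsolete" verdict comes from the AES_256_CBC/SHA1 suite the Java TLS stack chose, not from the certificate. The `negotiated_cipher` helper, the host/port arguments and the sample bytes passed to `fingerprints` are assumptions for illustration.

```python
import hashlib
import re
import socket
import ssl

# Bulk ciphers that provide integrated authentication (AEAD); CBC suites
# with a separate HMAC (e.g. SHA1) are the ones browsers flagged as obsolete.
AEAD_MARKERS = ("_GCM", "CHACHA20", "_CCM")

# Wording copied from the two browser messages quoted in the post.
OBSOLETE_SUMMARY = (
    "The connection uses TLS 1.2. The connection is encrypted using "
    "AES_256_CBC, with SHA1 for message authentication and ECDHE_RSA "
    "as the key exchange mechanism."
)
MODERN_SUMMARY = (
    "The connection uses TLS 1.2. The connection is encrypted and "
    "authenticated using AES_128_GCM and uses ECDHE_RSA as the key "
    "exchange mechanism."
)


def parse_security_summary(text):
    """Extract protocol version, bulk cipher, MAC and key exchange from the
    browser's connection summary sentence."""
    version = re.search(r"uses (TLS|SSL) (\d\.\d)", text)
    cipher = re.search(r"using ([A-Z0-9_]+)", text)
    mac = re.search(r"with ([A-Z0-9_]+) for message authentication", text)
    kx = re.search(r"([A-Z0-9_]+) as the key exchange", text)
    return {
        "protocol": version.group(1) if version else None,
        "version": float(version.group(2)) if version else 0.0,
        "cipher": cipher.group(1) if cipher else "",
        # AEAD suites carry no separate MAC; label them as such.
        "mac": mac.group(1) if mac else "AEAD",
        "kx": kx.group(1) if kx else "",
    }


def classify(summary):
    """Return ("modern", []) or ("obsolete", [reasons]) using Chrome's rule:
    TLS >= 1.2, an AEAD cipher and ECDHE key exchange are all required."""
    reasons = []
    if summary["protocol"] != "TLS" or summary["version"] < 1.2:
        reasons.append("protocol older than TLS 1.2")
    if not any(m in summary["cipher"] for m in AEAD_MARKERS):
        reasons.append(
            f"non-AEAD cipher {summary['cipher']} with {summary['mac']} MAC"
        )
    if not summary["kx"].startswith("ECDHE"):
        reasons.append(f"key exchange {summary['kx']} is not ECDHE")
    return ("modern" if not reasons else "obsolete", reasons)


def fingerprints(der_bytes):
    """Colon-separated uppercase digests of the certificate bytes, in the
    same layout keytool prints. These identify the cert; they say nothing
    about which hash was used in its signature."""
    out = {}
    for label, algo in (("MD5", "md5"), ("SHA1", "sha1"), ("SHA256", "sha256")):
        digest = hashlib.new(algo, der_bytes).hexdigest().upper()
        out[label] = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return out


def negotiated_cipher(host, port):
    """Connect to a live server (needs network; assumed host/port) and
    report the cipher suite it actually negotiated plus the cert digests.
    Useful for comparing Openfire's admin port with nginx on the same cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, proto, bits = tls.cipher()
            fps = fingerprints(tls.getpeercert(binary_form=True))
    return {"suite": name, "protocol": proto, "bits": bits, "fingerprints": fps}


if __name__ == "__main__":
    for label, text in (("openfire", OBSOLETE_SUMMARY), ("nginx", MODERN_SUMMARY)):
        verdict, why = classify(parse_security_summary(text))
        print(f"{label}: {verdict} {why}")
    # Constructed stand-in for DER bytes, only to show the output layout.
    print(fingerprints(b"constructed-sample-certificate-bytes")["SHA256"])
```

Running it prints the Openfire summary as obsolete with the reason "non-AEAD cipher AES_256_CBC with SHA1 MAC" and the nginx summary as modern, which matches the browser's verdicts in the post and shows that the fix lies in the cipher suites the Openfire JVM offers rather than in re-issuing the certificate.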