Spark 2.8.0 can't login server

Hi guys I’m having the same problem.

My server is set with domain name betsonchat. On the clients they have betsonchat.betson.com. They can log in this way on the network. When they are off the network, they can still log in using the same server name betsonchat.betson.com. I’m not using AD, simply the Openfire internal built-in LDAP.

With this new version of Spark, it does not connect unless I change the name to just betsonchat and click on “use spark version as resource”, “use compression”, and “accept all certificates”.

Now when outside the network, you can’t use either one. I understand the need for security, but Spark should allow you to choose if you want to be this secured or not. I think this option should be added to the next release. I don’t intend on reconfiguring my server, since it’s worked great for 5 years now. And I don’t want to change the config on 200 machines.

Can we add this feature on the next release to allow the admin or users to set how secured they want to be? At this point I will just continue to use Spark 2.7.7.

Please note I’m also using the latest Openfire server 4.0.3 on a Windows server.

Thanks…

I believe that your issue is not the same as the post you have posted in (you are not using AD integration, Openfire’s internal database is not LDAP based). So I have branched out your question into a separate thread.

You can still use 2.7.7 for as long as you want (though Openfire 4.1.0 may introduce additional changes which can break 2.7.7 login). It won’t be removed and it can still be downloaded by replacing version numbers in the download link. Using 2.7.7 is the same as using 2.8.0 with disabled security (in terms of security). 2.8.0 doesn’t have any groundbreaking new features, so your users probably will be fine with 2.7.7.

As for 2.8.0, there won’t be a default configuration with disabled security. This is not right. It is enough that Spark was completely insecure for many years already. Those who don’t want to be secure or change their configurations can use an older version. New users shouldn’t suffer because of that. So new users will get the best security settings possible. There is currently no option in Spark to add an exception for a mismatched certificate. There is a ticket for this, but we don’t have regular active developers here, so not sure when it can be implemented: https://issues.igniterealtime.org/browse/SPARK-1203. There is no option to change login settings for Spark from a server either.

Version 2.8.1 will have an option “Disable certificate hostname verification” on the Advanced settings. Enabling this will make it the same as 2.7.7. But it won’t be enabled by default.

Hi,

Thanks for the speedy response.

I don’t mind sending an email to the users to check “Disable certificate hostname verification”. That’s better than having them click on a bunch of other options.

On the flip side, what would be the easiest way to fix my problem without touching the user end and not breaking anything?

Thanks,

Kenny

You can try the SRV DNS records. E.g. I put igniterealtime.org as a server when logging into our internal Openfire server here. But the server is actually xmpp.igniterealtime.org. There are SRV records pointing clients trying to login to igniterealtime.org:5222 to xmpp.igniterealtime.org:5222. So I can use igniterealtime.org as a server in Spark without a problem and certificate check doesn’t fail in 2.8.0. Check DNS SRV records for XMPP. But this might not work for you as your server’s name is like a subdomain of your main domain.

1 Like
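The hostname check discussed in this thread, as an added illustration that is not part of any post and is not Spark's or Openfire's code: a simplified RFC 6125-style comparison of the name typed into the client against the DNS names in the server certificate. Every certificate name list below is a constructed assumption (including that the server's certificate carries only the short name `betsonchat`), and `dns_name_matches`, `verify_login` and `scenarios` are hypothetical helper names.

```python
# Added illustration: simplified dNSName matching in the style of RFC 6125.
# Certificate name lists are constructed; they are not taken from the thread.

def dns_name_matches(pattern, hostname):
    """Compare one certificate dNSName against the name the client expects."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one label
    if p_labels[0] == "*":
        # Accept a wildcard only as the whole left-most label, never "*.tld".
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def verify_login(entered_domain, cert_dns_names):
    """The reference identity is the domain typed into the client.

    An SRV record only changes which host is dialled (RFC 6120 keeps the
    check on the source domain), so the SRV target is not consulted here.
    """
    return any(dns_name_matches(n, entered_domain) for n in cert_dns_names)


def scenarios():
    short_only = ["betsonchat"]  # assumed: cert issued for the short XMPP domain
    both_names = ["betsonchat", "betsonchat.betson.com"]  # constructed
    return {
        "short name, short-only cert": verify_login("betsonchat", short_only),
        "FQDN, short-only cert": verify_login("betsonchat.betson.com", short_only),
        "FQDN, cert listing both names": verify_login("betsonchat.betson.com", both_names),
        "FQDN, wildcard cert": verify_login("betsonchat.betson.com", ["*.betson.com"]),
        # SRV case from the last post: user enters igniterealtime.org and is
        # redirected to xmpp.igniterealtime.org; the entered name is still checked.
        "SRV, cert covers entered domain": verify_login(
            "igniterealtime.org", ["igniterealtime.org", "xmpp.igniterealtime.org"]),
        "SRV, cert covers target only": verify_login(
            "igniterealtime.org", ["xmpp.igniterealtime.org"]),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'verified' if ok else 'hostname mismatch'}")
```
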