Getting SSL certificate chain from jabber server


Solution 1

The solution is: Jabber requires starttls:

openssl s_client -connect my.jabber.server.net:5222 </dev/null -starttls xmpp

returns the certificate.

Solution 2

As noted in a previous answer, Jabber/XMPP requires -starttls.

Client-to-server (c2s) certificate for my.jabber.server.net.

openssl s_client -connect my.jabber.server.net:5222 </dev/null -starttls xmpp

To expand upon that answer, there are two types of connections:

  • Normal client logins: -starttls xmpp, default port 5222
  • Connection between servers: -starttls xmpp-server, default port 5269

Server-to-server (s2s) certificate for my.jabber.server.net.

openssl s_client -connect my.jabber.server.net:5269 </dev/null -starttls xmpp-server

With openssl v1.1.0+ you can also check custom domains, with the -xmpphost <domain> flag, or use the option alias -name in openssl v1.1.1+.

Client-to-server (c2s) certificate for custom domain other.example.org hosted by my.jabber.server.net:

openssl s_client -connect my.jabber.server.net:5222 </dev/null -starttls xmpp -xmpphost other.example.org

Server-to-server (s2s) certificate for custom domain other.example.org hosted by my.jabber.server.net:

openssl s_client -connect my.jabber.server.net:5269 </dev/null -starttls xmpp-server -xmpphost other.example.org
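As an added example (not part of either answer), a POSIX shell script that puts the commands above together: it picks the port and -starttls value for c2s or s2s, adds -xmpphost for a hosted domain, asks s_client for the whole chain with -showcerts, and splits the output into one PEM file per certificate so the chain can be imported into a client. The function names, the output directory and the sample s_client output are assumptions/constructed for this example.

```shell
# Added example, not from the answers above: fetch the chain an XMPP server
# presents after STARTTLS and split it into one PEM file per certificate, the
# form a client such as Pidgin can import. -xmpphost needs openssl 1.1.0+.
#
# xmpp_chain HOST MODE [XMPPHOST] [OUTDIR]
#   MODE c2s: port 5222, -starttls xmpp; s2s: port 5269, -starttls xmpp-server
#   XMPPHOST: hosted domain to request with -xmpphost (optional)
xmpp_chain() {
    host=$1 mode=$2 xmpphost=${3:-} outdir=${4:-./xmpp-chain}
    case $mode in
        c2s) port=5222 proto=xmpp ;;
        s2s) port=5269 proto=xmpp-server ;;
        *)   echo "mode must be c2s or s2s" >&2; return 2 ;;
    esac
    set -- -connect "$host:$port" -starttls "$proto" -showcerts
    [ -n "$xmpphost" ] && set -- "$@" -xmpphost "$xmpphost"
    # -showcerts prints the whole chain, not only the leaf certificate.
    openssl s_client "$@" </dev/null | split_chain "$outdir"
}

# split_chain OUTDIR: read s_client output on stdin, write each PEM block to
# OUTDIR/cert-N.pem (cert-1 is the leaf), print the count, fail if none found.
split_chain() {
    mkdir -p "$1"
    n=$(awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem"; keep = 1 }
        keep                          { print > f }
        /-----END CERTIFICATE-----/   { keep = 0; close(f) }
        END                           { print n + 0 }')
    echo "$n"
    [ "$n" -gt 0 ]
}

# Constructed stand-in for s_client -showcerts output (the PEM bodies are not
# real certificates) so split_chain can be exercised offline.
sample_s_client_output() {
    cat <<'EOF'
Certificate chain
 0 s:CN = my.jabber.server.net
   i:CN = Example Issuer CA
-----BEGIN CERTIFICATE-----
MIIBconstructedLEAFcertificateNOTrealAAAA
-----END CERTIFICATE-----
 1 s:CN = Example Issuer CA
   i:CN = Example Issuer CA
-----BEGIN CERTIFICATE-----
MIIBconstructedCAcertificateNOTrealBBBB
-----END CERTIFICATE-----
EOF
}
```

Before importing anything, inspect each file with `openssl x509 -noout -subject -issuer -enddate -in cert-1.pem` and confirm the leaf really names the domain you asked for; a chain fetched this way is only as trustworthy as the path it travelled over.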


Author: ProfHase85

Updated on September 18, 2022

Comments

  • ProfHase85, almost 2 years

    Trying to connect my jabber client (pidgin) to a jabber server with a self-signed certificate, I am getting an "unable to validate certificate" error.

    As it is not possible to tell the client not to validate the chain, I would like to get the certificate chain in order to import it there. Therefore I use:

    openssl s_client -connect my.jabber.server.net:5222 </dev/null


    I am getting the following answer:

    openssl s_client -connect cup1.sprachdienst.fraunhofer.de:5222

    CONNECTED(00000003)
    140472458057376:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 213 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---

    Why don't I get the certificate chain while my jabber client does?

  • noobish, about 7 years
    Not if your server is presenting a self-signed cert (although it's not good to blindly accept a cert downloaded in this fashion). If this is happening to you, you'll see: nss: ERROR -8172: SEC_ERROR_UNTRUSTED_ISSUER in the debug window for one of the received certs.
  • Quantim, over 5 years
    Hi, the question is about how to get an already generated and installed certificate from the jabber server, not about generating a new one.