Add SASL-EXTERNAL on s2s connections (#1047)
wojciech.kapcia@tigase.net opened 5 years ago

XEP-0178: Best Practices for Use of SASL EXTERNAL with Certificates: Server-to-Server Recommendation

  • "If the 'from' attribute of stream header sent by Server1 can be matched against one of the identifiers provided in the certificate following the matching rules from RFC 6125, Server2 returns success."
  • CA chain verification based on CAs from JVM
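The identity-matching half of the XEP-0178 rule quoted above, as an added example that is not Tigase code: it pulls the 'from' attribute out of a stream header and compares it against identifiers assumed to have already been extracted from the peer certificate's subjectAltName (id-on-xmppAddr, SRV-ID and dNSName) following the RFC 6125 dNSName rules. The stream header is the one from the log in this issue; the certificate identifiers are constructed. CA chain verification is a separate step and is not shown.

```python
import xml.parsers.expat

STREAM_NS = "http://etherx.jabber.org/streams"

# Stream header as received from the remote server (taken from the log in this issue).
SAMPLE_HEADER = ("<?xml version='1.0'?><stream:stream version='1.0' "
                 "xmlns:stream='http://etherx.jabber.org/streams' from='wielicki.name' "
                 "xml:lang='en' to='tigase.im' xmlns:db='jabber:server:dialback' xmlns='jabber:server'>")

def stream_from(header):
    """Return the 'from' attribute of the opening <stream:stream>, or None if absent."""
    found = {}
    def start(name, attrs):
        if name == STREAM_NS + " stream" and "from" not in found:
            found["from"] = attrs.get("from")
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartElementHandler = start
    parser.Parse(header, False)  # not final: the stream element is still open at this point
    return found.get("from")

def dns_id_matches(presented, reference):
    """dNSName comparison per RFC 6125 section 6.4.3: case-insensitive, a wildcard only as the
    whole left-most label, matching exactly one label (so *.example.net does not match example.net)."""
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if len(p) != len(r) or len(p) < 2 or any("*" in lbl for lbl in p[1:]):
        return False
    if p[0] == "*":
        return p[1:] == r[1:]
    return p == r  # partial-label wildcards (f*o.example.net) are optional in the RFC; rejected here

def peer_identity_matches(from_domain, cert_ids):
    """cert_ids: constructed (kind, value) pairs as extracted from the certificate's subjectAltName:
    'xmppaddr' (id-on-xmppAddr), 'srv' (SRV-ID, e.g. _xmpp-server.example.net) or 'dns' (dNSName).
    Wildcards are honoured only for dNSName, as RFC 6125 and XEP-0178 recommend."""
    if not from_domain:
        return False  # no 'from' in the stream header: nothing to match, so no SASL EXTERNAL success
    ref = from_domain.lower().rstrip(".")
    for kind, value in cert_ids:
        if kind == "xmppaddr" and value.lower() == ref:
            return True
        if kind == "srv" and value.lower() == "_xmpp-server." + ref:
            return True
        if kind == "dns" and dns_id_matches(value, ref):
            return True
    return False

def check_sample():
    """Constructed certificate identifiers for the sample peer; returns the accept decision."""
    cert_ids = [("dns", "*.wielicki.name"), ("srv", "_xmpp-server.wielicki.name")]
    return peer_identity_matches(stream_from(SAMPLE_HEADER), cert_ids)

if __name__ == "__main__":
    print("accept SASL EXTERNAL:", check_sample())  # True, via the SRV-ID (the wildcard alone would not)
```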
wojciech.kapcia@tigase.net commented 5 years ago

With sasl-external enabled almost all remote, non-Tigase servers fail to establish s2s with:

[2019-09-05 19:19:53:291] [FINEST  ] [      pool-32-thread-8 ] XMPPIOService.processSocketData(): CID: tigase.im@wielicki.name, null, type: connect, Socket: TLS: nullSocket[addr=/95.217.50.18,port=5269,localport=10976], jid: null, READ:<?xml version='1.0'?><stream:stream version='1.0' xmlns:stream='http://etherx.jabber.org/streams' from='wielicki.name' xml:lang='en' to='tigase.im' xmlns:db='jabber:server:dialback' xmlns='jabber:server'><stream:error><invalid-namespace xmlns='urn:ietf:params:xml:ns:xmpp-streams'/></stream:error></stream:stream>
Bartosz Małkowski commented 5 years ago

@wojtek Do you have more logs? What exactly packet caused this response?

Bartosz Małkowski commented 5 years ago

I hope the problem is fixed.
