Forum: MatriX RSS
Unable to validate Tigase certificate because machine name and Tigase domain name do not match
bblazek #1
User title: BJB
Member since Apr 2013 · 2 posts
Group memberships: Members
Subject: TLS Authentication with Tigase Server
Hi,

This is my first post and I am very new to XMPP and trying to assist another developer.

We have an XMPP server running Tigase that includes two domains. For illustrative purposes, let's say Domain1.com and Domain2.com. In Tigase, we have specified that both domains are to be validated with TLS. We have created 3rd-party-signed certificates for Domain1.com and Domain2.com and put them in the certs directory for Tigase.

When the authentication happens in the MatriX client, the hostname we are receiving is the name of the server (something like server1.com), but the certificate provided is for Domain1.com. Therefore, we are getting a Server Name Mismatch error and the connection is closed.

I am trying to understand how I can instruct the MatriX code to use the XMPP domain name to validate instead of the server hostname. Can anyone help?

Thanks!
Alex #2
Member since Feb 2003 · 4322 posts · Location: Germany
Group memberships: Administrators, Members
I assume you are using MatriX with the "full" .NET Framework. In this version there is a callback for the server certificate which is raised when the socket gets upgraded from plain to TLS.

In this callback you can validate the certificate according to your own policies and accept or deny it.

Here is some example code from the MiniClient. Please let me know if this solves your problem.

  using System.Net.Security;
  using System.Security.Cryptography.X509Certificates;
  using System.Windows.Forms;
  using Matrix;

  // Raised when the socket is upgraded from plain TCP to TLS.
  private void xmppClient_OnValidateCertificate(object sender, CertificateEventArgs e)
  {
      // always accept cert
      e.AcceptCertificate = true; // or false

      // or let the user validate the certificate
      //ValidateCertificate(e);
  }

  private void ValidateCertificate(CertificateEventArgs e)
  {
      // No policy errors: the chain built and the name matched the host we connected to.
      if (e.SslPolicyErrors == SslPolicyErrors.None)
      {
          e.AcceptCertificate = true;
      }
      else
      {
          // Show the certificate and let the user decide whether to trust it.
          X509Certificate2UI.DisplayCertificate(new X509Certificate2(e.Certificate));
          if (MessageBox.Show("Accept Certificate", "Certificate", MessageBoxButtons.YesNo) == DialogResult.Yes)
              e.AcceptCertificate = true;
          else
              e.AcceptCertificate = false;
      }
  }
bblazek #3
User title: BJB
Member since Apr 2013 · 2 posts
Group memberships: Members
Thanks Alex, this is a great help.  Do others not encounter this issue when their machine name matches the domain name?  It seems anyone that supports multiple domains from a single server would deal with this.  Just want to make sure I am understanding this correctly.

Thanks again!

BJB
Alex #4
Member since Feb 2003 · 4322 posts · Location: Germany
Group memberships: Administrators, Members
Quote by bblazek:
Thanks Alex, this is a great help.  Do others not encounter this issue when their machine name matches the domain name?

With the full .NET version, no, and I wonder why you have the problem. When you don't subscribe to the OnValidateCertificate callback, MatriX returns true to the .NET certificate callback and accepts all certs by default. But if you have problems with the full .NET version without being subscribed to the OnValidateCertificate callback, then your problem must be somewhere else.

When you host multiple domains, you normally put a hostname which does not equal your XMPP domains in the SRV records for your domains. XMPP clients connect to the host advertised in your SRV records and can validate the cert against this hostname.

Example:

You host foo.com and bar.com XMPP domains. Both have xmpp.mycorp.com as hostname in the SRV records. This means both clients connect for XMPP to xmpp.mycorp.com and validate the certificate against this host.

Google does similar stuff with Google Apps, where they host thousands or millions of XMPP domains. All clients connect to talk.google.com according to the SRV records.

Load balancing is also no problem with wildcard certificates. So you could have srv1.xmpp.mycorp.com, srv2.xmpp.mycorp.com, srv3.xmpp.mycorp.com in your SRV records and use a cert with a wildcard hostname of *.xmpp.mycorp.com.

I hope this helps.

Alex
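The following is an added example, not code from the original posts, MatriX or Tigase. It fills in the policy the original question asked for (post #1) and covers the SRV-host and wildcard setups described in post #4: the callback from post #2 is implemented so that a certificate is accepted when its chain is trusted and one of its dNSName identities matches either the XMPP domain the client set out to reach or the host advertised in that domain's SRV record. Per RFC 6120 (section 13.7.2) the reference identity an XMPP client checks is the XMPP service domain, which is why a certificate for Domain1.com is the expected case even when the TCP peer is server1.com. Only the name mismatch is reconsidered; an untrusted chain or a missing certificate is still rejected. Assumptions: the `Matrix` namespace declares `XmppClient` and `CertificateEventArgs` with the `Certificate`, `SslPolicyErrors` and `AcceptCertificate` members used on this page, the event is subscribed with `+=`, and the `XmppCertificatePolicy` class name and its constructor arguments are illustrative.

```csharp
// Added example; not MatriX's or Tigase's own code.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Matrix; // assumed: MatriX namespace declaring XmppClient and CertificateEventArgs

public sealed class XmppCertificatePolicy
{
    // Identities the client intended to reach: the XMPP domain itself and, optionally,
    // the host advertised in its SRV record (e.g. "xmpp.mycorp.com").
    private readonly string[] referenceIdentities;

    public XmppCertificatePolicy(params string[] referenceIdentities)
    {
        this.referenceIdentities = referenceIdentities
            .Select(id => id.TrimEnd('.').ToLowerInvariant()).ToArray();
    }

    // Subscribe with (assumed event syntax):
    //   var policy = new XmppCertificatePolicy("domain1.com", "xmpp.mycorp.com");
    //   xmppClient.OnValidateCertificate += policy.OnValidateCertificate;
    public void OnValidateCertificate(object sender, CertificateEventArgs e)
    {
        e.AcceptCertificate = Accept(new X509Certificate2(e.Certificate), e.SslPolicyErrors);
    }

    public bool Accept(X509Certificate2 cert, SslPolicyErrors errors)
    {
        // Only the host-name mismatch is reconsidered. An untrusted chain, an expired or
        // revoked certificate, or no certificate at all is always rejected.
        if ((errors & ~SslPolicyErrors.RemoteCertificateNameMismatch) != SslPolicyErrors.None)
            return false;

        if (errors == SslPolicyErrors.None)
            return true; // .NET already matched the certificate against the connect host

        // Name mismatch against the connect host: match the certificate's own dNSName
        // identities against the XMPP domain (or SRV target) instead.
        return DnsNames(cert).Any(name => referenceIdentities.Any(r => Matches(name, r)));
    }

    // dNSName values from subjectAltName (OID 2.5.29.17). Format(false) yields
    // "DNS Name=foo.com, DNS Name=bar.com" on .NET Framework/Windows and "DNS:foo.com, ..."
    // on other platforms; both forms are handled. Falls back to the CN when no SAN exists.
    public static IList<string> DnsNames(X509Certificate2 cert)
    {
        var names = new List<string>();
        foreach (X509Extension ext in cert.Extensions)
        {
            if (ext.Oid.Value != "2.5.29.17") continue;
            var parts = ext.Format(false).Split(new[] { ',', '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries);
            foreach (string part in parts)
            {
                string p = part.Trim();
                if (p.StartsWith("DNS Name=", StringComparison.OrdinalIgnoreCase))
                    names.Add(p.Substring("DNS Name=".Length).Trim());
                else if (p.StartsWith("DNS:", StringComparison.OrdinalIgnoreCase))
                    names.Add(p.Substring("DNS:".Length).Trim());
            }
        }
        if (names.Count == 0)
        {
            string cn = cert.GetNameInfo(X509NameType.DnsName, false);
            if (!string.IsNullOrEmpty(cn)) names.Add(cn);
        }
        return names;
    }

    // RFC 6125 style: exact match, or a wildcard in the left-most label only that covers
    // exactly one label ("*.xmpp.mycorp.com" matches "srv1.xmpp.mycorp.com" but neither
    // "xmpp.mycorp.com" nor "a.b.xmpp.mycorp.com").
    public static bool Matches(string certName, string reference)
    {
        certName = certName.TrimEnd('.').ToLowerInvariant();
        if (certName == reference) return true;
        if (!certName.StartsWith("*.")) return false;
        string suffix = certName.Substring(1);              // ".xmpp.mycorp.com"
        if (!reference.EndsWith(suffix)) return false;
        string leftmost = reference.Substring(0, reference.Length - suffix.Length);
        return leftmost.Length > 0 && !leftmost.Contains(".");
    }
}
```

The unconditional `e.AcceptCertificate = true` from post #2 (and the library's default when no handler is subscribed, as described in post #4) makes the TLS handshake accept any certificate, including one presented by an on-path attacker, so a policy like the one above should replace it in anything beyond a local test. If the SRV lookup itself is not protected (DNSSEC), the SRV target is attacker-influenced, which is why the XMPP domain is listed as the first reference identity and the SRV host only as an addition for deployments that, like the xmpp.mycorp.com setup above, issue the certificate for that host.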