Installing the StartCom SSL certificate in ejabberd

The XMPP Software Foundation established an intermediate certification authority with StartCom. If you run a public federated XMPP server, in order to provide secure communication, you no longer need to buy an SSL certificate (or resort to a self-signed certificate): simply register an account at http://www.xmpp.net and follow the certificate request process.

At least up to ejabberd 1.1.4, however, there is an extra step which involves patching a file and recompiling. (Update: the patching step is no longer required in ejabberd 2.0.0.)

Here is the complete procedure I followed.

After the certificate request process, you should have these files: ssl.key (your private key, encrypted with the password you chose during the request), ssl.crt (your server certificate) and sub.class1.xmpp.ca.crt (the intermediate CA certificate that signed it). To verify the chain from a client you will also need the StartCom root certificate, referred to as ca.crt below.

Decrypt ssl.key. openssl will ask you for a password; provide the one you gave during the certificate request process. The output is an unencrypted private key (ejabberd cannot prompt for a passphrase at startup), so it must end up readable only by the ejabberd user, as done below:


$ openssl rsa -in ssl.key -out ssl.key

Concatenate your server’s certificate, the decrypted key and the intermediate certificate into a single file, in that order. The server certificate must come first: it is the one ejabberd reads as its own, and everything after it is sent to clients as the chain.


cat ssl.crt ssl.key sub.class1.xmpp.ca.crt >ejabberd.pem


Place the resulting file where the ejabberd server is able to access it.

On Debian:


chown ejabberd:ejabberd ejabberd.pem
chmod 400 ejabberd.pem
mv ejabberd.pem /etc/ejabberd
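The following shell script is an added example and not part of the original post. It performs the key decryption and bundle assembly steps above against a throwaway test PKI that it generates itself (a test root standing in for the StartCom root as ca.crt, an intermediate written as sub.class1.xmpp.ca.crt, and a leaf certificate for your.server.org whose key is protected with the password hunter2; all of these names and the password are assumptions), then checks the resulting ejabberd.pem offline: that the key carries no passphrase and belongs to the leaf, that the leaf is the first certificate in the file, and that the leaf verifies against the root only when the intermediate is supplied, which is exactly the difference between the two s_client runs later in this post.

```shell
#!/bin/sh
# Added example, not from the original post: build a test PKI, assemble
# ejabberd.pem the way the post does, and check the bundle offline.
# File names, subjects and the password "hunter2" are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config: a dn section (required by "req") plus the
# extension sets for the root, the intermediate and the leaf.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_root
prompt             = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[v3_int]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage         = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage         = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth,clientAuth
EOF

make_test_pki() {
    # Self-signed root, standing in for the StartCom root (ca.crt).
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config pki.cnf \
        -subj "/CN=Test Root CA" -keyout ca.key -out ca.crt 2>/dev/null
    # Intermediate signed by the root, standing in for sub.class1.xmpp.ca.crt.
    openssl req -new -newkey rsa:2048 -nodes -config pki.cnf \
        -subj "/CN=Test Intermediate CA" -keyout sub.key -out sub.csr 2>/dev/null
    openssl x509 -req -in sub.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 2 -extfile pki.cnf -extensions v3_int \
        -out sub.class1.xmpp.ca.crt 2>/dev/null
    # Server key, password-protected like the one the request process yields.
    openssl req -new -newkey rsa:2048 -config pki.cnf -passout pass:hunter2 \
        -subj "/CN=your.server.org" -keyout ssl.key.enc -out ssl.csr 2>/dev/null
    openssl x509 -req -in ssl.csr -CA sub.class1.xmpp.ca.crt -CAkey sub.key \
        -CAcreateserial -days 2 -extfile pki.cnf -extensions v3_leaf \
        -out ssl.crt 2>/dev/null
}

# Step 1 of the post: strip the passphrase so ejabberd can load the key
# unattended (written to a new file here instead of in place).
decrypt_key() {
    openssl rsa -in ssl.key.enc -passin pass:hunter2 -out ssl.key 2>/dev/null
}

# Step 2 of the post: server certificate first, then the key, then the chain.
build_bundle() {
    cat ssl.crt ssl.key sub.class1.xmpp.ca.crt > ejabberd.pem
    chmod 400 ejabberd.pem
}

# 0 if the key file has no PEM encryption marker (works for both the
# "Proc-Type: 4,ENCRYPTED" and the "BEGIN ENCRYPTED PRIVATE KEY" forms).
key_is_plaintext() {
    ! grep -q 'ENCRYPTED' "$1"
}

# Number of certificates in the bundle; the leaf plus the intermediate is 2.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' ejabberd.pem
}

# Subject of the FIRST certificate in the bundle, which is all that
# SSL_CTX_use_certificate_file() ever reads, so it has to be the leaf.
first_cert_subject() {
    openssl x509 -in ejabberd.pem -noout -subject
}

# 0 if the private key stored in the bundle belongs to the leaf certificate.
key_matches_cert() {
    [ "$(openssl x509 -in ejabberd.pem -noout -pubkey)" = \
      "$(openssl pkey -in ejabberd.pem -pubout 2>/dev/null)" ]
}

# 0 if the leaf chains up to the root when the intermediate is available:
# what a client sees once the server sends the whole bundle.
chain_verifies() {
    openssl verify -CAfile ca.crt -untrusted sub.class1.xmpp.ca.crt ssl.crt >/dev/null 2>&1
}

# 0 if the leaf alone does NOT verify: what a client sees when ejabberd
# presents only the first certificate of the file.
leaf_alone_fails() {
    ! openssl verify -CAfile ca.crt ssl.crt >/dev/null 2>&1
}

make_test_pki
decrypt_key
build_bundle
echo "certificates in bundle: $(cert_count)"
echo "first certificate:      $(first_cert_subject)"
```

The script works in a temporary directory that it removes on exit. To check a real bundle before restarting ejabberd, run the check functions against your own ssl.crt, sub.class1.xmpp.ca.crt and ejabberd.pem, with the StartCom root as ca.crt, instead of the generated files.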

Configure ejabberd.cfg so that both client-to-server listeners and the server-to-server connections use the bundle:


% Ordinary client-2-server service
  [{5222, ejabberd_c2s,     [{access, c2s},
                             {max_stanza_size, 65536},
                             starttls, {certfile, "/etc/ejabberd/ejabberd.pem"},
                             {shaper, c2s_shaper}]},

% SSL-enabled client-2-server service
   {5223, ejabberd_c2s,     [{access, c2s},
                             {max_stanza_size, 65536},
                             tls, {certfile, "/etc/ejabberd/ejabberd.pem"},
                             {shaper, c2s_shaper}]},

% [...]

% Use STARTTLS+Dialback for S2S connections
{s2s_use_starttls, true}.
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.

Restart the server.

At this point the certificate is installed, but ejabberd does not present it correctly: it sends only the first certificate in the file and omits the intermediate. You can see this by running the following against the SSL-only port (for the STARTTLS port 5222, add -starttls xmpp):


openssl s_client -connect your.server.org:5223 -CAfile /path/to/ca.crt

You will get an incomplete certificate chain, with the server certificate alone at depth 0 and no issuer for openssl to verify it against:


[...]
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=Your State/L=Your Location/O=Your Name/OU=Domain validated only/CN=your@server.org/emailAddress=hostmaster@server.org
   i:/C=US/ST=Colorado/O=Jabber Software Foundation/OU=Secure Certificate Signing/CN=StartCom Class 1 Intermediate CA - Jabber Software Foundation/emailAddress=certmaster@jabber.org
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]

The cause is that ejabberd loads the certificate with SSL_CTX_use_certificate_file(), which reads only the first certificate from the file, so the intermediate that follows is never sent. To fix it, you have to apply a small patch that loads the whole chain instead. Start by downloading the ejabberd source.

On Debian:


apt-get source ejabberd

Now you could grab the patch from the ejabberd bug tracker and use the “patch” tool to apply it, however as of ejabberd 1.1.2 line numbers have shifted and it won’t apply cleanly. Since it’s a one-liner, just open the file src/tls/tls_drv.c and locate the following line:


res = SSL_CTX_use_certificate_file(d->ctx, buf, SSL_FILETYPE_PEM);

Replace it with the following, which takes the first certificate in the file as the server certificate and every further certificate in it as the chain to send to clients:


res = SSL_CTX_use_certificate_chain_file(d->ctx, buf);

To compile it, either go to the src/ directory and type:


make

Or, on Debian, generate a new package:


fakeroot dpkg-buildpackage -uc -nc

Install the result (the new package on Debian, or make install from the source tree), restart ejabberd, and you’re done.

To verify that it’s working, run again:


$ openssl s_client -connect your.server.org:5223 -CAfile /path/to/ca.crt

This time you should get:


[...]
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=Your State/L=Your Location/O=Your Name/OU=Domain validated only/CN=your@server.org/emailAddress=hostmaster@server.org
   i:/C=US/ST=Colorado/O=Jabber Software Foundation/OU=Secure Certificate Signing/CN=StartCom Class 1 Intermediate CA - Jabber Software Foundation/emailAddress=certmaster@jabber.org
 1 s:/C=US/ST=Colorado/O=Jabber Software Foundation/OU=Secure Certificate Signing/CN=StartCom Class 1 Intermediate CA - Jabber Software Foundation/emailAddress=certmaster@jabber.org
   i:/C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/emailAddress=admin@startcom.org
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]

This is a complete certificate chain, and openssl is able to verify it against the root certificate: the output now ends with “Verify return code: 0 (ok)” instead of the error 21 seen before the patch.
