Ticket #225 (closed defect: fixed)

Opened 3 months ago

Last modified 2 months ago

SSL not working since moving from 2.1.18 to 2.2.0

Reported by: ahhyes Owned by: smoku
Priority: trivial Component: c2s
Version: 2.2.0 Keywords:
Cc: Tracforge_linkmap:
Blocking: Blocked By:

Description

Hi All,

I can't get SSL to work anymore. When I look at the log for c2s, I see the following:

Tue Jun 10 04:27:36 2008 [notice] [8] [10.0.0.1, port=1336] connect
Tue Jun 10 04:27:37 2008 [notice] [8] [10.0.0.1, port=1336] error: SSL handshake error (error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate)
Tue Jun 10 04:29:03 2008 [notice] [9] [172.16.0.200, port=51258] connect
Tue Jun 10 04:29:03 2008 [notice] [9] [172.16.0.200, port=51258] error: SSL handshake error (error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate)

I never had this issue with the other version I was using. What is the problem? (I have built jabberd2 under FreeBSD 7/i386) with the following configure arguments:

./configure --disable-pgsql --disable-sqlite --enable-mysql --disable-db --disable-ldap --disable-fs --disable-pam --prefix=/usr/local --with-extra-include-path=/usr/local/include --with-extra-library-path=/usr/local/lib --with-sasl=gsasl --enable-ssl

I don't think this is a bug, it's probably more of a misconfiguration issue, but I have searched high and low for the solution and came up empty-handed. Help!

Change History

Changed 3 months ago by Teresa

Same here, I can't connect my server with latest pidgin version anymore :o(

Changed 3 months ago by Teresa

Solved: c2s.xml -> id attribute verify-mode='2'

Changed 3 months ago by ahhyes

I have mine set as verify-mode='7' which is how I had it set in 2.1.18 (the default with the install)... Why would it need to be changed suddenly between versions? What is the difference between mode 2 and mode 7? What has changed?

Can anyone explain this?

Changed 3 months ago by ahhyes

  • priority changed from major to blocker

Changed 3 months ago by ahhyes

Another thing to note is if I enable the use of legacy SSL on port 5223, it works. But the starttls on 5222 will not work for the reason given in my original post.

Changed 3 months ago by smoku

  • status changed from new to closed
  • resolution set to invalid

Well... verify-mode was actually fixed in 2.2. It did not work before. ;-) And the difference is described in the OpenSSL manual.
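
An added illustration (not jabberd2 code and not part of the ticket) of the difference between verify-mode 2 and 7, assuming the attribute value is handed to OpenSSL as the SSL_CTX_set_verify() flag bitmask, which is what the pointer to the OpenSSL manual suggests. The struct, the function names and the sample config lines are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* SSL_VERIFY_* values from <openssl/ssl.h>, repeated so this builds without OpenSSL. */
#define VERIFY_PEER                 0x01
#define VERIFY_FAIL_IF_NO_PEER_CERT 0x02
#define VERIFY_CLIENT_ONCE          0x04

struct verify_effect {
    int requests_client_cert; /* server asks the client for a certificate */
    int requires_client_cert; /* handshake fails if the client sends none */
    int ignored_flags;        /* bits set without VERIFY_PEER: no effect */
};

/* Assumption: the attribute value is used as the SSL_CTX_set_verify() bitmask. */
struct verify_effect decode_verify_mode(int mode) {
    struct verify_effect e;
    int peer = (mode & VERIFY_PEER) != 0;
    e.requests_client_cert = peer;
    e.requires_client_cert = peer && (mode & VERIFY_FAIL_IF_NO_PEER_CERT) != 0;
    /* Both extra flags are documented as only valid together with VERIFY_PEER. */
    e.ignored_flags = peer ? 0 : (mode & (VERIFY_FAIL_IF_NO_PEER_CERT | VERIFY_CLIENT_ONCE));
    return e;
}

/* Extract verify-mode from one config line; -1 if absent or malformed. */
int parse_verify_mode(const char *line) {
    const char *key = "verify-mode=";
    const char *p = strstr(line, key);
    int mode;
    if (p == NULL) return -1;
    p += strlen(key);
    if (*p != '\'' && *p != '"') return -1;
    if (sscanf(p + 1, "%d", &mode) != 1 || mode < 0) return -1;
    return mode;
}

int main(void) {
    /* Constructed sample lines; the host name is a placeholder. */
    const char *lines[] = { "<id verify-mode='7'>example.org</id>",
                            "<id verify-mode='2'>example.org</id>" };
    for (int i = 0; i < 2; i++) {
        int m = parse_verify_mode(lines[i]);
        struct verify_effect e = decode_verify_mode(m);
        printf("mode %d: requests=%d requires=%d ignored=0x%x\n", m, e.requests_client_cert, e.requires_client_cert, e.ignored_flags);
    }
    return 0;
}
```

Under that assumption, mode 7 makes the server demand a client certificate, which matches the "peer did not return a certificate" error in the log above, while mode 2 lacks SSL_VERIFY_PEER and so no certificate is requested at all.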

Changed 3 months ago by ahhyes

  • priority changed from blocker to trivial
  • status changed from closed to new
  • resolution deleted

Thank you for the answer. Has the change been *documented* somewhere? This certainly caught me by surprise. I looked through all the changelogs between versions for clues and found nothing.

If this change isn't documented, could you please document it somewhere to save someone from the same headaches it caused me?

Thanks!

Changed 2 months ago by smoku

  • status changed from new to closed
  • resolution set to fixed

Right. It wasn't documented anywhere besides the ticket comment. I added the comment to the UPGRADE file in [616].
