Abnormal behavior of the certificate subsystem of Openfire and Spark.

Question asked by Evgeniy on Feb 22, 2017
Latest reply on Feb 27, 2017 by wroot

Dear colleagues,

I have a Jabber environment with the following properties.

  1. There is an MS AD forest with a single domain (“DC=domain, DC=local”).
  2. There is an MS CA.
  3. The XMPP domain name is “domain.local”.
  4. There are two Openfire servers in a cluster with the following FQDNs: “server1.domain.local” and “server2.domain.local”.
  5. There is load balancing based on SRV records in the DNS zone.

I am seeing the following abnormal situation.

The SSL certificate subsystem of Openfire requires (why?) that the certificate has a DN with “CN=xmpp_domain_name”, not “CN=host_FQDN”, but clients (browsers for the admin console, Gajim for messaging) require “CN=host_FQDN” (obviously, this is normal).

I partially solved this problem using certificates whose DN is “CN=host_FQDN, CN=xmpp_domain_name”. In this case the Openfire servers, browsers and Gajim work fine with SSL.

But Spark (without the “ignore incorrect SSL certificate name” option) says: “Hostname verification of certificate failed”.

It seems that the developers of Openfire and Spark consider that xmpp_domain_name MUST equal host_FQDN.

I have one question: when will the developers fix this abnormal situation?

Evgeniy
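
The certificate-name matching the post is about, as an added illustration that is not part of the original thread and not code from Openfire or Spark: a small model of the reference-identifier rules of RFC 6125 (section 6.4) and RFC 6120 (section 13.7.2), applied to the two certificate layouts the post describes. The names server1.domain.local and domain.local come from the post; the certificate layouts, the SRVName entries, the `cn_policy` switch and the `verify_both` helper are assumptions made for the example. Which subject CN a verifier that falls back to CN-ID consults is implementation-specific, so the example exposes it as a parameter rather than asserting what any particular client does.

```python
"""Hostname verification for XMPP server certificates (added illustration).

Models RFC 6125 section 6.4 and RFC 6120 section 13.7.2 matching over a
small certificate description, so a certificate with both the host FQDN
and the XMPP domain can be checked offline against both reference names.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Names carried by a certificate: subject CN(s) plus subjectAltName entries."""
    common_names: list[str] = field(default_factory=list)
    dns_names: list[str] = field(default_factory=list)   # SAN dNSName (DNS-ID)
    srv_names: list[str] = field(default_factory=list)   # SAN otherName SRVName, "_service.domain"
    xmpp_addrs: list[str] = field(default_factory=list)  # SAN otherName XmppAddr


def _dns_match(presented: str, reference: str) -> bool:
    """DNS-ID comparison: case-insensitive; a wildcard may only be the whole left-most label."""
    p = presented.lower().rstrip(".")
    r = reference.lower().rstrip(".")
    if p == r:
        return True
    if p.startswith("*."):
        r_labels = r.split(".")
        # "*.domain.local" matches exactly one extra label; it never matches "domain.local" itself
        return len(r_labels) >= 3 and ".".join(r_labels[1:]) == p[2:]
    return False


def matches(cert: CertNames, reference: str, service: str | None = None,
            cn_policy: str = "any") -> bool:
    """Return True if `reference` (an XMPP domain or a host FQDN) is verified by `cert`.

    Order follows RFC 6120: SRV-ID, XmppAddr, then DNS-ID.  The subject CN is
    consulted only when the certificate carries no usable subjectAltName.
    cn_policy (assumption for illustration): "any" considers every CN RDN,
    "most_specific" considers only the last one, as RFC 2818 describes.
    """
    if service is not None:
        for srv in cert.srv_names:
            svc, _, host = srv.partition(".")  # "_xmpp-client.domain.local"
            if svc == f"_{service}" and _dns_match(host, reference):
                return True
    if any(a.lower() == reference.lower() for a in cert.xmpp_addrs):
        return True
    if any(_dns_match(n, reference) for n in cert.dns_names):
        return True
    has_san = bool(cert.dns_names or cert.srv_names or cert.xmpp_addrs)
    if has_san:
        return False  # RFC 6125: CN-ID must not be used once SAN identifiers are present
    cns = cert.common_names[-1:] if cn_policy == "most_specific" else cert.common_names
    return any(_dns_match(cn, reference) for cn in cns)


def verify_both(cert: CertNames, cn_policy: str = "any") -> dict[str, bool]:
    """Check the XMPP domain (as an xmpp-client SRV-ID/DNS-ID) and the host FQDN."""
    return {
        "xmpp_domain": matches(cert, "domain.local", service="xmpp-client", cn_policy=cn_policy),
        "host_fqdn": matches(cert, "server1.domain.local", cn_policy=cn_policy),
    }


# Constructed certificate descriptions mirroring the two layouts in the post.
two_cn_cert = CertNames(common_names=["server1.domain.local", "domain.local"])
san_cert = CertNames(
    common_names=["server1.domain.local"],
    dns_names=["server1.domain.local", "domain.local"],
    srv_names=["_xmpp-client.domain.local", "_xmpp-server.domain.local"],
)

if __name__ == "__main__":
    for label, cert in (("two CNs, no SAN", two_cn_cert), ("SAN with both names", san_cert)):
        for policy in ("any", "most_specific"):
            print(f"{label:20s} cn_policy={policy:13s} {verify_both(cert, policy)}")
```

With the SAN-based layout both names verify regardless of how the CN is handled, because the check never reaches the CN fallback; with the two-CN layout the result depends entirely on which CN a given verifier looks at.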
