[Cabal] SSL/TLS Certificates

Richard Laager rlaager at wiktel.com
Sun Dec 17 18:07:14 EST 2006


I had previously set up the SSL certificate for HTTPS for
developer.pidgin.im, but I don't think I e-mailed this list about it. I
now have the pidgin.im cert set up for HTTPS as well as for TLS/SSL IMAP
in Dovecot and Postfix's SMTP TLS (or SMTP "STARTTLS" as it's often
called in the sendmail world at least). As they say, it Works For Me!

Note that Postfix required me to concatenate the Starfield intermediate
CA certificate with the pidgin.im certificate and put them in one file [1].

I'm not sure what to do about ejabberd. It currently refers
to /etc/ejabberd/ejabberd.pem, which is a self-signed certificate, with
a particularly broken Subject [2]. I tried replacing those file
references with references to /etc/ssl/certs/pidgin.im.COMBINED.pem.
This didn't work. I was unable to connect to the Jabber server after
that. I preserved this file as /etc/ejabberd/ejabberd.cfg.failed.

I imagine this doesn't work because of the intermediate CA. There's a
bug report filed [3]. I checked the source and it's still not fixed.
This seems to leave us with the choices of:
	a) Maybe switch Jabber servers.
	b) Re-apply the patch in the bug report and debug & fix the
	   problem which prompted it being reverted.
	c) Reference /etc/ssl/certs/pidgin.im instead, omitting the
	   intermediate CA.  Anyone using a client which checks the
	   trust path to a root CA would need to add the Starfield cert
	   as a trusted root CA.

Thoughts? Etan, I've re-assigned the SSL certificates ticket to you,
since we need a decision on how to proceed with the ejabberd situation.

As a side note, while I was working on this, I noticed that ejabberd.cfg
and ejabberd.pem were owned by ejabberd. This seems wrong, as it would
allow ejabberd to overwrite its config. I changed the ownership to root
and added group read permission for ejabberd. It seems to still work.

Richard

[1]
	root@homing:~# cd /etc/ssl/certs
	root@homing:/etc/ssl/certs# cat pidgin.im.pem Starfield_Secure_Certification_Authority.pem > pidgin.im.COMBINED.pem

[2] See the output of:
	sudo openssl x509 -in /etc/ejabberd/ejabberd.pem -noout -text

[3] http://www.jabber.ru/bugzilla/show_bug.cgi?id=46
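As an added example (not part of Richard's message or of the Pidgin infrastructure), here is a POSIX sh script that checks a combined PEM file like the one built in [1] before it is handed to Postfix, Dovecot or ejabberd: the certificates must be in server-first order, the server cert must verify to a given root (for pidgin.im that would be the Starfield root; its path is assumed) through the bundled intermediates, and the private key must match. It assumes only that `openssl` is on PATH.

```shell
#!/bin/sh
# check_chain.sh: sanity-check a concatenated PEM file of the kind built in
# footnote [1]: server certificate first, then the intermediate CA cert(s).
# Usage: sh check_chain.sh BUNDLE.pem ROOT_CA.pem [SERVER_KEY.pem]
# Exit status 0 if every check passes, 1 otherwise.

check_chain() {
    bundle=$1; root=$2; key=${3:-}
    work=$(mktemp -d) || return 1
    # One file per certificate, numbered in the order they appear in the bundle.
    awk -v dir="$work" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n > 0 { print > (dir "/cert" n ".pem") }' "$bundle"
    count=$(ls "$work"/cert*.pem 2>/dev/null | wc -l | tr -d ' ')
    if [ "$count" -lt 2 ]; then
        echo "FAIL: found $count certificate(s); expected server cert + intermediate(s)"
        rm -rf "$work"; return 1
    fi
    # Order check: the issuer of cert i must be the subject of cert i+1, so the
    # server cert comes first and each CA cert directly follows the cert it signed.
    i=1; : > "$work/untrusted.pem"
    while [ "$i" -lt "$count" ]; do
        issuer=$(openssl x509 -in "$work/cert$i.pem" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//')
        subject=$(openssl x509 -in "$work/cert$((i + 1)).pem" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
        if [ "$issuer" != "$subject" ]; then
            echo "FAIL: cert $i was issued by '$issuer' but cert $((i + 1)) is '$subject' (wrong order?)"
            rm -rf "$work"; return 1
        fi
        cat "$work/cert$((i + 1)).pem" >> "$work/untrusted.pem"
        i=$((i + 1))
    done
    # Path check: the server cert must chain to the trusted root through the bundled intermediates.
    if ! openssl verify -CAfile "$root" -untrusted "$work/untrusted.pem" "$work/cert1.pem" >/dev/null 2>&1; then
        echo "FAIL: server cert does not verify against $root with the bundled intermediates"
        rm -rf "$work"; return 1
    fi
    # Key check: the private key the daemon loads must belong to the server cert.
    if [ -n "$key" ]; then
        certpub=$(openssl x509 -in "$work/cert1.pem" -noout -pubkey)
        keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        if [ "$certpub" != "$keypub" ]; then
            echo "FAIL: $key does not match the public key in the server certificate"
            rm -rf "$work"; return 1
        fi
    fi
    rm -rf "$work"
    echo "OK: $count certificates, server cert first, chain verifies against $root"
    return 0
}

if [ "$#" -ge 2 ]; then check_chain "$@"; fi
```

A bundle with only the server certificate, or with the intermediate placed first, fails the check, which is exactly the situation a strict client would reject.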


