ssl client auth update

Lucas Fisher lucas.fisher at gmail.com
Mon Nov 28 22:33:31 EST 2011


Sure no problem. Yes, that is the branch I have been working on.

XMPP secures its connection with SSL/TLS (same encryption protocol
used for HTTP). My change allows one to use a certificate and key to
authenticate to the XMPP server when using SSL/TLS instead of a
password. While this isn't all that common on the Internet, it is used
in corporate environments where each employee is issued a certificate
that they can use to authenticate to web and other services. It is
similar to using keys with SSH but a different format and slightly
different security model.

This follows these XMPP extensions:
http://xmpp.org/extensions/xep-0257.html,
http://xmpp.org/extensions/xep-0257.html.

XMPP certificate authentication does make use of the SASL external mechanism.

I know of two servers that support certificate authentication: Openfire
and the Jabber Inc (now Cisco) server.
I posted a basic how-to for setting up Openfire:
http://developer.pidgin.im/wiki/Openfire%20Client%20SSL%20Authentication%20How-to

Some of the high level changes:
- Add APIs for handling private keys, and PKCS12 files (what you get
when you export your certs from a browser or what is usually
distributed to users)
- Add support to the gnutls ssl plugin for:
    - sending a certificate when it is requested by the server
    - import/export private keys
    - import/export PKCS12 files
- Add support to the Pidgin certificate manager for dealing with
personal certificates
- Add options to the XMPP protocol plugin for choosing a certificate
for authentication. This required making the protocol account options
dynamic instead of only being created at startup.
- Enable SASL external in the Cyrus SASL code
- Add support to the certificate API for saving/loading certificate
chains rather than just individual certificates.
- Change ssl connection to specify the certificate to use for authentication

My API additions are found in privatekey.h, certificate.h, pkcs12.h and
prpl.h (PurplePluginProtocolInfo). There are a number of other changes
too.


On Mon, Nov 28, 2011 at 1:41 AM, Mark Doliner <mark at kingant.net> wrote:
> Hey Lucas.  I don't know if I'll have time to look at this branch, and
> I'm probably not the best person to look at it, but I wonder if you
> could provide a little more information.  Not just for my benefit, but
> for anyone who might be interested in testing or reviewing this code.
>
> Is this the branch in question?
> im.pidgin.cpw.ljfisher.ssl_client_auth
> http://developer.pidgin.im/viewmtn/branch/shortchanges/im.pidgin.cpw.ljfisher.ssl_client_auth
>
> I haven't been following your emails very closely (sorry), I wonder if
> you could provide a description in your own words of what client side
> auth is and when it would be used.  It sounds like maybe it allows
> users to authenticate to XMPP servers using public/private keys,
> similar to ssh?  Is this a standard auth mechanism for XMPP?  Or for
> SASL?  Do many XMPP servers support it?
>
> Thanks, and sorry we haven't been able to give you the attention you deserve :-(
> Mark
>
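The exchange Lucas describes (TLS with a client certificate, then SASL EXTERNAL instead of a password), as an added example in Python; this is not code from the ssl_client_auth branch or from libpurple. The stanza framing is RFC 6120's SASL namespace and the "=" versus base64-JID rule for the authorization identity is from XEP-0178; the server side is a constructed simulation that "knows" which JIDs the client certificate carried, the feature stanzas and JIDs are made up, and the PKCS12-to-PEM conversion step is an assumed workflow because Python's ssl module only loads PEM.

```python
"""SASL EXTERNAL over TLS for XMPP: authenticate with the client
certificate presented in the TLS handshake instead of a password.
Added example, not Pidgin/libpurple code."""
import base64
import ssl
import xml.etree.ElementTree as ET

NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"


def make_client_tls_context(certfile, keyfile, cafile=None):
    """TLS context that presents a client certificate during the handshake.

    Python's ssl module loads PEM, not PKCS12, so a browser-exported .p12
    is converted first (assumed workflow):
        openssl pkcs12 -in user.p12 -out user.pem -nodes
    Server verification stays on: client auth is no reason to stop
    checking the server's own certificate.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def offered_mechanisms(features_xml):
    """SASL mechanisms listed in the server's <stream:features/>."""
    root = ET.fromstring(features_xml)
    return [m.text for m in root.iter("{%s}mechanism" % NS_SASL)]


def external_auth_stanza(authzid=None):
    """XEP-0178: with no explicit authzid the client sends '=', meaning
    'the single JID in my certificate'; otherwise the base64 bare JID."""
    if authzid is None:
        payload = "="
    else:
        payload = base64.b64encode(authzid.encode("utf-8")).decode("ascii")
    return "<auth xmlns='%s' mechanism='EXTERNAL'>%s</auth>" % (NS_SASL, payload)


def parse_sasl_result(response_xml):
    """Map the server's <success/> or <failure/> to (status, reason)."""
    el = ET.fromstring(response_xml)
    if el.tag == "{%s}success" % NS_SASL:
        return ("success", None)
    if el.tag == "{%s}failure" % NS_SASL:
        reasons = [c.tag.rsplit("}", 1)[-1] for c in el]
        return ("failure", reasons[0] if reasons else None)
    raise ValueError("unexpected SASL element: %s" % el.tag)


def run_external_auth(features_xml, send, recv, authzid=None):
    """Client side of the exchange over an already-secured stream;
    send/recv are the transport (a real socket or the simulation below)."""
    mechs = offered_mechanisms(features_xml)
    if "EXTERNAL" not in mechs:
        return ("unavailable", mechs)  # fall back to password auth or abort
    send(external_auth_stanza(authzid))
    return parse_sasl_result(recv())


class SimulatedServer:
    """Constructed stand-in for the server: it 'knows' which JIDs the
    client certificate from the handshake carried and applies the
    XEP-0178 rule when checking the authzid the client sent."""

    def __init__(self, cert_jids):
        self.cert_jids = frozenset(cert_jids)
        self.inbound = None

    def send(self, stanza):
        self.inbound = stanza

    def recv(self):
        el = ET.fromstring(self.inbound)
        payload = (el.text or "").strip()
        if payload == "=":
            ok = len(self.cert_jids) == 1  # '=' is ambiguous with several JIDs
        else:
            ok = base64.b64decode(payload).decode("utf-8") in self.cert_jids
        if ok:
            return "<success xmlns='%s'/>" % NS_SASL
        return "<failure xmlns='%s'><not-authorized/></failure>" % NS_SASL


# Constructed <stream:features/> samples, as a server sends after STARTTLS.
FEATURES_EXTERNAL = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<mechanisms xmlns='%s'><mechanism>EXTERNAL</mechanism>"
    "<mechanism>PLAIN</mechanism></mechanisms></stream:features>" % NS_SASL
)
FEATURES_PASSWORD_ONLY = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<mechanisms xmlns='%s'><mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>" % NS_SASL
)


if __name__ == "__main__":
    one = SimulatedServer(["alice@example.com"])
    print(run_external_auth(FEATURES_EXTERNAL, one.send, one.recv))
    two = SimulatedServer(["alice@example.com", "alice@example.net"])
    print(run_external_auth(FEATURES_EXTERNAL, two.send, two.recv))
    print(run_external_auth(FEATURES_EXTERNAL, two.send, two.recv, "alice@example.net"))
    print(run_external_auth(FEATURES_PASSWORD_ONLY, one.send, one.recv))
```

The point the simulation makes is the one that bites in practice: the certificate proves possession of a key, but the server still has to decide which account that key is allowed to act as. A certificate carrying one JID can use the bare "=" form; one carrying several must name the JID, and a name not in the certificate is refused with not-authorized rather than silently mapped.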
