
ejabberd STARTTLS setup on port 5222

I just installed and setup the docker ejabberd/ecs image on an ubuntu 20.04 aws instance.

I have ports, domain name and users setup and working.

On the host (ubuntu) I generated Let's Encrypt certificates with certbot, copied them on the docker container:

certfiles:
  - /home/ejabberd/conf/fullchain.pem
  - /home/ejabberd/conf/privkey.pem

ca_file: "/home/ejabberd/conf/fullchain.pem"

I want to require my users to use only a secure connection.

I read on the documentation that I'd better use STARTTLS instead of TLS.

The problem is that ejabberd seems to use my certificates only when setting up TLS.

When I set the config like this:

listen:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    tls: true
...
  -
    port: 5280
    ip: "::"
    module: ejabberd_http
    tls: true
    request_handlers:
      "/admin": ejabberd_web_admin

and reload the config with bin/ejabberdctl reload_config, then I can access https://example.com:5280/admin/ using SSL.

And when I test the certificate using openssl from another machine, it seems to work because I get the following:

openssl s_client -connect example.com:5222
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = example.com
verify return:1
---
Certificate chain
 0 s:CN = example.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...

But when I use, as I should from what I understand, starttls and starttls_required:

listen:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    starttls: true
    starttls_required: true

Then ejabberd does not seem to use a secure connection on port 5222:

openssl s_client -connect example.com:5222
CONNECTED(00000005)
140324192997824:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 315 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Any idea what I could do to fix this?

To make the connection secure, you need to specify tls: true in the listener. For example, in the config below both ports 5222 and 5223 have the same settings, but 5223 also includes tls: true. Thanks to that, your openssl test will detect a secure connection on port 5223 but not on 5222.

  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    starttls_required: true
  -
    port: 5223
    ip: "::"
    tls: true
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    starttls_required: true

As a side note, if still in trouble please try changing ca_file to ca_file: "/home/ejabberd/conf/cacert.pem" assuming cacert.pem is the file created by the ejabberd installer and not your LE.

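Added example, not code from this thread or from the ejabberd project: a small Python probe that does what a plain openssl s_client on 5222 does not, namely opens the plaintext XMPP stream, asks for STARTTLS once the server offers it, and only then starts TLS and verifies the certificate, so you can confirm that a starttls_required listener really is encrypted. The host, port and domain arguments are placeholders, and SAMPLE_FEATURES is a constructed stream:features fragment used for offline checks.

```python
import socket
import ssl

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample of what a listener with starttls_required advertises
# (not captured from a real server); lets starttls_offer() be checked offline.
SAMPLE_FEATURES = f"<stream:features><starttls xmlns='{TLS_NS}'><required/></starttls></stream:features>"

def stream_header(domain: str) -> bytes:
    """Initial client-to-server stream header (RFC 6120 section 4.7)."""
    return (f"<?xml version='1.0'?><stream:stream to='{domain}' "
            f"xmlns='jabber:client' xmlns:stream='{STREAM_NS}' "
            f"version='1.0'>").encode()

def starttls_offer(features: str) -> tuple:
    """Return (offered, required) from a <stream:features> fragment."""
    start = features.find("<starttls")
    if start < 0:
        return (False, False)
    end = features.find("</starttls>", start)
    block = features[start:end] if end >= 0 else ""  # self-closing => not required
    return (True, "<required" in block)

def read_until(sock, marker: bytes, limit: int = 65536) -> bytes:
    """Read until marker is seen, the peer closes, or limit bytes arrive."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def probe_starttls(host: str, port: int, domain: str, timeout: float = 10.0) -> dict:
    """Open a plaintext XMPP stream, upgrade with STARTTLS, verify the cert."""
    ctx = ssl.create_default_context()  # validates chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(stream_header(domain))
        feats = read_until(sock, b"</stream:features>").decode(errors="replace")
        offered, required = starttls_offer(feats)
        if not offered:
            return {"starttls": False, "required": False, "subject": None}
        sock.sendall(f"<starttls xmlns='{TLS_NS}'/>".encode())
        reply = read_until(sock, b"/>").decode(errors="replace")
        if "<proceed" not in reply:
            raise RuntimeError(f"server refused STARTTLS: {reply!r}")
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
            return {"starttls": True, "required": required, "subject": subject}
```

Calling probe_starttls("example.com", 5222, "example.com") against the starttls_required listener above should return required True together with the Let's Encrypt certificate subject; openssl s_client -starttls xmpp -connect example.com:5222 performs the same exchange from the command line.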
Thank you! As a side question, in the profanity client I connect on port 5223 with tls force to use TLS encryption, but on a chat with other users I also see "unencrypted". Does it have to do with OTR or OMEMO or other similar end-to-end encryption, or is it that my connection is still not encrypted by the LE certificates?

The "unencrypted" label, if it appears within the client app windows, is most likely related to the fact that this specific message wasn't encrypted using OMEMO. Different clients show it differently; some show a padlock for OMEMO messages.
