Forum Replies Created

Viewing 10 posts - 1 through 10 (of 10 total)
in reply to: iChat SSL help needed! #371086
    drighi
    Participant

What if you comment out the cachain completely in c2s.xml for Jabber? Does it work then? And does SSL over 443 for the web work? I suspect it does, as Apache is apparently very forgiving!

    in reply to: iChat SSL help needed! #371058
    drighi
    Participant

    Use s_client and do a test connection to port 5223 and post the results here please!

    -D

    in reply to: Best vector of attack – Blogs, Wikis, etc. #371056
    drighi
    Participant

    [i][quote]Augmented records were created for exactly the purpose you’re looking to use them. In the case of the wiki and the blog, the clients have no need of them, just the server itself. Which in this case is acting as a directory service “client.”[/quote][/i]

This is what I sort of thought. But, I don’t understand in what directory on the server it all comes together. Do I configure the OS X server like the client in your paper? I ask because I’d think that the OS X server is also a source of data, the stub we need. (Gotta figure out what chunks we need for that, too. Probably the collaboration chunk, etc.)

    [i][quote]Read through our article on augments, see if you can get it to work by hand. There’s nothing from your description of your setup that would prevent it from having the effect you’re looking for.[/quote][/i]

Now that is an encouraging statement! Where would you begin here? I’m having a tough time conceptualizing where everything will go. Where does the stub come from? That’s the biggest question I have.

    [i][quote]If you can get it to work by hand, you should be able to get the Novell ID manager to create and remove the augment stub from OD as the users are created and removed.[/quote][/i]

    It would create it on the OD Server directory, not eDirectory, right?

    [i][quote]Also.. you’ll most likely need to enable plaintext authentication to the blog and wiki to work with Novell.[/quote][/i]

    Done.

[i][quote]Try it first without touching things, maybe the stars will align and MD5 hashes will work, but be prepared to read the Apple Kbases on using the blog and wiki with AD.[/quote][/i]

    Well, I had to disable cram-md5 for iChat to work through OD, so I assume this will be the same issue.

    -D

    in reply to: iChat SSL help needed! #371053
    drighi
    Participant

    You’re right on that! Drove me crazy. 😡

    in reply to: iChat SSL help needed! #371039
    drighi
    Participant

Well, I’m no SSL expert. I’m not sure. What you should do is look in /etc/certificates and look at your private key and see if it’s encrypted or not. If it’s not, then continue through the rest of the steps, make yourself a new .crtkey, tell iChat server to use that in /etc/jabberd/c2s.xml and see what happens.

    If it’s encrypted then you’ll need a passphrase. I suspect this won’t be the case.

    Remember, Apache is very tolerant, will use encrypted keys, etc. Jabber2 won’t!!!

    -D

    in reply to: iChat SSL help needed! #371031
    drighi
    Participant

    Here’s how to get iChat Server working with a real SSL cert. Also, in my case users come from Open Directory (on a Novell eDirectory directory). So this solution kills 2 birds with one stone.

    1. Set up your server, in my case a new install. Install updates NOW, not later!!!!!!!
    2. In Server Admin, clicked Certificates, then the + sign to create a new cert.
    3. Fill in appropriate info, such as Common Name (DNS name of your server!), Organizational Unit, etc.
    4. Enter a 24 character passphrase. (Good security please!)
    5. Click Save, then second middle button to create a CSR.
    6. Drag the CSR icon into the place for the CSR on the thawte(Verisign, whatever) request page. Or email the CSR to them.
    7. Verify the CSR on the thawte(Verisign, whatever you’re using) site. The information should match what you entered for Common Name, etc.
    8. Submit it to them for signing; get the reply from them.
    9. Go back into server admin | Certificates, select the my.domain.com cert, click the button and select “import signed…”
    10. Paste the response from thawte(Verisign, whatever) in there, then click save.

    You should now see that the cert is trusted and the certifying authority (thawte, etc) listed, where it used to say Self-signed.

Fire up web services and see if your new cert works for web. If it does, continue on.

    Your new cert may or may not work for Jabber. If it does, well you’re done. If it doesn’t…

    1. Ensure you’ve selected the cert for iChat in Server admin. (I know, it doesn’t work yet.)
2. Either Remote Desktop to your server and open Terminal or ssh in and get a prompt. BECOME ROOT!! sudo su -
    3. Take a look in /etc/certificates.
    4. You should see a my.domain.com.key file and a my.domain.com.crt file.

    Now using vi, pico, or whatever look at the .key file. Do you see DES encryption lines in there? If you do, your private key is encrypted with your passphrase.

    5. Make a copy of my.domain.com.key (Let’s call it my.domain.com.jb)
5a. Make a copy of my.domain.com.crt (Let’s call it my.domain.com.crt.jb)
    6. Decrypt the private key: (Remember you’re root!) openssl rsa -in my.domain.com.jb -out my.domain.com.jb
    It will ask you for your passphrase.
    7. Create a new file containing your public key (my.domain.com.crt), and combine with the decrypted private key (my.domain.com.jb):

    cat my.domain.com.jb >> my.domain.com.crt.jb

    8. Rename my.domain.com.crt.jb to my.domain.com.crtkey.jb
9. Change ownership of my.domain.com.crtkey.jb to root:jabber ( chown root:jabber my.domain.com.crtkey.jb )

    Not done yet….

    10. Change perms / ownership of my.domain.com.jb to match your original .key file.

    EDIT /etc/jabberd/c2s.xml

    1. Amend the settings in the local section (under the ssl-port 5223 line) to:

    /etc/certificates/my.domain.com.crtkey.jb

    1a. I also commented out the cachain line in that area. You may not need to but I did.

    2. No matter how tempting, do NOT touch anything else at this time. Trust me.
    Leave the 0.0.0.0 IP’s alone; where you see your Default cert, leave it be!

    Done editing.

    3. Restart ichat service (don’t touch the settings in the Admin application)

    On the iChat client set connect using SSL, port 5223.
    All should work.

    To get OD logins to work, comment out cram-md5 authentication, like this:

Hopefully the code comes out in the post there. If not, it’s the fix from Apple:
    http://docs.info.apple.com/article.html?artnum=306749 (option 2)

    Thanks to MacTroll from AFP548, and Tim Harris at Apple Discussions for their collective pieces in solving this!!
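The key-decryption and combine steps above (5 through 10), scripted as an added example that is not from the thread. It assumes the /etc/certificates layout and the jabber group named in the post, uses the same openssl subcommands the post does, and adds a modulus comparison so a cert and key that do not belong together are caught before jabberd2 is restarted:

```sh
#!/bin/sh
# Added example, not code from the thread: scripts the post's steps 5-10 so the
# combined cert+key file jabberd2 expects is built with checks. The paths and
# the "jabber" group come from the post; the function names are my own.
set -eu

# True when the PEM private key is passphrase-protected (the "DES" lines the
# post mentions live in a DEK-Info header; PKCS#8 keys use a different marker).
key_is_encrypted() {
    grep -Eq 'DEK-Info|ENCRYPTED PRIVATE KEY' "$1"
}

# Write the certificate followed by the decrypted key into $3. Create it with
# a restrictive umask, then open it to root and the jabber group only: the
# unencrypted key must never be world-readable.
build_crtkey() {
    cert=$1; key=$2; out=$3; group=${4:-jabber}
    (umask 077; cat "$cert" "$key" > "$out")
    chown "root:$group" "$out" 2>/dev/null || true   # only works as root
    chmod 640 "$out"
}

# Number of PEM blocks in a file; the combined file should hold exactly two.
pem_block_count() {
    grep -c -- '-----BEGIN ' "$1"
}

# Full procedure: copy, decrypt if needed, confirm cert and key belong
# together (a mismatch makes jabberd2 fail at startup), combine, clean up.
make_jabber_pem() {
    name=$1; dir=${2:-/etc/certificates}
    key="$dir/$name.key"; cert="$dir/$name.crt"; out="$dir/$name.crtkey.jb"
    tmpkey=$(mktemp)
    if key_is_encrypted "$key"; then
        openssl rsa -in "$key" -out "$tmpkey"     # asks for the passphrase
    else
        cp "$key" "$tmpkey"
    fi
    cert_mod=$(openssl x509 -noout -modulus -in "$cert")
    key_mod=$(openssl rsa -noout -modulus -in "$tmpkey")
    if [ "$cert_mod" != "$key_mod" ]; then
        rm -f "$tmpkey"; echo "cert and key do not match" >&2; return 1
    fi
    build_crtkey "$cert" "$tmpkey" "$out"
    rm -f "$tmpkey"
    echo "$out"
}

# Usage: sh make_jabber_pem.sh my.domain.com [/etc/certificates]  (run as root)
if [ -n "${1:-}" ]; then make_jabber_pem "$1" "${2:-/etc/certificates}"; fi
```

After it prints the path, point the pemfile setting in /etc/jabberd/c2s.xml at that file exactly as step 1 of the EDIT section describes, and restart the iChat service.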

    in reply to: iChat SSL help needed! #371001
    drighi
    Participant

    Got it to work!

    Had to:

    Decrypt the private key.

    Create a new file containing the public key, and add the decrypted private key to it.

    Point c2s.xml to the original cachain but to the new file in the section.

    Then to get OD logins to work, comment out cram-md5 authentication.

    Will document this much nicer later this week and post. Gotta run!

    Thanks all for your help!

    -D

    in reply to: iChat SSL help needed! #370999
    drighi
    Participant

    MacTroll,

    AHA!

    Check this out. I removed some characters for security reasons in the certificates, etc.

    $ openssl s_client -connect chat.northampton.edu:443

    CONNECTED(00000003)
    depth=1 /C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[email protected]
    verify error:num=19:self signed certificate in certificate chain
    verify return:0

    Certificate chain
    0 s:/C=US/ST=Pennsylvania/L=Bethlehem/O=Northampton Community College/OU=COMPUTER SERVICES/CN=chat.northampton.edu
    i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[email protected]
    1 s:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[email protected]
    i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[email protected]

    Server certificate
    subject=/C=US/ST=Pennsylvania/L=Bethlehem/O=Northampton Community College/OU=COMPUTER SERVICES/CN=chat.northampton.edu
    issuer=/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/[email protected]

    No client certificate CA names sent

    SSL handshake has read 2301 bytes and written 316 bytes

    New, TLSv1/SSLv3, Cipher is DH-RSA-A256-A
    Server public key is 1024 bit
    SSL-Session:
    Protocol : TLSv1
    Cipher : DHE-RSA-AES256-SHA
    Session-ID: 86884CE2DC9EC87F810D1CCFC230399E19AEE27
    Session-ID-cx:
    Master-Key: ECA51D388715FCC5CCAD9109248E
    Key-Arg : None
    Start Time: 1199796830
    Timeout : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

So, how do I fix it? The article looks like it’s for a different situation. This is all internal to my server. Need to get the self-signed cert out of my chain right??

    Let me document how I got the thawte cert:

    1. Set up server, new install.
    2. In Server Admin, clicked Certificates, then the + sign to create a new cert.
    3. Filled in appropriate info, such as Common Name, Organizational Unit, etc.
    4. Entered a 24 character passphrase.
    5. Clicked Save, then second middle button to create a CSR.
    6. Dragged the CSR icon into the place for the CSR on the thawte request page.
    7. Verified the CSR on the thawte page.
    8. Submitted, got the reply the next day.
    9. Went back into server admin, selected the chat.northampton.edu cert, clicked the button and selected “import signed…”
    10. Pasted the response from thawte in there, then clicked save.

    All looked great then. Enabled on my servers default site for Apache, and browsers see it just fine and the cert info comes down to the browsers great. However, using s_client we see this error 19 problem which I believe is the issue.

    On a separate note, anybody get Leopard iChat client working with Leopard Server? Even using the Default cert it doesn’t work, but windows clients on Neosmt can login. If it helps, users on the server come from a Novell eDirectory Server via LDAP.

    -Damian
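An added example, not from the thread, for reading an s_client result like the one above: verify code 19 is what s_client reports when the chain ends in a self-signed root (here the Thawte CA the server sends as chain element 1) that s_client was not told to trust, so this check hands it the CA bundle with -CAfile and only then treats a non-zero code as a server problem. Host, port and bundle path are assumptions; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the thread: wraps "openssl s_client" so the chain a
# server presents on the iChat SSL port is checked against a known CA bundle.
set -eu

# Extract the numeric "Verify return code" from s_client output on stdin.
verify_code() {
    sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1
}

# Count the certificates the server presented (the " 0 s:/C=..." lines).
chain_length() {
    grep -Ec '^ *[0-9]+ s:' || true
}

# Handshake with host:port trusting only the bundle in $3. Port 5223 is the
# legacy SSL port iChat/jabberd2 use in the thread; 443 checks Apache.
check_chain() {
    host=$1; port=$2; cafile=$3
    out=$(openssl s_client -connect "$host:$port" -CAfile "$cafile" </dev/null 2>/dev/null || true)
    code=$(printf '%s\n' "$out" | verify_code)
    n=$(printf '%s\n' "$out" | chain_length)
    case "$code" in
        0)  echo "ok: chain of $n cert(s) verifies against $cafile" ;;
        19) echo "untrusted root: the chain ends in a self-signed CA not in $cafile" ;;
        *)  echo "verify failed with code ${code:-none} ($n cert(s) sent)" ;;
    esac
    [ "$code" = "0" ]
}
```

Run it as `check_chain chat.example.test 5223 /path/to/ca-bundle.pem`; a code of 0 against the bundle while the bare s_client run still says 19 confirms the server side is fine and only the caller's trust store differs.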

    in reply to: iChat SSL help needed! #370998
    drighi
    Participant

    All,

The thawte SSL Cert works perfectly for Web Server, just tested it. If I set the cert for iChat to be Default, that also works (over SSL, but with the warning message. I know that I can import the Default cert to my clients but we need to use a real cert here).

    I rebuilt the server and got my cert reissued from Thawte, new CSR, etc. Same problem. Am going to look at s_client now and see what I can come up with. Is there a possibility that the ApacheSSL cert from thawte doesn’t work with Jabberd2?

    If so, what cert should I be getting? I feel like I’m grabbing at straws here…

    😐

    in reply to: iChat SSL help needed! #370982
    drighi
    Participant

    Can you tell me a little more on how that is done? It did import the cert and showed as signed by thawte when I imported it after getting the response from thawte.

    -D
