As there was no up-to-date howto on adding a signed certificate (here, a Class 1 certificate signed by StartCom through StartSSL) to Openfire, and because I succeeded in doing it, I wrote a small howto.
First, generate your private key and certificate signing request (CSR). In my case, I use RSA 4096:
openssl req -newkey rsa:4096 -keyout openfire.key -out openfire.csr
openfire.forumanalogue.fr,forumanalogue.fr
In the Certificate Signing Request (CSR) step, select Generated by Myself (.cer PEM format certificate), paste the content of the file openfire.csr and finally Submit. The next step is to download the archive containing the signed certificate. The name of the file is the common name of this certificate with the extension .zip, in my case openfire.forumanalogue.fr.zip. From it, extract the file OtherServer.zip. It contains three files:
1_Intermediate.crt 2_openfire.forumanalogue.fr.crt root.crt
Time for the tricky part: generating the correct certificate chain. The order matters: your own certificate first, then the intermediate, then the root.
cat 2_openfire.forumanalogue.fr.crt 1_Intermediate.crt root.crt > openfire.crt
Your working directory now contains the following files:
2_openfire.forumanalogue.fr.crt 1_Intermediate.crt root.crt openfire.crt openfire.key 1_root_bundle.crt
The latter, 1_root_bundle.crt, can be found in the archive ApacheServer.zip inside the archive downloaded from StartSSL.
The next step is to remove the self-signed certificates. Log in to your Openfire Admin Console, go to the Server tab, TLS/SSL Certificates, then follow the first Manage Store Contents link. Remove both the RSA and the DSA self-signed certificates.
Now, connect to your Openfire server, e.g. through ssh. You need to find Openfire's security folder. On Ubuntu 16.04 LTS Xenial, it is located in
/etc/openfire/security
It should contain the following files:
keystore truststore
I am not sure it is required, but I think you need to add StartCom as a trusted Certificate Authority. The second thing I am not sure about is which file to use, so just run all these commands until one eventually works, and make sure to use the correct path to the security folder.
Each import needs its own -alias (the names below are arbitrary labels); without one, keytool reuses the default alias mykey and refuses the second import.
keytool -import -keystore /etc/openfire/security/truststore -trustcacerts -alias startcom-root -file root.crt
keytool -import -keystore /etc/openfire/security/truststore -trustcacerts -alias startcom-intermediate -file 1_Intermediate.crt
keytool -import -keystore /etc/openfire/security/truststore -trustcacerts -alias startcom-root-bundle -file 1_root_bundle.crt
The keystore issue has been fixed in Openfire 4.0.3.
Using the information (in German) on this page, I understood how to add the certificate to Openfire. You need to generate a PKCS#12 file using openssl. When prompted for the export password, use changeit, because the keytool command that follows expects it:
openssl pkcs12 -export -in openfire.crt -inkey openfire.key -out forumanalogue.fr.pkcs12 -name forumanalogue.fr
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore /etc/openfire/security/keystore -srckeystore forumanalogue.fr.pkcs12 -srcstoretype PKCS12 -srcstorepass changeit -alias forumanalogue.fr
service openfire restart
By default, you will get a grade B score and be subject to the Diffie-Hellman vulnerability. To fix this, you need to forbid 1024-bit Elliptic Curve Diffie-Hellman (ECDH). Open the Java security file, on Ubuntu with Oracle Java 8 /usr/lib/jvm/java-8-oracle/jre/lib/security/java.security, and add or modify the line as follows:
jdk.tls.ephemeralDHKeySize=2048
Now, tell Openfire to take this modification into account. In the file /etc/default/openfire, modify the line as follows:
DAEMON_OPTS="-Djdk.tls.ephemeralDHKeySize=2048"
The source of this trick is on this page.
You can improve security a bit more by disabling weak algorithms. Open the Java security file, on Ubuntu with Oracle Java 8 /usr/lib/jvm/java-8-oracle/jre/lib/security/java.security, and modify the lines as follows:
jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DH_DSS_WITH_DES_CBC_SHA, SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DH_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_RC4_128_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, SSL_FORTEZZA_DMS_WITH_NULL_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_WITH_IDEA_CBC_SHA, SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_WITH_RC4_128_MD5, SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, SSL_DHE_DSS_WITH_RC4_128_SHA, TLS_DHE_PSK_WITH_RC4_128_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_PSK_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_RC4_128_SHA, TLS_PSK_WITH_RC4_128_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, TLS_RSA_PSK_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSLv3, MD5, DSA, RSA keysize < 2048, RC4, MD5withRSA, DH keySize < 2048
These two lines need improvement; I am open to suggestions. They are inspired by this page.
There are some approximations and uncertainties in this howto because it took me a lot of work and trials, so I am not always sure which command eventually worked.
This page needs improvement, so please give me your feedback and ask your questions if needed.
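As an added example (not from the original post), here is a small Python checker for the java.security settings above: it parses the file, including the backslash line continuations the stock file uses for jdk.tls.disabledAlgorithms, reports which of the settings from this howto are missing, and builds merged lines that keep the JDK's own entries while dropping duplicates and weaker keySize rules. Note that jdk.tls.ephemeralDHKeySize sets the size of the ephemeral finite-field DH (DHE) key, and a -D option in DAEMON_OPTS overrides the value in the file. The excerpt in SAMPLE is constructed, not copied from a real install.

```python
import re

# Hardening from the howto above; the long cipher-suite list is left to the admin.
REQUIRED_DISABLED = ["SSLv3", "RC4", "MD5withRSA", "DH keySize < 2048", "RSA keySize < 2048"]
KEYSIZE_RE = re.compile(r"^(\w+)\s+keysize\s*<\s*(\d+)$", re.IGNORECASE)

def norm(entry):
    return re.sub(r"\s+", " ", entry.strip()).lower()

def parse_properties(text):
    """Parse key=value lines of java.security, joining backslash line continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def merge_disabled(existing, required):
    """Union of entries, deduplicated case-insensitively; an existing 'ALG keySize < N'
    is dropped when the required list carries a larger N for the same algorithm."""
    floors = {m.group(1).lower(): int(m.group(2)) for m in map(KEYSIZE_RE.match, required) if m}
    merged, seen = [], set()
    for entry in [e.strip() for e in existing.split(",")] + required:
        m = KEYSIZE_RE.match(entry)
        if not entry or (m and floors.get(m.group(1).lower(), 0) > int(m.group(2))):
            continue
        if norm(entry) not in seen:
            seen.add(norm(entry))
            merged.append(entry)
    return merged

def audit(text):
    """Findings for a java.security file; an empty list means the hardening is in place."""
    props = parse_properties(text)
    findings = [] if props.get("jdk.tls.ephemeralDHKeySize") == "2048" else ["jdk.tls.ephemeralDHKeySize is not 2048"]
    present = {norm(e) for e in props.get("jdk.tls.disabledAlgorithms", "").split(",")}
    return findings + ["jdk.tls.disabledAlgorithms lacks " + e for e in REQUIRED_DISABLED if norm(e) not in present]

def hardened_lines(text):
    """The two jdk.tls.* lines to write back, keeping the JDK's own entries."""
    merged = merge_disabled(parse_properties(text).get("jdk.tls.disabledAlgorithms", ""), REQUIRED_DISABLED)
    return ["jdk.tls.ephemeralDHKeySize=2048", "jdk.tls.disabledAlgorithms=" + ", ".join(merged)]

# Constructed excerpt in the style of a stock Java 8 java.security, with a continuation line.
SAMPLE = "jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 768, \\\n    EC keySize < 224\n"
```

Run audit() on the real file first to see what is missing, then write the two lines from hardened_lines() back in place of the existing ones.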