Signed certificate by StartCom for Openfire

clement
Site administrator
Posts: 2020
Joined: Mon 13 Dec 2004 23:00
Location: Grenoble, France

Post by clement » Sun 25 Sep 2016 09:37

Hello,

As no up-to-date howto exists for adding a signed certificate, here a Class 1 certificate signed by StartCom, through StartSSL, to Openfire, and because I succeeded in doing it, I wrote a small howto.

First, generate your certificate. In my case, I used RSA 4096.

Code:

openssl req -newkey rsa:4096 -keyout openfire.key -out openfire.csr

openfire.key and openfire.csr are just examples. Log in to StartCom, validate the domain (Validation Wizard) if not done already, then go to the Certificates Wizard tab, select Web Server SSL/TLS Certificate and enter the domains. My Openfire server is openfire.forumanalogue.fr but the JID only has forumanalogue.fr. I am not sure which domains should be put. I gave both
openfire.forumanalogue.fr,forumanalogue.fr
In the Certificate Signing Request (CSR), select Generated by Myself (.cer PEM format certificate), copy/paste the content of the file openfire.csr and finally Submit. The next step is to download the archive containing the signed certificate. The name of the file is the common name of this certificate with the extension .zip, in my case openfire.forumanalogue.fr.zip. Extract the file OtherServer.zip. It contains three files
1_Intermediate.crt 2_openfire.forumanalogue.fr.crt root.crt
Time for the tricky part: generate the correct certificate chain

Code:

cat 2_openfire.forumanalogue.fr.crt 1_Intermediate.crt root.crt > openfire.crt

I spent hours figuring this out; other howtos do not give this information and you/they end up with a malformed/invalid certificate. It is thanks to this answer that I managed to make it work. It is time to send the files to the Openfire server. I am not sure you need all of them, but send them just in case. Send
2_openfire.forumanalogue.fr.crt 1_Intermediate.crt root.crt openfire.crt openfire.key 1_root_bundle.crt
The latter can be found in the archive ApacheServer.zip, inside the archive downloaded from StartSSL.
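The chain order above is the step the post says other howtos get wrong, and a bundle with the certificates in the wrong order imports without complaint and only fails later on the client side. The script below is an added example and is not part of the original post: it splits a PEM bundle such as openfire.crt into its certificates, checks that each certificate is issued by the next one and that the last one is a self-signed root, and then runs openssl verify on the leaf against the rest of the bundle. It assumes only the openssl command-line tool; the file names are the ones used in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity-check a PEM bundle
# (openfire.crt in the post) before importing it into Openfire.
# Requires only the openssl command-line tool.
set -eu

# Print the subject or issuer of one PEM certificate, without the
# "subject=" / "issuer=" prefix that openssl prints.
dn_of() {  # dn_of subject|issuer file
    openssl x509 -in "$2" -noout -"$1" | sed 's/^[a-z]*= *//'
}

# Split a PEM bundle into cert01.pem, cert02.pem, ... inside $2, in bundle order.
split_bundle() {  # split_bundle bundle.crt outdir
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$1"
}

# Return 0 when the bundle is ordered leaf -> intermediate(s) -> root, i.e.
# each certificate's issuer is the subject of the next one and the final
# certificate is self-signed. Return 1 and say why otherwise.
check_chain_order() {  # check_chain_order bundle.crt
    tmp=$(mktemp -d)
    split_bundle "$1" "$tmp"
    status=0
    expect=""
    subject=""
    for f in "$tmp"/cert*.pem; do
        if [ ! -f "$f" ]; then
            echo "no PEM certificates found in $1" >&2
            status=1
            break
        fi
        subject=$(dn_of subject "$f")
        issuer=$(dn_of issuer "$f")
        if [ -n "$expect" ] && [ "$subject" != "$expect" ]; then
            echo "out of order: expected '$expect' next, found '$subject'" >&2
            status=1
        fi
        expect=$issuer
    done
    # After the loop, $expect is the last certificate's issuer and $subject
    # its subject; a root certificate has the two equal.
    if [ "$status" -eq 0 ] && [ "$subject" != "$expect" ]; then
        echo "last certificate '$subject' is not self-signed; root missing?" >&2
        status=1
    fi
    rm -rf "$tmp"
    return "$status"
}

# Cryptographically verify the leaf (first certificate) the way a client
# would: the last certificate is the trust anchor, everything else is
# offered as untrusted intermediates. Return openssl's verdict.
verify_chain() {  # verify_chain bundle.crt
    tmp=$(mktemp -d)
    split_bundle "$1" "$tmp"
    leaf="$tmp/cert01.pem"
    root=$(ls "$tmp"/cert*.pem | tail -n 1)
    cat "$tmp"/cert*.pem > "$tmp/untrusted.pem"
    if openssl verify -CAfile "$root" -untrusted "$tmp/untrusted.pem" "$leaf" >/dev/null; then
        status=0
    else
        status=1
    fi
    rm -rf "$tmp"
    return "$status"
}

# When run as a script with a bundle argument, check it and exit non-zero
# on failure; the functions above stay usable from another shell session.
if [ -n "${1:-}" ]; then
    check_chain_order "$1" && verify_chain "$1" && echo "chain OK: $1"
fi
```

Run it as "sh check_chain.sh openfire.crt" right after the cat step and before the openssl pkcs12 step; a non-zero exit means the concatenation order is wrong or a certificate is missing, which is cheaper to find here than after the keytool import.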

The next step is to remove the self-signed certificates. Login to your Openfire Admin Console, go to the tab Server, TLS/SSL Certificates, then go to the first Manage Store Contents link. Remove both RSA and DSA self-signed certificates.

Now, connect to your Openfire server, e.g. through ssh. You need to find the folder security of Openfire. On Ubuntu 16.04 LTS Xenial, it is located in
/etc/openfire/security
It should contain the following files
keystore truststore
I am not sure it is required, but I think you need to add StartCom as a trusted Certificate Authority. The second thing I am not sure about is which file to use, so just run all these commands until it eventually works, and make sure to use the correct path to the security folder
keytool -import -keystore /etc/openfire/security/truststore -trustcacerts -file root.crt
keytool -import -keystore /etc/openfire/security/truststore -trustcacerts -file 1_Intermediate.crt
keytool -import -keystore /etc/openfire/security/truststore -trustcacerts -file 1_root_bundle.crt

The keystore issue has been fixed in Openfire 4.0.3.
Using the information, in German, on this page, I understood how to add the certificate to Openfire. You need to generate a new file using openssl

Code:

openssl pkcs12 -export -in openfire.crt -inkey openfire.key -out forumanalogue.fr.pkcs12 -name forumanalogue.fr

First, you will need to enter the password that you chose for the private key. The second password needs to be changeit unless you know what you are doing, because you would be changing the keystore password. (Almost) last but not least, add the signed certificate to Openfire; make sure to change the path and the domain name, and make sure not to change the password changeit unless you know what you are doing

Code:

keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore /etc/openfire/security/keystore -srckeystore forumanalogue.fr.pkcs12 -srcstoretype PKCS12 -srcstorepass changeit -alias forumanalogue.fr

Restart Openfire

Code:

service openfire restart

and test your security.

By default, you will have a grade B score and you are subject to the Diffie-Hellman vulnerability. To fix this, you need to forbid 1024-bit Elliptic Curve Diffie-Hellman (ECDH). Open the Java security file, on Ubuntu with Oracle Java 8, /usr/lib/jvm/java-8-oracle/jre/lib/security/java.security and add or modify the line as follows
jdk.tls.ephemeralDHKeySize=2048
Now, tell Openfire to take this modification into account. In the file /etc/default/openfire modify the line as follows
DAEMON_OPTS="-Djdk.tls.ephemeralDHKeySize=2048"
The source of this trick is on this page.

You can improve the security a bit more by disabling weak algorithms. Open the Java security file, on Ubuntu with Oracle Java 8, /usr/lib/jvm/java-8-oracle/jre/lib/security/java.security and modify the lines as follows
jdk.certpath.disabledAlgorithms=MD2, MD5, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_WITH_3DES_EDE_CBC_SHA, SSL_DH_anon_WITH_DES_CBC_SHA, SSL_DH_anon_WITH_RC4_128_MD5, SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DH_DSS_WITH_DES_CBC_SHA, SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DH_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA, SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_RC4_128_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, SSL_FORTEZZA_DMS_WITH_NULL_SHA, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_WITH_IDEA_CBC_SHA, SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_NULL_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_DH_anon_EXPORT_WITH_RC4_40_MD5, SSL_DH_anon_WITH_RC4_128_MD5, SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA, SSL_DHE_DSS_WITH_RC4_128_SHA, TLS_DHE_PSK_WITH_RC4_128_SHA, TLS_ECDH_anon_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_PSK_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_KRB5_EXPORT_WITH_RC4_40_MD5, TLS_KRB5_EXPORT_WITH_RC4_40_SHA, TLS_KRB5_WITH_RC4_128_MD5, TLS_KRB5_WITH_RC4_128_SHA, TLS_PSK_WITH_RC4_128_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT1024_WITH_RC4_56_SHA, TLS_RSA_PSK_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSLv3, MD5, DSA, RSA keysize < 2048, RC4, MD5withRSA, DH keySize < 2048

These two lines need improvement. I am open to suggestions. They are inspired by this page.

There are some approximations and uncertainties in this howto because it took me a lot of work and trial and error, so I am not always sure which command eventually worked.

This page needs improvement, please give me your feedback and ask your questions if needed.
