Client certificates

Bug #240603 reported by sander
Affects Status Importance Assigned to Milestone

Bug Description

Support for client certificates would be cool. AFAIK there
is no server yet that supports this, but it would become a very
interesting feature once there are such servers. With a client
certificate, the server verifies the certificate of a client before it
allows a connection. If the certificate is invalid or revoked, the
connection is aborted before it even is established.

This feature could be very useful in a scenario to prevent abuse:
1) The server admin sells self-signed client certificates for his
server for a very small amount (micro payments)
2) The server only allows connections from clients that have a valid certificate
3) If people want multiple account they have to buy more certificates
4) If people start to abuse the server (e.g. spam), the server admin
simply revokes their certificate(s) so that it becomes invalid. No
connection can be made with that certificate any more.
5) In order to connect again to the server, the abuser would have to
buy a new certificate.

--> Advantages:
1) Good users only have to pay a small one-time fee to get a reliable
spam-free service
2) Admins get a small source of funding to pay the hosting bill
3) Bad users who need to have multiple accounts, need to buy multiple
certificates *and* their certificates get revoked so that they have to
pay new ones-->Abuse gets very expensive!

sander (s-devrieze)
Changed in coccinella:
assignee: nobody → matsben
importance: Undecided → Wishlist
Revision history for this message
sander (s-devrieze) wrote :
Revision history for this message
Nicolas (nicolasfr) wrote :

In fact there is at least one server which supports client certificates:
Openfire is a Jabber server which supports client based SSL authentication:

The latest spark client (beta 2.6.0 - java, open source) from the same company supports this feature.

I believe OS X iChat Server (based on jabberd?) also supports client based SSL authentication (I will do some tests in the next weeks).

buzzdee (sebastia)
Changed in coccinella:
milestone: none → 0.96.20
assignee: Mats (matsben) → buzzdee (sebastia)
Revision history for this message
buzzdee (sebastia) wrote :

svn revision #2797 implementing the client side server certificate verification, see bug #551811 should also contain the stuff to enable server side client certificate verification.
The user can specify client certificate and key, to be sent to the server, in order to verify the client.

Still needs to be tested, unfortunately ejabberd doesn't seem to provide such a feature.
openfire is installed, still need to figure out how to configure openfire to enable client certificate checks ;)

Is there another server implementation supporting client certificate verification?

Revision history for this message
buzzdee (sebastia) wrote :

I seem to have some problems with the java jce getting openfire to accept my certiifcate on openbsd, but I saw, jabberd2 has a patch applied some days ago, that also enabled client certificate validation:

Revision history for this message
buzzdee (sebastia) wrote :

XEP-0178: Best Practices for Use of SASL EXTERNAL with Certificates

Revision history for this message
buzzdee (sebastia) wrote :

Also, the trunk version of gajim also supports sasl-external now:, will wait for an updated version to try against a demo server:
We have a demo server at running jabberd with this patch. (note: I commented out the CRL checking). A tutorial and some utils for the cert generation can be found here, as long a debian lenny backported package: . There is also a django app that handles user registration and cert generation (a bit insecure now, since the client key generation is done server side).

buzzdee (sebastia)
Changed in coccinella:
milestone: 0.96.20 → 0.96.22
Revision history for this message
buzzdee (sebastia) wrote :

on OpenBSD -current, gajim is at version 0.14, so I can check how it works with gajim, to see what coccinella still missing here.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.