如何配置Tigase的SSL/TLS证书?

XMPP

1 基础知识

1.1 证书的基础知识

如果你不熟悉证书的相关知识,请参阅以下链接学习,
https://www.cmdschool.org/archives/7778

1.2 启用SSL/TLS证书的方法

– Tigase服务开启SSL或TLS通道的安全连接,需要从以下三种方法选择一种创建证书,
— 创建并加载pem文件的服务器证书
— Linux中安装StartCom证书
— 使用Keytool和Keystore创建Java服务器证书
– 创建证书后,SSL证书启用于5223端口的XMPP服务(官方使用默认证书开启,可自行更换自有证书)
– 创建证书后,TLS证书启用于5222端口的XMPP服务(官方使用默认证书开启,可自行更换自有证书,默认不强制TLS链接)
– TLS的证书通过修改以下配置文件的参数控制,

vim /etc/tigase/init.properties

通过以下默认参数启用TLS安全连接,

--sm-plugins=+starttls

如果需要禁用TLS安全连接,请使用如下方式声明,

--sm-plugins=-starttls

如果需要强制TLS安全连接,请使用如下参数声明,

--vhost-tls-required=true

1.3 创建证书的可选手法

– 可选创建自签名证书(建议用于调试环境)
– 可选创建由信任CA颁发的证书(建议用于生产环境)
注:Tigase 5.0.0及更高版本会自动为服务器配置自签名证书

1.4 PEM证书的创建与加载

1.4.1 创建PEM的规则

– PEM文件应包含服务器公钥证书
– PEM文件应包含服务器私钥证书
– PEM文件应包含证书链(即证中间证书,适用于CA颁发的证书才需要)
– PEM文件官方建议按域服务器公钥证书、服务器私钥证书、CA颁发的证书链、CA颁发的根证书的顺序排列
– PEM文件Tigase服务在加载时会自动对PEM文件中的证书进行排序
注:以上证书使用“cat”命令输出到“pem”后缀的文件

1.4.2 创建PEM证书的范例

1.4.2.1 创建自签名证书的范例

cat yourdomain.com.crt yourdomain.com.key > yourdomain.com.pem

1.4.2.2 创建第三方证书的范例

cat yourdomain.com.crt yourdomain.com.key sub.class1.xmpp.ca.crt ca.crt > yourdomain.com.pem

创建证书后,使用以下命令查看证书,

cat yourdomain.com.pem

可见如下显示,

-----BEGIN CERTIFICATE-----
MIIG/TCCBeWgAwIBAgIDAOwZMA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
[...]
pSLqw/PmSLSmUNIr8yQnhy4=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
WW91J3JlIGtpZGRpbmchISEKSSBkb24ndCBzaG93IHlvdSBvdXIgcHJpdmF0ZSBr
[...]
ZXkhISEhCkNyZWF0ZSB5b3VyIG93biA7KSA7KSA7KQo=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIHyTCCBbGgAwIBAgIBATANBgkqhkiG9w0BAQUFADB9MQswCQYDVQQGEwJJTDEW
[...]
xV/stleh
-----END CERTIFICATE-----

注:“[…]”表示省略

1.4.3 PEM证书的加载方法

– Tigase包含5.1.0版本内的更高版本,无需外部库和修改“init.properties”文件即可支持PEM证书加载
– Tigase需要为每个虚拟域创建一个单独的PEM文件
– Tigase的PEM文件需要存放于Tigase安装目录的“certs”文件夹,例如“/usr/tigase/certs/”
– Tigase会自动加载“certs”文件夹的证书

1.5 Keytool和Keystore的创建与加载

1.5.1 创建自签名证书的范例

keytool -genkey -alias yourdomain -keystore rsa-keystore -keyalg RSA -sigalg MD5withRSA

注:
– 普通情况“yourdomain”用自有域名代替,如自有域为“cmdschool.org”,则“yourdomain”替换为“cmdschool.org”
– 如果有多个域名(虚拟域),如“cmdschool.org”或“tigase.cmdschool.org”,则可为每个虚拟域创建单独的证书
– 如需“yourdomain”代表多域,如“cmdschool.org”和“tigase.cmdschool.org”则“yourdomain”替换为“default”

1.5.2 创建第三方证书的范例

1.5.2.1 创建证书申请

keytool -certreq -alias yourdomain -keystore rsa-keystore

注:
– 普通情况“yourdomain”用自有域名代替,如自有域为“cmdschool.org”,则“yourdomain”替换为“cmdschool.org”
– 如果有多个域名(虚拟域),如“cmdschool.org”或“tigase.cmdschool.org”,则可为每个虚拟域创建单独的证书
– 如需“yourdomain”代表多域,如“cmdschool.org”和“tigase.cmdschool.org”则“yourdomain”替换为“default”
可使用以下命令验证生成的证书,

cat rsa-keystore

可见类似如下显示,

-----BEGIN NEW CERTIFICATE REQUEST-----
[...]
-----END NEW CERTIFICATE REQUEST-----

以上创建的证书文件用于向CA发起证书请求,如果你通过以下命令查看证书,

cat your-certificate.cer

一般返回的证书内容如下,

-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

1.5.2.2 导入CA的root证书

keytool -import -keystore rsa-keystore -file rootCA.cer

注:CA的root证书需要自行到CA的官方网站下载

1.5.2.3 导入CA颁发的证书

keytool -import -alias yourdomain -keystore rsa-keystore -file your-certificate.cer

注:
– 普通情况“yourdomain”用自有域名代替,如自有域为“cmdschool.org”,则“yourdomain”替换为“cmdschool.org”
– 如果有多个域名(虚拟域),如“cmdschool.org”或“tigase.cmdschool.org”,则可为每个虚拟域创建单独的证书
– 如需“yourdomain”代表多域,如“cmdschool.org”和“tigase.cmdschool.org”则“yourdomain”替换为“default”

1.5.3 Keystore证书的导入方法

官方并没有详细的方法步骤,此问题,尚待研究

2 PEM证书配置的最佳实践

2.1 准备环境

请按如下教程部署Tigase服务器端,
https://www.cmdschool.org/archives/2478

2.2 创建自签名证书

2.2.1 创建证书目录

mkdir ~/ca

2.2.2 创建私钥和请求证书

cd ~/ca
openssl req -nodes -new -newkey rsa:2048 -keyout cmdschool.org.key -out cmdschool.org.csr

创建证书的向导如下,

[...]
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Guangdong
Locality Name (eg, city) [Default City]:DG
Organization Name (eg, company) [Default Company Ltd]:cmdschool
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:cmdschool.org
Email Address []:will@cmdschool.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

使用如下命令查看生成的证书文件,

cd ~/ca
ls -l

可见如下显示,

total 8
-rw-r--r--. 1 root root 1054 Sep 24 11:21 cmdschool.org.csr
-rw-r--r--. 1 root root 1704 Sep 24 11:21 cmdschool.org.key

2.2.3 手动创建自签名证书

cd ~/ca
openssl x509 -req -days 365 -in cmdschool.org.csr -signkey cmdschool.org.key -out cmdschool.org.crt

2.3 配置Tigase的SSL/TLS证书

2.3.1 创建自签名PEM证书

cd ~/ca
cat cmdschool.org.crt cmdschool.org.key > cmdschool.org.pem

2.3.2 备份自带的PEM证书

mkdir /backup
cp -a /usr/tigase/certs/ /backup/

2.3.3 清理自带的PEM证书

rm -rf /usr/tigase/certs/*

2.3.4 部署SSL的自签名PEM证书

cd ~/ca
cp cmdschool.org.pem /usr/tigase/certs/default.pem

2.3.5 部署TLS的自签名PEM证书

cd ~/ca
cp cmdschool.org.pem /usr/tigase/certs/cmdschool.org.pem

2.3.6 重启服务使配置生效

/etc/init.d/tigased restart

2.4 测试Tigase的SSL/TLS证书

2.4.1 测试SSL证书

openssl s_client -connect cmdschool.org:5223 -CApath /etc/ssl/certs/

可见如下显示,

CONNECTED(00000003)
depth=0 C = CN, ST = Guangdong, L = DG, O = cmdschool, OU = it, CN = cmdschool.org, emailAddress = will@cmdschool.org
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CN, ST = Guangdong, L = DG, O = cmdschool, OU = it, CN = cmdschool.org, emailAddress = will@cmdschool.org
verify return:1
---
Certificate chain
 0 s:/C=CN/ST=Guangdong/L=DG/O=cmdschool/OU=it/CN=cmdschool.org/emailAddress=will@cmdschool.org
   i:/C=CN/ST=Guangdong/L=DG/O=cmdschool/OU=it/CN=cmdschool.org/emailAddress=will@cmdschool.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDkjCCAnoCCQCSFOsxCn4yezANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMC
Q04xEjAQBgNVBAgMCUd1YW5nZG9uZzELMAkGA1UEBwwCREcxEjAQBgNVBAoMCWNt
ZHNjaG9vbDELMAkGA1UECwwCaXQxFjAUBgNVBAMMDWNtZHNjaG9vbC5vcmcxITAf
BgkqhkiG9w0BCQEWEndpbGxAY21kc2Nob29sLm9yZzAeFw0xOTA5MjQxNjUyMjJa
Fw0yMDA5MjMxNjUyMjJaMIGKMQswCQYDVQQGEwJDTjESMBAGA1UECAwJR3Vhbmdk
b25nMQswCQYDVQQHDAJERzESMBAGA1UECgwJY21kc2Nob29sMQswCQYDVQQLDAJp
dDEWMBQGA1UEAwwNY21kc2Nob29sLm9yZzEhMB8GCSqGSIb3DQEJARYSd2lsbEBj
bWRzY2hvb2wub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+Mwg
rri79R6PCU0gnAHorYRKzneIXW8zzUmlv/Vh1QPMOX2/XDIueo7h2mf68+YP+hL1
xVU8ytOVjKoE+UOQBmcDsjPR1ZuDY0T9SR3yVOyx5G5ZABxpEisdHRO7aMdivvRd
OdHg6IqCtCN2U/ouvzubejOpGwT5Ij4W5rASxf2lIl7Q7lvgPaot/VHplqOXO0O5
4UemBfl5oLWP2njfv4qV1EblqjgEV5T96JjD+dh+b30IDGIVhHSZSsSe5Flg19Sd
rFCwvZVfhRLXt2UoUwJfXAyDOfL7epzGAhBKcVerohOaAXdHt4beB54Owc3nDPNE
ussHQP6X+Zdc2IAFfQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQAjwpsbK4yF07hM
FN7/MwxBNAbo9XQQL+yrsTt5yJe2khcWQGY/ceOoITdhz7YZf/w4HajZCtDB4d0v
RVn3apb+AOArf1z0v2zx1CGLUZlWdShcRjbnYrIHv2YYDKiupnAaw1roddNtXYiQ
vQwLO0sWD49pIUJp7V63cR1WRs9v8dAptr31rR27JKK36FlwtSo8bLeuOpZsYJex
sfVes4aEIr1I16Tjs72smlzSA30x5AgVaAZxkdCPZwTGf4qMMNEDX3OAcpA2Of/p
XR0Fpyp9mwEhUDdk1OwASXMkscN8c9cc5qG6hnNKUPWNqTIvFut66GfwtT7g7slV
CXiF9PyP
-----END CERTIFICATE-----
subject=/C=CN/ST=Guangdong/L=DG/O=cmdschool/OU=it/CN=cmdschool.org/emailAddress=will@cmdschool.org
issuer=/C=CN/ST=Guangdong/L=DG/O=cmdschool/OU=it/CN=cmdschool.org/emailAddress=will@cmdschool.org
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1620 bytes and written 463 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-SHA
    Session-ID: 5D9DF5B7B384AB40349999D70C652056F459DEAB51B1560B3879EFA41D74CB45
    Session-ID-ctx:
    Master-Key: D8CD31892E6D1938A8B22BB7A1FF1ECC15101C7E3E0325445E8BC74D6FA2B9FAC426EFCEEC21A653B17779F0A7C2450E
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1570633143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

如果见到如下提示,则证书没有正确配置,

verify error:num=19:self signed certificate in certificate chain
verify return:0

2.4.2 测试TLS证书

openssl s_client -connect cmdschool.org:5222 -CApath /etc/ssl/certs/ -starttls xmpp

可见如下显示,

CONNECTED(00000003)
depth=0 C = CN, ST = Guangdong, L = DG, O = cmdschool, OU = it, CN = cmdschool.org, emailAddress = will@cmdschool.org
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CN, ST = Guangdong, L = DG, O = cmdschool, OU = it, CN = cmdschool.org, emailAddress = will@cmdschool.org
verify return:1
---
Certificate chain
 0 s:/C=CN/ST=Guangdong/L=DG/O=cmdschool/OU=it/CN=cmdschool.org/emailAddress=will@cmdschool.org
   i:/C=CN/ST=Guangdong/L=DG/O=cmdschool/OU=it/CN=cmdschool.org/emailAddress=will@cmdschool.org
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDkjCCAnoCCQCSFOsxCn4yezANBgkqhkiG9w0BAQUFADCBijELMAkGA1UEBhMC
Q04xEjAQBgNVBAgMCUd1YW5nZG9uZzELMAkGA1UEBwwCREcxEjAQBgNVBAoMCWNt
ZHNjaG9vbDELMAkGA1UECwwCaXQxFjAUBgNVBAMMDWNtZHNjaG9vbC5vcmcxITAf
BgkqhkiG9w0BCQEWEndpbGxAY21kc2Nob29sLm9yZzAeFw0xOTA5MjQxNjUyMjJa
Fw0yMDA5MjMxNjUyMjJaMIGKMQswCQYDVQQGEwJDTjESMBAGA1UECAwJR3Vhbmdk
b25nMQswCQYDVQQHDAJERzESMBAGA1UECgwJY21kc2Nob29sMQswCQYDVQQLDAJp
dDEWMBQGA1UEAwwNY21kc2Nob29sLm9yZzEhMB8GCSqGSIb3DQEJARYSd2lsbEBj
bWRzY2hvb2wub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+Mwg
rri79R6PCU0gnAHorYRKzneIXW8zzUmlv/Vh1QPMOX2/XDIueo7h2mf68+YP+hL1
xVU8ytOVjKoE+UOQBmcDsjPR1ZuDY0T9SR3yVOyx5G5ZABxpEisdHRO7aMdivvRd
OdHg6IqCtCN2U/ouvzubejOpGwT5Ij4W5rASxf2lIl7Q7lvgPaot/VHplqOXO0O5
4UemBfl5oLWP2njfv4qV1EblqjgEV5T96JjD+dh+b30IDGIVhHSZSsSe5Flg19Sd
rFCwvZVfhRLXt2UoUwJfXAyDOfL7epzGAhBKcVerohOaAXdHt4beB54Owc3nDPNE
ussHQP6X+Zdc2IAFfQIDAQABMA0GCSqGSIb3DQEBBQUAA4IBAQAjwpsbK4yF07hM
FN7/MwxBNAbo9XQQL+yrsTt5yJe2khcWQGY/ceOoITdhz7YZf/w4HajZCtDB4d0v
RVn3apb+AOArf1z0v2zx1CGLUZlWdShcRjbnYrIHv2YYDKiupnAaw1roddNtXYiQ
vQwLO0sWD49pIUJp7V63cR1WRs9v8dAptr31rR27JKK36FlwtSo8bLeuOpZsYJex
sfVes4aEIr1I16Tjs72smlzSA30x5AgVaAZxkdCPZwTGf4qMMNEDX3OAcpA2Of/p
XR0Fpyp9mwEhUDdk1OwASXMkscN8c9cc5qG6hnNKUPWNqTIvFut66GfwtT7g7slV
CXiF9PyP
-----END CERTIFICATE-----
subject=/C=CN/ST=Guangdong/L=DG/O=cmdschool/OU=it/CN=cmdschool.org/emailAddress=will@cmdschool.org
issuer=/C=CN/ST=Guangdong/L=DG/O=cmdschool/OU=it/CN=cmdschool.org/emailAddress=will@cmdschool.org
---
No client certificate CA names sent
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 2321 bytes and written 632 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-SHA
    Session-ID: 5D9DF4BD546C9A508CA0F3047927AFFBEAE1A90347C78C85466EE5598DC6ADF1
    Session-ID-ctx:
    Master-Key: A2753F8E1D92C49BC3B7975AD54F149FF88F2E94FEC14BFBB5D79500B6EEDDD87EF34462E7705513E853DFFF5BCD4C0A
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1570632893
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

2.4.3 使用客户端测试

请按如下向导部署并使用客户端测试,
https://www.cmdschool.org/archives/2670

参阅文档
=================

配置Tigase的SSL证书
——————
https://docs.tigase.org/tigase-server/5.2.0/admin_guide/html/#_installing_loading_certificate_to_the_tigase_server

强制使用SSL协议
——————
https://wiki.xmpp.org/web/Securing_XMPP

配置Tigase的TLS证书
——————
http://www.jfcarter.net/~jimc/documents/xmpp-1307/xmpp-tigase-1802.html

KeyStore证书的加载方法
——————-
https://github.com/fanout/tigase-server/blob/master/debian/init.properties

没有评论

发表评论

XMPP
如何集成Tigase 8.x与MongoDB?

1 基础知识 1.1 Tigase支持的数据库 Database Recommended Versi …

XMPP
如何部署Tigase Server 8.x?

1 基础知识 1.1 压缩包命名规则 tigase-server-<version>-S …

XMPP
如何部署Tigase的客户端?

1 基础知识 1.1 软件介绍 Psi是专为XMPP(Tigase)网络设计的免费即时通讯应用程序。 …