
How to download the certificate from an XMPP (jabber) server to trust it locally?

0 votes
1 answer
814 views
I am trying to log in with the Dino XMPP client with user credentials at an XMPP domain which is hosted at conversations.im. Thus, there is no XMPP server at the domain. Instead, the respective SRV records point to xmpps-hosting or xmpp-hosting at conversations.im. The Conversations XMPP client verifies the certificate for the connection by PKIX over Secure HTTP (POSH), RFC 7711, which I configured, but Dino doesn't support it yet ([#451](https://github.com/dino/dino/issues/451)). Thus, the connection fails at a self-signed certificate:

> By default our server will create a self-signed certificate. On first connect you will be asked to verify the certificate manually. You can do this by comparing the certificate's SHA-256 fingerprint that you are prompted with, with the fingerprint below.
>
> 7e:9f:aa:ca:cb:2e:21:96:8d:85:8d:68:ef:04:ee:c6
> 0f:f7:78:44:12:ee:74:4b:a0:31:f8:10:96:03:72:b9
>
Dino doesn't support manual verification of the certificate ([#57](https://github.com/dino/dino/issues/57), [#452](https://github.com/dino/dino/issues/452)). So, it cycles and then rejects the connection when trying to add the account. It wouldn't be a problem if only I could get that certificate and then add it to the system trust store. However, I could not find a way to download the certificate. I tried an approach similar to [a Serverfault answer](https://serverfault.com/a/1074374/583863), but couldn't get a certificate:
```console
$ nslookup -type=SRV _xmpps-client._tcp.riabenko.com
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
_xmpps-client._tcp.riabenko.com	service = 1 1 443 xmpps-hosting.conversations.im.

Authoritative answers can be found from:
```

```console
$ openssl s_client -starttls xmpp -xmpphost riabenko.com -connect xmpps-hosting.conversations.im:443 -debug
CONNECTED(00000003)
write to 0x55db90fcebd0 [0x7fffa67799a0] (117 bytes => 117 (0x75))
0000 - 3c 73 74 72 65 61 6d 3a-73 74 72 65 61 6d 20 78   
read from 0x55db90fcebd0 [0x55db90f90020] (8192 bytes => 0)
read from 0x55db90fcebd0 [0x55db90f90020] (8192 bytes => 0)
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 117 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x55db90fcebd0 [0x55db90f8e010] (8192 bytes => 0)
```
How can I get the certificate from the server?
Asked by Roman Riabenko (2436 rep)
Jul 9, 2022, 11:19 AM
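The `_xmpps-client` SRV record found above announces direct TLS (XEP-0368): the endpoint on port 443 expects a TLS ClientHello immediately. `openssl s_client -starttls xmpp` instead writes a plaintext `<stream:stream ...>` header into that socket, the server closes it, and that is exactly what the transcript shows: 117 bytes written, 0 bytes read, "no peer certificate available". The "Verification: OK" and "Verify return code: 0 (ok)" lines do not mean a certificate passed verification; nothing was received to verify. STARTTLS belongs to the `_xmpp-client` record, usually on port 5222. The script below is an added example, not code from the question or from the Dino or Conversations projects. It assumes `dig` and `openssl` are installed; the host names are the ones appearing in the question, and the test certificate used while developing it was a locally generated stand-in. It picks the TLS mode from the SRV service name, sends the XMPP domain as SNI (one hosting endpoint serves many domains and needs SNI to select the right certificate), saves the leaf certificate, and prints its SHA-256 fingerprint in the lower-case colon-separated form published on the hosting page so it can be compared before anything is trusted.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: fetch the certificate an XMPP
# server presents for a domain and print its SHA-256 fingerprint in the
# lower-case colon-separated form the conversations.im hosting page uses.
# Assumes `dig` (bind-utils) and `openssl` are installed.
set -eu

# Turn `dig +short SRV` lines ("prio weight port target.") into "target port"
# lines, lowest priority then highest weight first, trailing dot removed.
# Separated from the DNS query so it can be exercised on constructed input.
parse_srv() {
  sort -k1,1n -k2,2nr | awk '{ sub(/\.$/, "", $4); print $4, $3 }'
}

# $1 = SRV service (_xmpps-client = direct TLS, _xmpp-client = STARTTLS),
# $2 = XMPP domain. Prints "target port" per record.
srv_targets() {
  dig +short SRV "$1._tcp.$2" | parse_srv
}

# Direct TLS (XEP-0368, announced by _xmpps-client, port 443 in the question):
# the socket expects a TLS ClientHello at once, so -starttls must not be used.
# SNI carries the XMPP domain rather than the hosting target, because one
# endpoint serves many domains and picks the certificate by SNI; ALPN
# "xmpp-client" names the protocol. $1 = host, $2 = port, $3 = XMPP domain.
# Prints the leaf certificate as PEM; fails if no certificate was received.
fetch_cert_direct_tls() {
  openssl s_client -connect "$1:$2" -servername "$3" -alpn xmpp-client \
    -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM 2>/dev/null
}

# STARTTLS (announced by _xmpp-client, usually port 5222): the stream opens in
# plaintext and is upgraded; -xmpphost sets the stream header's "to" attribute
# so the server selects the right virtual host. Same arguments as above.
fetch_cert_starttls() {
  openssl s_client -connect "$1:$2" -starttls xmpp -xmpphost "$3" \
    -servername "$3" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -outform PEM 2>/dev/null
}

# Try every SRV target, direct TLS first, then STARTTLS. $1 = XMPP domain.
# Prints the first certificate obtained; returns 1 if none could be fetched.
fetch_cert_for_domain() {
  for svc in _xmpps-client _xmpp-client; do
    srv_targets "$svc" "$1" | {
      while read -r target port; do
        if [ "$svc" = _xmpps-client ]; then
          fetch_cert_direct_tls "$target" "$port" "$1" && exit 0
        else
          fetch_cert_starttls "$target" "$port" "$1" && exit 0
        fi
      done
      exit 1
    } && return 0
  done
  return 1
}

# SHA-256 fingerprint of the PEM certificate on stdin, lower-case with colons.
fingerprint_sha256() {
  openssl x509 -noout -fingerprint -sha256 | sed 's/^[^=]*=//' | tr 'A-F' 'a-f'
}

# Compare two fingerprints ignoring case, colons and whitespace, so a value
# copied from a page that wraps it over two lines (as quoted above) still
# compares. Succeeds only for two identical 64-hex-digit values.
fingerprints_match() {
  a=$(printf '%s' "$1" | tr -d ': \n\t' | tr 'A-F' 'a-f')
  b=$(printf '%s' "$2" | tr -d ': \n\t' | tr 'A-F' 'a-f')
  [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Driver, active only when XMPP_DOMAIN is set, e.g.
#   XMPP_DOMAIN=riabenko.com EXPECTED_FP='<published fingerprint>' ./xmpp-cert.sh
# Saves the leaf certificate to <domain>.pem; with EXPECTED_FP set, refuses
# to report success unless the fingerprint matches the published one.
if [ -n "${XMPP_DOMAIN:-}" ]; then
  out="$XMPP_DOMAIN.pem"
  fetch_cert_for_domain "$XMPP_DOMAIN" > "$out" \
    || { echo "no certificate obtained for $XMPP_DOMAIN" >&2; exit 1; }
  fp=$(fingerprint_sha256 < "$out")
  printf 'SHA-256 fingerprint for %s: %s (saved to %s)\n' "$XMPP_DOMAIN" "$fp" "$out"
  if [ -n "${EXPECTED_FP:-}" ]; then
    if fingerprints_match "$fp" "$EXPECTED_FP"; then
      echo "fingerprint matches the published value"
    else
      echo "fingerprint MISMATCH: do not trust $out" >&2
      exit 1
    fi
  fi
fi
```

Compare the printed fingerprint with the one published by the hosting provider before adding the saved file to any trust store; a mismatch means the certificate you fetched is not the one the provider describes, and the file should be discarded. Adding the certificate to the system store only helps a client if its TLS backend consults that store and the certificate's subject alternative names cover the XMPP domain; otherwise the hostname check still fails even though the certificate is trusted.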