
Unable to connect non-TLS: unable to verify the first certificate #42

Closed
silverbucket opened this issue Aug 13, 2021 · 3 comments

Comments

@silverbucket

silverbucket commented Aug 13, 2021

I am running the mongooseim docker image locally, have created a test account, but am unable to connect due to a TLS error. From what I've read mongooseim should be defaulting to non-TLS unless provided with certs (which I have not done). Similarly, xmpp.js will default to non-TLS as well.

I've broken it down to as simple an example as I could. Any help would be greatly appreciated, I feel like I may be overlooking something quite simple.

start service and create user

$ docker run -d -t -h mongooseim-1 --name mongooseim-1 -p 5222:5222 mongooseim/mongooseim:4.2.0
$ docker exec mongooseim-1 /usr/lib/mongooseim/bin/mongooseimctl register_identified jimmy localhost passw0rd

connect

Using xmpp.js node library, here's a simplified script (test-client.js) which illustrates the problem:

const { client } = require("@xmpp/client");

(function () {
  // "xmpp://" is a plain-TCP service URI: xmpp.js connects without TLS and
  // only upgrades via STARTTLS if the server advertises that feature.
  const c = client({
    service: 'xmpp://localhost',
    username: 'jimmy',
    password: 'passw0rd'
  });

  c.on("offline", (a) => {
    console.log("offline", a);
  });

  c.start().then(() => {
    console.log('connection successful');
  }).catch((err) => {
    console.log(`connect error: ${err}`);
  });
})();

$ node test-client.js
connect error: Error: unable to verify the first certificate
node:internal/process/promises:246
          triggerUncaughtException(err, true /* fromPromise */);
          ^

Error: unable to verify the first certificate
    at TLSSocket.onConnectSecure (node:_tls_wrap:1530:34)
    at TLSSocket.emit (node:events:394:28)
    at TLSSocket._finishInit (node:_tls_wrap:944:8)
    at TLSWrap.ssl.onhandshakedone (node:_tls_wrap:725:12)
Emitted 'error' event on Client instance at:
    at node_modules/@xmpp/middleware/index.js:19:30
    at processTicksAndRejections (node:internal/process/task_queues:96:5) {
  code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'
}
silverbucket changed the title from "Unable to connect non-TLS" to "Unable to connect non-TLS: unable to verify the first certificate" on Aug 13, 2021
@chrzaszcz
Member

chrzaszcz commented Oct 13, 2023

Thanks @silverbucket for reporting this. I apologise for replying with a huge delay, but honestly we rarely check the issues for this repo, because it is only a helper repository for MongooseIM.

Regarding the issue, MongooseIM actually has TLS enabled in the default configuration file, because the listen.c2s.tls section is present in /usr/lib/mongooseim/etc/mongooseim.toml. We might change the wording in the docs a bit. By default a fake certificate is used (intended only for testing), and you can disable it by commenting out (or removing) the tls options:

[[listen.c2s]]
  port = 5222
  access = "c2s"
  shaper = "c2s_shaper"
  max_stanza_size = 65536
  #tls.verify_mode = "none"
  #tls.certfile = "priv/ssl/fake_server.pem"

When I tested this with your JS script, I figured out that somehow the connection was dropped. This led me to discover a bug, which I fixed in esl/MongooseIM#4150.

NelsonVides added a commit to esl/MongooseIM that referenced this issue Oct 16, 2023
When the TLS section is missing, then according to the documentation STARTTLS should be rejected. This was not the case: the feature was advertised, and a TLS upgrade performed by a client (who was informed about the support) resulted in a crash.

This PR fixes these issues:

    STARTTLS is only advertised when enabled.
    Upgrade attempt results in a correct failure element, as described in RFC 6120.

The tests are updated to check these conditions, and to correctly verify the features for optional and required STARTTLS as well.

The bugs were discovered accidentally when checking esl/mongooseim-docker#42. The statement about TLS disabled by default is changed in the docs, because it most likely confused the reporter of that issue.
@chrzaszcz
Member

Related bugs are fixed now, and the docs are updated.

@silverbucket
Author

@chrzaszcz thanks for following up on this! I'm glad it led to a bug being fixed, even if indirectly :) Also I had a look at the updated docs and it does read more clearly now. Cheers!
