Added the openssl ocsp flag to ignore malformed requests. The OCSP responder now continues running instead of terminating upon receiving a malformed request.
When testing connectivity it is useful to be able to curl http://ocsp-responder:8888. Previous to this commit the responder would send 200 OK then exit. With this change we still get the 200 response but the responder remains active.
The OCSP responder in OpenSSL (in Alpine) only supports IPv4 so I've used socat as a proxy to listen in IPv4 and IPv6 then forward to the OCSP responder on localhost using IPv4.
This file is being added to Openfire so I'm porting it into this project as we use a copy of the security directory and overwrite the original.
To pick up the setting in this new file, and the new system property (jdk.tls.server.enableStatusRequestExtension=true), we must also use the updated openfire.sh start script which includes the new file and sets the mentioned system property. This will happen naturally when those changes make it into the Openfire Docker image. Until then you can recreate this behaviour by adding the following to xmpp1 and xmpp2:
```
environment:
JAVA_TOOL_OPTIONS: >
-Djava.security.properties=/var/lib/openfire/conf/security/java.security
-Djdk.tls.server.enableStatusRequestExtension=true
```
I considered adding IPv6 support to the OCSP responder but it would add more files and complexity for (I think) little gain.
Instead this change keeps the OCSP responder on IPv4 only, but makes sure it's properly configured in the hosts file even when using the -6 flag. The OCSP responder will always use IPv4, other services will be able to reach it via IPv4 regardless of whether they're using IPv6 for their own communication.
Cert generation and import scripts now support any number of XMPP servers and use more intuitive naming for the certificates.
This will make it easier to move cert generation to other configurations. Maybe promoting this to a top-level script to generate certs in all scenarios.
Prior to this the OCSP responder used 172.50.0.30. This conflicts with an example given in the readme, which uses the same IP address describing how to add a third node to the setup.
This change avoids confusion, and keeps things consistent if we ever decide to copy this to the other configurations (eg clustering_with_federation).
- Update OCSP URL in certificate generation from IP to domain name
- Add OCSP hostname to docker-compose network configuration
- Document useful hosts file entries in README.md
The changes make it easier to test OCSP locally with clients by using domain names that can be mapped in host files.
Adds Online Certificate Status Protocol (OCSP) support to the federated Openfire setup:
- Add certificate generation script with full PKI hierarchy
- Add certificate import script for Openfire keystores
- Implement OCSP responder service via Docker compose
- Update documentation with OCSP usage instructions
The -o flag can now be used with start.sh to enable OCSP support.
This adds support for IPv6, by giving all `start.sh` scripts an `-6` argument, that causes a dualstack configuration to be loaded.
Each individual docker-compose file has been split out. Now, each file no longer defines any networking. Instead, one of two networking fragments is expected to be merged in.
When starting Openfire, a Hazelcast configuration option is passed through to the Openfire process to denote preference for IPv4 or IPv6. This passing through depends on the change in Openfire, that is introduced by 2634d4a83a
Minor other changes have been applied, that mostly make the start scripts more consistent amongst each-other.
fixes#61
- Unified structure for auto-loading plugins for different modes of operation
- Added in heapdump/monitoring/jsxc plugins for auto-loading
- Modified scripts to work with (docker compose 2) default of using hyphens for creating service names
- Fixed copy monitoring plugin script and added copy hazelcast plugin script
- Extra scripts for blocking and unblocking server 2 in federation mode
By setting the 'debug' flag in the database, Openfire will, at boot time, override the configuration in log4j2.xml.
When debug logging is desired, it's best to configure that in the log4j2.xml file instead of in the database.
Openfire 4.7.0 brings a change to the name of the log files. They've been renamed from 'all.log' to 'openfire.log'.
This commit applies the same change to this project.
Guus der Kinderen
Matthew Vivian
mjones216
Dan Caseley
Emiel van der Herberg