[Solved] XMPP IM account produces certificate error.

[pizzaazzip]

My employer hosts a XMPP server where I can chat with the employees I work with. Typically we use Adium (for mac) or Pidgin (for everything else) but because Fossamail is pretty cool and I have it setup to work with Google Talk & Facebook, it would be nice to add my work account. When I add this work account on Pidgin and I set the settings correctly, a certificate notification pops up and I hit something on the lines of I agree and I'm able to use it fully. This does not pop up in Fossamail so I'm not sure if I did something wrong or somehow it is not supported. The error message Fossamail throws is Error: Issuer certificate is invalid. The settings for Pidgin to work are:

im.nameofdomain.com
Connection security: Require encryption
allow plaintext auth over unencrypted streams is unchecked
Connect port 5222
Use global proxy settings

In Fossamail, I have tried to set the username as username & username@im.nameofdomain.com. It appears just username won't work. The settings I've tried for the full username are:
Auto-joined channels: Blank
Resource: Blank
Priority: 0
Connection Security: I've tried all three
Port: 5222

Anyone have any ideas?

[Moonchild]

Your work has to make sure the certificate is valid -- self-signed should also be perfectly fine, but if it's CA-signed and the signature or issuer is invalid, then FossaMail will refuse the invalid SSL connection because it hard-fails the authentication part of encryption.

[pizzaazzip]

Ok, so I double checked Pidgin and if I view the certificate, it says:

Common name: tftp.nameofdomain.com
Issued By: (self-signed)

Fingerprint (SHA1): stuff
Activation date: Some time in 2013
Expiration date: some time in 2018

The previous page says:

The certificate for im.nameofdomain.com could not be validated.
The certificate claims to be from "tftp.nameofdomain.com" instead. This could mean that you are not connecting to the service you believe you are.
The certificate is self-signed and cannot be automatically checked.

Is this not working in FossaMail because the common name is not im.nameofdomain.com and instead is tftp.nameofdomain.com?

I should also mention MirandaIM also works with this account.

[Moonchild]

The common name or any alt names must match the name of the domain used. Otherwise the certificate is invalid for the host used and FossaMail will (rightfully) refuse the connection.
Once again:

Your work has to make sure the certificate is valid

That means:

• Valid for the domain/host it's used for
• Valid signature (self-signed is OK)
• Potentially, for XMPP use, it may need the XMPP extension

The fact that it works in other clients will just mean that those clients don't care about the validity of the certificate, and only care that it is "in some way encrypted".

[pizzaazzip]

Thanks for all of your help and clarification. I'll see if I can get them to change it. How can I mark this post as solved? If I have any additional issues, I imagine I can just open a new one.

[Moonchild]

Normally you just edit the topic of the first post to add [Solved] to the topic title at the start.

[pizzaazzip]

Gotcha thanks again.