Messages/Jabber service doesn't use TLS even if certificate is installed and configured

Originator: pepi.zawodsky
Number: rdar://22903700    Date Originated: 29-Sep-2015 11:05 PM
Status: Open    Resolved:
Product: OS X Server    Product Version: 5.0.4
Classification: Security    Reproducible: Always
 
Summary:
Messages/Jabber service doesn't use TLS even if certificate is installed and configured

Steps to Reproduce:
Install private RSA key and matching CA signed certificate.pem in Server.app 5.0.4 as well as have the necessary intermediate certificate of your signing CA installed on the System.keychain.


Expected Results:
After assigning a certificate to Messages service I expect the Messages service to not only support but even require TLS for any C2S connection.

Actual Results:
Messages service still does not support TLS at all, only plaintext connections.
Certificate Selection shows “custom configuration”, which usually indicates that Server.app fucked something up with certificates again.

Regression:
This actually did work in 5.0.3.
Completely removing the certificate and RSA private keys and reimporting them again does not remedy the problem.

It is NOT possible to manually fix Server.app's broken key/certificate management by fixing the hostname.example.com.<UUID>.concat.pem file by concatenating the private key at the end. This should have been done by Server.app, but it seems mostly broken since Server 5.

This means the Messages service can't be used due to lack of any encryption.

Notes:
No warning is given to the admin that users will leak their single-sign-on passwords over plaintext logins by using the Messages service.
serverdiagnose archive attached.
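A check an administrator can run against the C2S port to confirm what this report describes, i.e. whether the server offers STARTTLS in its stream features at all and whether it requires it (RFC 6120). This is an added example, not part of the Radar or of Server.app; the hostname and port passed to probe_c2s are assumptions, and the sample feature sets at the bottom are constructed, not captured from a real server.

```python
import socket
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"


def classify_starttls(features_xml: str) -> str:
    """Return 'required', 'optional' or 'absent' for the STARTTLS offer in a
    <stream:features> fragment (RFC 6120 section 5.4.1)."""
    # The stream: prefix is declared on the enclosing <stream:stream>, whose
    # close a probe never sees, so wrap the fragment in a throwaway root first.
    root = ET.fromstring(f'<r xmlns:stream="{STREAM_NS}">{features_xml}</r>')
    feats = root.find(f"{{{STREAM_NS}}}features")
    tls = None if feats is None else feats.find(f"{{{TLS_NS}}}starttls")
    if tls is None:
        return "absent"
    if tls.find(f"{{{TLS_NS}}}required") is not None:
        return "required"
    return "optional"


def probe_c2s(host: str, port: int = 5222, domain: str = "", timeout: float = 5.0) -> str:
    """Open a C2S stream and classify the server's STARTTLS offer. Only the
    pre-TLS stream header is sent; no credentials are involved."""
    domain = domain or host
    header = ("<?xml version='1.0'?>"
              f"<stream:stream to='{domain}' version='1.0' xmlns='jabber:client' "
              f"xmlns:stream='{STREAM_NS}'>")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header.encode())
        buf = b""
        # The server answers with its own header followed by <stream:features>.
        while b"</stream:features>" not in buf and b"<stream:features/>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
        sock.sendall(b"</stream:stream>")
    text = buf.decode("utf-8", errors="replace")
    start, end = text.find("<stream:features"), text.find("</stream:features>")
    if start < 0 or end < 0:
        return "absent"  # no features element, or an empty one: nothing is offered
    return classify_starttls(text[start:end + len("</stream:features>")])


# Constructed sample feature sets (not captured from a real server).
SAMPLE_REQUIRED = ("<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>"
                   "<required/></starttls></stream:features>")
SAMPLE_PLAINTEXT_ONLY = ("<stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
                         "<mechanism>PLAIN</mechanism></mechanisms></stream:features>")
```

A server in the state the report describes returns "absent" from probe_c2s; the expected state after assigning a certificate is "required".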
