Note on using un-trusted certs with xmpp-client
drduh authored Jan 3, 2018
1 parent 354972a commit bf603dd
Showing 1 changed file with 11 additions and 1 deletion.
12 changes: 11 additions & 1 deletion README.md
@@ -1080,7 +1080,7 @@ To start a chat, select the `+` icon and select *New Chat*.

Start OTR by selecting the lock icon and verifying your contact with a secret question and answer, or out of band (e.g., in person).

To connect from a Mac client, use an XMPP client like [Profanity](http://profanity.im/), [agl/xmpp-client](https://github.com/agl/xmpp-client), or [Adium](https://github.com/drduh/OS-X-Security-and-Privacy-Guide#otr).
To connect from a Mac client, use an XMPP client like [Profanity](http://profanity.im/), [agl/xmpp-client](https://github.com/agl/xmpp-client), or [Adium](https://github.com/drduh/macOS-Security-and-Privacy-Guide#otr).

If you can't connect, check for errors in `/var/log/prosody/prosody.err` on the server.

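Review bot: The only change in this hunk (the Adium link moving from `OS-X-Security-and-Privacy-Guide#otr` to `macOS-Security-and-Privacy-Guide#otr`) is unrelated to the commit title "Note on using un-trusted certs with xmpp-client" and is not mentioned in it; either call out the link update in the commit message or split it into its own commit, and confirm the `#otr` anchor still resolves in the renamed repository so the link does not silently land at the top of the page.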
@@ -1090,6 +1090,16 @@ Verify the SHA-256 fingerprint matches the certificate you see on the server:

If it matches the fingerprint in the presented certificate prompt, trust it and connect.

To view and verify the XMPP server's certificate fingerprint remotely, use the `openssl` command:

$ echo -e | openssl s_client -connect duh.to:5222 -starttls xmpp | openssl x509 -noout -fingerprint -sha256 | tr -d ':'
[...]
SHA256 Fingerprint=9B759D41E3DE30F9D2F902027D792B65D950A98BBB6D6D56BE7F2528453BF8E9

**Note** If using agl/xmpp-client and custom certificates (i.e., not signed by a trusted root CA), you will need to [manually add](https://github.com/agl/xmpp-client/issues/44#issuecomment-39539794) the server's SHA256 fingerprint to `~/.xmpp-client`, like:

"ServerCertificateSHA256": "9B759D41E3DE30F9D2F902027D792B65D950A98BBB6D6D56BE7F2528453BF8E9"

# Mail

Configuring and running a mail server is an enormous [hassle](http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/) and maintaining one is a [time-consuming task](https://www.digitalocean.com/community/tutorials/why-you-may-not-want-to-run-your-own-mail-server). Moreover, many service providers [do not allow](https://cloud.google.com/compute/docs/tutorials/sending-mail/) outbound SMTP.
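Review bot: The new `openssl s_client` paragraph is introduced as a way to "view and verify" the fingerprint remotely, but a fingerprint fetched over the same network path the client uses only shows what is being presented, not that it is the right certificate; the preceding context line already tells the reader to match against "the certificate you see on the server", so the sentence should say the remote value is to be compared with the fingerprint computed on the server itself, and only then pasted into `"ServerCertificateSHA256"` in `~/.xmpp-client`. Two smaller points: `echo -e |` is only there to give `s_client` an EOF on stdin, and `</dev/null` does that portably (the `-e` flag is handled differently by `sh` and `bash`); and `**Note**` is missing the colon used elsewhere for such callouts.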
