TLS Client certificate Verification in Start TLS

[junaidsarwar414]

I need To Ask that Ejabberd Community version Supports Client Certificate verification .I am not taking about XEP-0178.I want to enable Client Certificate Verification in TLS Connection.

[weiss]

Client Certificate Verification in TLS Connection

How would that be different from XEP-0178, section 2 (which is indeed supported by ejabberd)?

[junaidsarwar414]

In Xep 0178 Certificate is used for user authentication.While i need to Verify Client Certificate at Ejabberd for TLS Connection and Login With username nd password.

For reference of prosody server Option for Client Certificate Verification is

verify
A list of verification options (these mostly map to OpenSSL’s set_verify() flags). Prosody’s default is { "peer", "client_once" }.

Available verification options are:

none (no verification)
peer (verify the peer’s certificate)
client_once (do not request the client’s certificate during renegotiation)
fail_if_no_peer_cert (fail if the peer does not present a certificate)

https://prosody.im/doc/advanced_ssl_config

[junaidsarwar414]

I did ejabberd Setting for TLS_verify: true. But It always Verify the Certificate of Client.
i Think its because of this function in fasttls
static int verify_callback(int preverify_ok, X509_STORE_CTX *ctx) {
return 1;
}
https://github.com/processone/fast_tls/blob/master/c_src/fast_tls.c