Skip to main content

I had an issue where logging in from the app disconnected.  The error that kept popping up was

[date time stamp] [warning] <0.1722.0>@ejabberd_c2s:process_terminated:304 (tls|<0.1722.0>) Failed to secure c2s connection: TLS failed: Failed to find a certificate matching the domain in SNI extension: error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext

I had thought the issue was to do with a TLS error.  I wanted to run TLS 1.2 only.  To do so:

1. Connect to the server via SSH as "root":

2. Run this command to enable TLS 1.2 ONLY server wide:

plesk bin server_pref -u -ssl-protocols 'TLSv1.2'

To disable TLS 1.0 and keep 1.1 and 1.2 for all Plesk web services:

plesk sbin sslmng --protocols="TLSv1.1 TLSv1.2"

If you need to strengthen the SSL ciphers to pass typical PCI DSS setups, you can use the following. This assumes you leave only TLS 1.2 and disable everything else:

You can check to see what ciphers are in use:

grep SSLCipher /etc/httpd/conf.d/ssl.conf

Now with the TLS cleaned up, when I next tested the log in it still discounted.  Now it was time to focus on the listen ports in the ejabberd.yml file.

To read more about ejabberd listening ports start by reading the documentation on the ejabberd configuration page.  However, reading through wasn't resolving my issue of the app disconnecting when attempting to log in.  By way of reference the listening ports appear as follows:

listen:
      -
        port: 5222
        module: ejabberd_c2s
        shaper: c2s_shaper
        access: c2s
      -
        port: 5280
        module: ejabberd_http
        web_admin: true
        http_bind: true
        request_handlers:
          "/mqtt": mod_mqtt

Reading the listen ports, the more I noticed either

starttls: true

or 

## To enforce TLS encryption for client connections,

## use this instead of the "starttls" option:

starttls_required: true

appearing - I also noticed whether the certfile was noted.

certfile: "/var/www/vhosts/example.com/certs/example_com.pem"

For me, the solution to the disconnecting error was to add the certfile to each of the listening ports that had starttls or starttls_required set to true.