I had an issue where logging in from the app kept disconnecting. The error that kept popping up was:
[date time stamp] [warning] <0.1722.0>@ejabberd_c2s:process_terminated:304 (tls|<0.1722.0>) Failed to secure c2s connection: TLS failed: Failed to find a certificate matching the domain in SNI extension: error:1408A0E2:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext
I had thought the issue was to do with a TLS error. I wanted to run TLS 1.2 only. To do so:

1. Connect to the server via SSH as "root".
2. Run this command to enable TLS 1.2 ONLY server wide:

   plesk bin server_pref -u -ssl-protocols 'TLSv1.2'

To disable TLS 1.0 and keep 1.1 and 1.2 for all Plesk web services:

   plesk sbin sslmng --protocols="TLSv1.1 TLSv1.2"

If you need to strengthen the SSL ciphers to pass typical PCI DSS setups, you can use the following. This assumes you leave only TLS 1.2 and disable everything else:

You can check to see what ciphers are in use:

   grep SSLCipher /etc/httpd/conf.d/ssl.conf
Now, with the TLS cleaned up, when I next tested the log in it still disconnected. It was time to focus on the listen ports in the ejabberd.yml file.
To read more about ejabberd listening ports, start by reading the documentation on the ejabberd configuration page. However, reading through wasn't resolving my issue of the app disconnecting when attempting to log in. By way of reference, the listening ports appear as follows:

   listen:
     -
       port: 5222
       module: ejabberd_c2s
       shaper: c2s_shaper
       access: c2s
     -
       port: 5280
       module: ejabberd_http
       web_admin: true
       http_bind: true
       request_handlers:
         "/mqtt": mod_mqtt
Reading through the listen ports, I noticed which listeners had

   ## To enforce TLS encryption for client connections,
   ## use this instead of the "starttls" option:
   starttls_required: true

set, and also whether a certfile was noted for that listener.
For me, the solution to the disconnecting error was to add the certfile to each of the listening ports that had starttls or starttls_required set to true.
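As an added example (not from the original post or from the ejabberd project), here is what that fix looks like in ejabberd.yml for the 5222 client listener. The path in certfile is an assumption; the file must be a PEM bundle (private key, server certificate and any intermediates) whose subject or SAN matches the XMPP domain the client sends in its SNI extension, since that is exactly the match the logged error says it could not find.

```yaml
# Listener as it looked when the SNI error was logged (assumed reconstruction):
# STARTTLS is mandatory, but no certificate is attached to the listener.
#
#   - port: 5222
#     module: ejabberd_c2s
#     starttls_required: true
#     shaper: c2s_shaper
#     access: c2s

listen:
  -
    port: 5222
    module: ejabberd_c2s
    ## To enforce TLS encryption for client connections,
    ## use this instead of the "starttls" option:
    starttls_required: true
    # certfile path is an assumption: PEM bundle whose certificate matches
    # the XMPP domain (e.g. example.com) that clients send via SNI.
    certfile: "/etc/ejabberd/certs/example.com.pem"
    shaper: c2s_shaper
    access: c2s
```

After restarting ejabberd, the quickest way to confirm the listener now presents the right certificate for a given SNI name is an openssl handshake against port 5222, e.g. openssl s_client -connect host:5222 -starttls xmpp -servername example.com, and then checking that the subject/SAN printed matches the domain and that the "Failed to find a certificate matching the domain in SNI extension" line no longer appears in the ejabberd log. Note that the per-listener certfile key is the one this post relies on; newer ejabberd releases prefer the top-level certfiles option, so check the documentation for the version you are running.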