certificate authentication

[chrisatta]

MongooseIM version: 3.7.0
Installed from: pkg
Erlang/OTP version: (put the version)

Hello everyone,
I am trying to enable authentication with c2s certificate but I am having trouble connecting to the server. I followed this documentation:
https://mongooseim.readthedocs.io/en/3.7.0/authentication-methods/client-certificate/
Password auth works, but certificate auth does not works. I am using Usage example - Gajim and Generate client certificate.

this is my config:

{ 5222, ejabberd_c2s, [

		%%
		%% If TLS is compiled in and you installed a SSL
		%% certificate, specify the full path to the
		%% file and uncomment this line:
		%%
		{tls, true},
		%{certfile, "/etc/mongooseim/ca.pem"}, starttls,
		{cafile, "/etc/mongooseim/rootCA.pem"}, 
		{verify_peer, true},
		{tls_module, fast_tls},
		%{tls_module, just_tls},
		%{starttls, true},
		
		%%{zlib, 10000},
		%% https://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
		{ciphers, "TLSv1.2:TLSv1.3"},
		%{ciphers, "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"},
		{access, c2s},
		{shaper, c2s_shaper},
		{max_stanza_size, 65536}
                    
	       ]},

where rootCA.pem is obtained from cat rootCA.crt rootCA.key

{sasl_mechanisms, cyrsasl_external}.

{auth_opts, [
%% Store the plain passwords or hashed for SCRAM:
%% {password_format, scram} % default
%% {password_format, plain}
{password_format, scram}
%% {scram_iterations, 10000} % default

         %%
         %% For auth_http:
         %% {basic_auth, "user:password"}
         %% {path_prefix, "/"} % default
         %% auth_http requires {http, Host | global, auth, ..., ...} outgoing pool.
         %%
         %% For auth_external
         %% {extauth_program, "/path/to/authentication/script"}
         %%
         %% For auth_jwt
         %% {jwt_secret_source, "/path/to/file"},
         %% {jwt_algorithm, "RS256"},
         %% {jwt_username_key, user}
         %%
         %% For cyrsasl_external
         %% {authenticate_with_cn, false}
         %%{cyrsasl_external, standard}
       ,{cyrsasl_external, use_common_name}

	
         %%
         %% For auth_ldap
         %% {ldap_base, "dc=example,dc=com"},
         %% {ldap_filter, "(objectClass=shadowAccount)"},
         %% {ldap_uids, [{"mail", "%[email protected]"}]}.
         
        ]}.

{auth_method, pki}.

server error:
2020-10-15 11:14:24.735 [error] <0.561.0>@cyrsasl:-listmech/1-lc$^0/1-0-:81 Supervisor ejabberd_c2s_sup had child undefined started with {ejabberd_c2s,start_link,undefined} at <0.1578.0> exit with reason no function clause matching cyrsasl:'-listmech/1-lc$^0/1-0-'(cyrsasl_external) line 81 in context child_terminated

Thanks

[chrisatta]

Client connection error
SmackException: No supported and enabled SASL
Mechanism provided by server: Server annunced mechanisms: []

[chrisatta]

No supported and enabled SASL Mechanism provided by server. Server announced mechanisms: [SCRAM-SHA-1, PLAIN]. Registered SASL mechanisms with Smack: [SASL Mech: SCRAM-SHA-1-PLUS, Prio: 100, SASL Mech: SCRAM-SHA-1, Prio: 110, SASL Mech: DIGEST-MD5, Prio: 210, SASL Mech: PLAIN, Prio: 410, SASL Mech: X-OAUTH2, Prio: 410, SASL Mech: ANONYMOUS, Prio: 500, SASL Mech: EXTERNAL, Prio: 510]. Enabled SASL mechanisms for this connection: [EXTERNAL]. Blacklisted SASL mechanisms: [SCRAM-SHA-1-PLUS].10

[Neustradamus]

@janciesla8818, @NelsonVides, @michalwski: Have you seen this ticket?

[DenysGonchar]

SASL EXTERNAL mechanism is filtered out if client certificate is not provided during TLS handshake