[bug] dialback broken in 3.7.0

After upgrading from 3.6.4 to 3.7.0, I’m unable to send messages to a remote system which was previously working (ee.washington.edu). The following is written to warn.log:

2011.03.04 15:00:37 Error trying to connect to remote server: washington.edu(DNS lookup: washington.edu:5269)

java.net.ConnectException: Connection refused

at java.net.PlainSocketImpl.socketConnect(Native Method)

at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)

at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)

at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)

at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)

at java.net.Socket.connect(Socket.java:525)

at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:278)

at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:208)

at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:261)

at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:238)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)

at java.lang.Thread.run(Thread.java:619)

Using tcpdump, I see that my system establishes a connection to the correct system, and then closes the socket, establishes a second connection and closes that socket. The remote system then establishes a connection to my server, which my server then closes.


Debug log:

2011.03.04 15:45:53 LocalOutgoingServerSession: OS - Trying to connect to ee.washington.edu:5269(DNS lookup: cerf.ee.washington.edu:5269)

2011.03.04 15:45:53 Exiting since queue is empty for /173.14.255.101:39155

2011.03.04 15:45:53 LocalOutgoingServerSession: OS - Plain connection to ee.washington.edu:5269 successful

2011.03.04 15:45:53 LocalOutgoingServerSession: OS - Indicating we want TLS to ee.washington.edu

2011.03.04 15:45:53 LocalOutgoingServerSession: OS - Negotiating TLS with ee.washington.edu

2011.03.04 15:45:53 LocalOutgoingServerSession: Handshake error while creating secured outgoing session to remote server: ee.washington.edu(DNS lookup: cerf.ee.washington.edu:5269)

javax.net.ssl.SSLHandshakeException: General SSLEngine problem

2011.03.04 15:45:53 LocalOutgoingServerSession: OS - Going to try connecting using server dialback with: ee.washington.edu

2011.03.04 15:45:53 ServerDialback: OS - Trying to connect to ee.washington.edu:5269(DNS lookup: cerf.ee.washington.edu:5269)

2011.03.04 15:45:53 ServerDialback: OS - Connection to ee.washington.edu:5269 successful

2011.03.04 15:45:53 ServerDialback: OS - Sent dialback key to host: ee.washington.edu id: 5b589264 from domain: dragonsdawn.net

2011.03.04 15:45:53 ServerDialback: OS - Unexpected answer in validation from: ee.washington.edu id: 5b589264 for domain: dragonsdawn.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"></stream:features>

So it looks like the destination domain has some sort of bad certificate, and dialback is no longer compatible between the two systems after I upgraded to 3.7.0.

Under Server -> Server Settings -> Security Settings -> Server Connection Security, I have enabled “Accept self-signed certificates…” This did not resolve the problem.

After further testing, I’ve found that 3.7.0 will not successfully negotiate dialback connections with other systems also running 3.7.0. These connections also log an error like:

2011.03.04 15:45:53 ServerDialback: OS - Unexpected answer in validation from: ee.washington.edu id: 5b589264 for domain: dragonsdawn.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"></stream:features>

OF-443

If you back out revision 11784, the bug won’t be triggered. I think this needs a better long-term fix, but this’ll do for most users for now. Apply that change in reverse:

Index: trunk/src/java/org/jivesoftware/openfire/server/ServerDialback.java

===================================================================

diff -u -N -r11388 -r11784

— trunk/src/java/org/jivesoftware/openfire/server/ServerDialback.java (…/ServerDialback.java) (revision 11388)

+++ trunk/src/java/org/jivesoftware/openfire/server/ServerDialback.java (…/ServerDialback.java) (revision 11784)

@@ -194,35 +194,35 @@

  • Creates a new connection from the Originating Server to the Receiving Server for

  • authenticating the specified domain.

  • * @param domain domain of the Originating Server to authenticate with the Receiving Server.
    
  • * @param hostname IP address or hostname of the Receiving Server.
    
  • * @param localDomain domain of the Originating Server to authenticate with the Receiving Server.
    
  • * @param remoteDomain IP address or hostname of the Receiving Server.
    
  • @param port port of the Receiving Server.

  • @return an OutgoingServerSession if the domain was authenticated or null if none.

*/

  • public LocalOutgoingServerSession createOutgoingSession(String domain, String hostname, int port) {

  •    String realHostname = null;
    
  • public LocalOutgoingServerSession createOutgoingSession(String localDomain, String remoteDomain, int port) {

  •    String hostname = null;
    

int realPort = port;

try {

// Establish a TCP connection to the Receiving Server

Socket socket = new Socket();

// Get a list of real hostnames to connect to using DNS lookup of the specified hostname

  •        List<DNSUtil.HostAddress> hosts = DNSUtil.resolveXMPPDomain(hostname, port);
    
  •        List<DNSUtil.HostAddress> hosts = DNSUtil.resolveXMPPDomain(remoteDomain, port);
    

for (Iterator<DNSUtil.HostAddress> it = hosts.iterator(); it.hasNext():wink: {

try {

DNSUtil.HostAddress address = it.next();

  •                realHostname = address.getHost();
    
  •                hostname = address.getHost();
    

realPort = address.getPort();

  •                Log.debug("ServerDialback: OS - Trying to connect to " + hostname + ":" + port +
    
  •                        "(DNS lookup: " + realHostname + ":" + realPort + ")");
    
  •                Log.debug("ServerDialback: OS - Trying to connect to " + remoteDomain + ":" + port +
    
  •                        "(DNS lookup: " + hostname + ":" + realPort + ")");
    

// Establish a TCP connection to the Receiving Server

  •                socket.connect(new InetSocketAddress(realHostname, realPort),
    
  •                socket.connect(new InetSocketAddress(hostname, realPort),
    

RemoteServerManager.getSocketTimeout());

  •                Log.debug("ServerDialback: OS - Connection to " + hostname + ":" + port + " successful");
    
  •                Log.debug("ServerDialback: OS - Connection to " + remoteDomain + ":" + port + " successful");
    

break;

}

catch (Exception e) {

  •                Log.warn("Error trying to connect to remote server: " + hostname +
    
  •                        "(DNS lookup: " + realHostname + ":" + realPort + ")", e);
    
  •                Log.warn("Error trying to connect to remote server: " + remoteDomain +
    
  •                        "(DNS lookup: " + hostname + ":" + realPort + ")", e);
    

}

}

connection =
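
Review bot: the Javadoc for remoteDomain still reads "IP address or hostname of the Receiving Server", but after this rename remoteDomain is the value handed to DNSUtil.resolveXMPPDomain and the DNS-resolved host lives in the local variable hostname. Suggest documenting remoteDomain as the XMPP domain of the Receiving Server, and picking a name other than hostname for the DNS result: the same identifier was the parameter before this revision, so the "(DNS lookup: " + hostname + ...)" messages are easy to misread when comparing old and new code.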

@@ -234,7 +234,10 @@

stream.append("<stream:stream");

         stream.append(" xmlns:stream=\"[http://etherx.jabber.org/streams](http://etherx.jabber.org/streams)\"");

stream.append(" xmlns=“jabber:server”");

  •        stream.append(" xmlns:db=\"jabber:server:dialback\">");
    
  •        stream.append(" to=\"").append(remoteDomain).append("\"");
    
  •        stream.append(" from=\"").append(localDomain).append("\"");
    
  •        stream.append(" xmlns:db=\"jabber:server:dialback\"");
    
  •        stream.append(" version=\"1.0\">");
    

connection.deliverRawText(stream.toString());

// Set a read timeout (of 5 seconds) so we don’t keep waiting forever
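
Review bot: adding version="1.0" to the dialback stream header changes what the peer sends back, and nothing in this hunk changes how the reply is read. The debug log earlier in the thread shows the effect: the answer handed to validation is a stream:features element and is logged as "Unexpected answer in validation". Either leave the version attribute off this header or consume the features element before waiting for the dialback result. Separately, remoteDomain and localDomain are appended into the to and from attributes unescaped; validate or escape them before the string reaches deliverRawText.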

@@ -255,13 +258,13 @@

socket.setSoTimeout(soTimeout);

String id = xpp.getAttributeValue("", “id”);

OutgoingServerSocketReader socketReader = new OutgoingServerSocketReader(reader);

  •            if (authenticateDomain(socketReader, domain, hostname, id)) {
    
  •            if (authenticateDomain(socketReader, localDomain, remoteDomain, id)) {
    

// Domain was validated so create a new OutgoingServerSession

StreamID streamID = new BasicStreamIDFactory().createStreamID(id);

  •                LocalOutgoingServerSession session = new LocalOutgoingServerSession(domain, connection, socketReader, streamID);
    
  •                LocalOutgoingServerSession session = new LocalOutgoingServerSession(localDomain, connection, socketReader, streamID);
    

connection.init(session);

// Set the hostname as the address of the session

  •                session.setAddress(new JID(null, hostname, null));
    
  •                session.setAddress(new JID(null, remoteDomain, null));
    

return session;

}

else {
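
Review bot: the comment "// Set the hostname as the address of the session" above session.setAddress(...) is stale after the rename. The value passed is now remoteDomain, while hostname is used elsewhere in this diff for the DNS-resolved host. Suggest rewording it to say the remote domain is set as the session address.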

@@ -279,17 +282,17 @@

}

}

catch (IOException e) {

  •        Log.debug("ServerDialback: Error connecting to the remote server: " + hostname + "(DNS lookup: " +
    
  •                realHostname + ":" + realPort + ")", e);
    
  •        Log.debug("ServerDialback: Error connecting to the remote server: " + remoteDomain + "(DNS lookup: " +
    
  •                hostname + ":" + realPort + ")", e);
    

// Close the connection

if (connection != null) {

connection.close();

}

}

catch (Exception e) {

  •        Log.error("Error creating outgoing session to remote server: " + hostname +
    
  •        Log.error("Error creating outgoing session to remote server: " + remoteDomain +
    

"(DNS lookup: " +

  •                realHostname +
    
  •                hostname +
    

“)”,

e);

// Close the connection
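
Review bot: the Log.error call in the catch (Exception e) branch prints "(DNS lookup: " + hostname + ")" without the port, while the Log.debug in the catch (IOException e) branch just above prints hostname + ":" + realPort. Suggest adding ":" + realPort here as well so the messages can be matched up in the logs. Note also that hostname is initialised to null at the top of the method, so both messages print "null" when the failure happens before an address has been resolved.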

Gordon, please attach it as a patch file (via advanced mode editor), as it is hard to copy code from the forums page.

The patch can be found here:

http://fisheye.igniterealtime.org/rdiff/openfire/trunk/src/java/org/jivesoftware/openfire/server/ServerDialback.java?r1=11388&r2=11784&u&N

Apply in reverse.

… Though I’m mostly sure that only this section of the patch is causing the problem:
R11784.patch.zip (509 Bytes)

I’ve confirmed that removing " version=1.0" only (rather than backing out all of R11784) will fix this problem.
openfire-of443.patch.zip (472 Bytes)

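
The failure in the debug log, reduced to the protocol level, as an added example (not from this thread and not Openfire code): a stream header that advertises version="1.0" makes the peer send stream features before the dialback answer, so a validator that takes the first stream child as the answer fails. The function name, the `skip_features` switch and the sample bytes are constructed for illustration.

```python
import xml.etree.ElementTree as ET

STREAMS_NS = "http://etherx.jabber.org/streams"
DIALBACK_NS = "jabber:server:dialback"


def dialback_outcome(received: bytes, skip_features: bool) -> str:
    """Classify what a peer sent back after our stream header and dialback key.

    skip_features=False models the behaviour seen in the debug log: the first
    child of the stream is taken to be the dialback answer.
    skip_features=True tolerates <stream:features/>, which a peer sends first
    when the stream header advertised version="1.0".
    """
    parser = ET.XMLPullParser(events=("start", "end"))
    parser.feed(received)  # the <stream:stream> root stays open, as on the wire
    depth = 0
    for event, elem in parser.read_events():
        if event == "start":
            depth += 1
            continue
        depth -= 1
        if depth != 1:  # only direct children of <stream:stream> are answers
            continue
        if elem.tag == f"{{{DIALBACK_NS}}}result":
            return "valid" if elem.get("type") == "valid" else "invalid"
        if elem.tag == f"{{{STREAMS_NS}}}features" and skip_features:
            continue
        return "unexpected: " + elem.tag.split("}")[-1]
    return "incomplete"


# Constructed sample of a peer's reply; the domains and stream id come from
# the debug log in this thread, everything else is made up for the example.
HEADER = (b"<stream:stream xmlns:stream='http://etherx.jabber.org/streams' "
          b"xmlns='jabber:server' xmlns:db='jabber:server:dialback' "
          b"id='5b589264' version='1.0'>")
FEATURES = (b"<stream:features>"
            b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
            b"</stream:features>")
RESULT = b"<db:result from='ee.washington.edu' to='dragonsdawn.net' type='valid'/>"

if __name__ == "__main__":
    for skip in (False, True):
        print(skip, dialback_outcome(HEADER + FEATURES + RESULT, skip))
```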

Is a new release of Openfire possible to resolve this problem?

I think

Any news? Any plans for a patch release to fix this bug?

Don’t know if it helps at all… but I have both of our Openfire servers communicating with each other through the Kraken IM gateway… not as much functionality… but user to user seems to work fine as long as groups are set up properly.

Is there a way to patch a Windows install for this?

I can’t believe something like this would get broken in a new release…

Pardon my ignorance, but how does one go about applying this patch? I’m using Openfire 3.7.0 on Debian and to “upgrade”, we typically just download the .tar.gz file, extract it, copy over config and cert info, shut down current service, reassign the symbolic link, and restart the service. This is my first foray into administrating a Linux app so I have no clue how to apply this patch.

Any documentation or help would be greatly appreciated.

-dweez

This is not a patch for the installed program, but for the source code. So it has to be compiled. Maybe someone will attach the recompiled binary (openfire.jar) here. Then you will be able to replace this jar in your installation (/openfire/lib/).

That would be great if someone would do that.

/me gives puppy dog eyes as he requests it

-dweez

Here you go. But use it at your own risk, I didn’t test it, though it really just removes a line with the 1.0 version declaration in ServerDialback.java. Hope that helps and that it only needs openfire.jar to replace.
openfire.jar (7195579 Bytes)

Meh, I tried it out and it didn’t work. I’ll probably eventually roll back to 3.6.4 and wait to see if 3.7.1 resolves it. Thanks wroot.

-dweez

Thanks wroot, I tried it as well and was not able to get it to work. I still have the same problem I had with 3.7.0, that is, the server can’t seem to handle outgoing connections with another server (running 3.7.0 or 3.7.1 as well). I tried connecting to a 3.6.4 and the server sessions showed both incoming and outgoing traffic, but nothing seemed to actually go out (or was not received by the client at the other end). I was hoping to only need to downgrade one server to 3.6.4, but it looks like I will need to do both on this version.

Thanks for building this though! I will probably keep trying to test some things in case I missed something.