
[bug] s2s + SSL (self-signed) broken in 3.4.2

I’m going to assume this is a bug, and please correct me if I’m wrong. I don’t want to sound ungrateful, because I appreciate all the time and effort that goes into this product. The reason I’m inclined to think it’s a bug is that no configuration changes were made, and downgrading to 3.4.1 fixed the problem.

This thread is a re-statement of the thread posted here.

I have two Windows 2003 servers running 3.4.1. The two servers are whitelisted to each other, and make an SSL secured connection to one another over the Internet. After upgrading to 3.4.2, the secure connection stopped functioning. No configuration changes were made, just a straight install of openfire_3_4_2.exe on each machine. Encryption is set to “required” on everything. (Client-to-server and server-to-server.) The clients connect to the server just fine, and the SSL admin console is working just fine, however, the server-to-server connection fails. I tried deleting and re-creating certificates on both ends, and many other things detailed in the original post.

On the local (initiator) side, I get this in the error.log:

2007.12.10 15:02:34 [org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:338)
] Error creating secured outgoing session to remote server: jabber.remotedomain.com(DNS lookup: jabber.remotedomain.com:5269)
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at com.sun.net.ssl.internal.ssl.EngineInputRecord.bytesInCompletePacket(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source)
at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:211)
at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:157)
at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:165)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.secureAndAuthenticate(LocalOutgoingServerSession.java:369)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:302)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:143)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:205)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:185)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

and on the target side, I get this in the warn.log:

2007.12.10 14:02:36 Stream error detected. Session: org.jivesoftware.openfire.session.LocalIncomingServerSession@e72f0c status: 1 address: jabber.remotedomain.com/930ffb7 id: 930ffb7
java.lang.RuntimeException: Delegated task threw Exception/Error
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source)
at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:211)
at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:157)
at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:165)
at org.jivesoftware.openfire.net.SocketReadingMode.negotiateTLS(SocketReadingMode.java:72)
at org.jivesoftware.openfire.net.BlockingReadingMode.readStream(BlockingReadingMode.java:126)
at org.jivesoftware.openfire.net.BlockingReadingMode.run(BlockingReadingMode.java:62)
at org.jivesoftware.openfire.net.SocketReader.run(SocketReader.java:119)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NullPointerException
at com.sun.net.ssl.internal.ssl.HandshakeMessage$CertificateRequest.<init>(Unknown Source)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(Unknown Source)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)
at org.jivesoftware.openfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:314)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:224)
... 7 more
2007.12.10 14:02:37 Closing session due to incorrect hostname in stream header. Host: remotedomain.com. Connection: org.jivesoftware.openfire.net.SocketConnection@12eabae socket: Socket[addr=/22.22.22.22,port=1547,localport=5269] session: null

Now, all domain names are correct, all resolution happens just fine on the public DNS from both servers, and all ports are forwarded correctly. I’ll keep my eye on this thread for any updates, but since it’s working in 3.4.1, I don’t consider it critical to my operation.
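Added here as a diagnostic illustration, not code from the original post or from Openfire: a minimal XMPP server-to-server STARTTLS probe that separates the two symptoms in the logs above (a plaintext answer where a TLS record was expected, and a stream error at the stream-header stage). Domain names are placeholders, and the TLS step deliberately skips peer verification because both ends in the post use self-signed certificates, so it reports the negotiation outcome but does not authenticate the peer.

```python
import socket
import ssl

TLS_NS = b"urn:ietf:params:xml:ns:xmpp-tls"

def stream_header(local_domain: str, remote_domain: str) -> bytes:
    """Opening <stream:stream> an initiating server sends (jabber:server namespace)."""
    return (
        "<?xml version='1.0'?><stream:stream xmlns='jabber:server' "
        "xmlns:stream='http://etherx.jabber.org/streams' "
        f"from='{local_domain}' to='{remote_domain}' version='1.0'>"
    ).encode()

def parse_features(data: bytes) -> str:
    """First reply: stream error (the warn.log 'incorrect hostname' case) or STARTTLS status."""
    if b"<stream:error" in data:
        return "stream-error"
    if TLS_NS not in data:
        return "no-starttls"
    return "starttls-required" if b"<required/>" in data else "starttls-optional"

def classify_reply(data: bytes) -> str:
    """Bytes after <starttls/> (or after ClientHello): XML where a TLS record is
    expected is exactly the 'Unrecognized SSL message, plaintext connection?' case."""
    if len(data) >= 3 and 0x14 <= data[0] <= 0x17 and data[1] == 3:
        return "tls-record"  # TLS content type 0x14..0x17, major version 3
    if not data:
        return "closed"
    for tag, label in ((b"<proceed", "proceed"), (b"<failure", "failure"),
                       (b"<stream:error", "stream-error")):
        if tag in data:
            return label
    return "unknown"

def probe(remote_domain: str, local_domain: str, port: int = 5269) -> str:
    """Live check against a real peer; returns the negotiation outcome as a string."""
    with socket.create_connection((remote_domain, port), timeout=10) as sock:
        sock.sendall(stream_header(local_domain, remote_domain))
        state = parse_features(sock.recv(8192))
        if not state.startswith("starttls"):
            return state
        sock.sendall(b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
        reply = classify_reply(sock.recv(8192))
        if reply != "proceed":
            return reply
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # self-signed peers
        with ctx.wrap_socket(sock, server_hostname=remote_domain) as tls:
            return f"tls-ok {tls.version()}"  # a failed handshake raises ssl.SSLError
```

Run as `probe('jabber.remotedomain.com', 'jabber.localdomain.com')` from a host that can reach port 5269; a handshake that fails after `proceed` raises `ssl.SSLError` rather than returning a label.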