Client connections to Openfire fail with: Caused by: javax.net.ssl.SSLException

I am using Openfire version: 4.7.5 with iOS clients.

When iOS clients attempt to connect to Openfire, we are running into SSL exceptions. As per our current Openfire configuration, the STARTTLS policy was set to ‘Required’ with TLSv1.2 as the encryption protocol.

Closing connection due to exception in session: (0x00052A54: nio socket, server, null => 0.0.0.0/0.0.0.0:5222)
org.apache.mina.core.filterchain.IoFilterLifeCycleException: clear(): tls in (0x00052A54: nio socket, server, null => 0.0.0.0/0.0.0.0:5222)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.clear(DefaultIoFilterChain.java:449) [mina-core-2.1.6.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.sessionClosed(DefaultIoFilterChain.java:966) ~[mina-core-2.1.6.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextSessionClosed(DefaultIoFilterChain.java:606) [mina-core-2.1.6.jar:?]
Caused by: org.apache.mina.core.filterchain.IoFilterLifeCycleException: onPreRemove(): tls:SslFilter in (0x00052A54: nio socket, server, null => 0.0.0.0/0.0.0.0:5222)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.deregister(DefaultIoFilterChain.java:487) ~[mina-core-2.1.6.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.clear(DefaultIoFilterChain.java:447) [mina-core-2.1.6.jar:?]
    ... 18 more
Caused by: javax.net.ssl.SSLException: Improper close state: Status = OK HandshakeStatus = NEED_WRAP
bytesConsumed = 0 bytesProduced = 7
    at org.apache.mina.filter.ssl.SslHandler.closeOutbound(SslHandler.java:496) ~[mina-core-2.1.6.jar:?]
    at org.apache.mina.filter.ssl.SslFilter.initiateClosure(SslFilter.java:773) ~[mina-core-2.1.6.jar:?]
    at org.apache.mina.filter.ssl.SslFilter.stopSsl(SslFilter.java:325) ~[mina-core-2.1.6.jar:?]

Once we updated the STARTTLS policy to ‘optional’, the clients are able to connect to Openfire, but then the traffic is not encrypted.
Trying to figure out the root cause in this case, and also what needs to be done to get it working with STARTTLS policy = required.

Some more investigation into this shows that these failures happen during increased load, when clients are logging off and then trying to log in again. Assuming it's related to load, but still not clear why it would end up with: javax.net.ssl.SSLException: Improper close state: Status = OK HandshakeStatus = NEED_WRAP bytesConsumed = 0 bytesProduced = 7