Encrypted s2s not working

I’m trying to get encrypted s2s working (with xmpp.server.certificate.verify=false), but I had no luck so far connecting to any host via TLS. I’m using a cacert.org Class 3 cert, but not even hosts with the same cert-class open up an encrypted connection. I used openfire itself to create the csr, so the certificates should be just fine.

Log looks like this for jabber.org (almost identical to all other hosts):

2007.05.16 21:01:15 OS - Trying to connect to jabber.org:5269(DNS lookup: jabber.org:5269)

2007.05.16 21:01:15 OS - Plain connection to jabber.org:5269 successful

2007.05.16 21:01:15 OS - Indicating we want TLS to jabber.org

2007.05.16 21:01:15 OS - Negotiating TLS with jabber.org

2007.05.16 21:01:16 OS - TLS negotiation with jabber.org was successful

2007.05.16 21:01:16 OS - Error, no SASL mechanisms were offered by jabber.org

2007.05.16 21:01:16 OS - Going to try connecting using server dialback with: jabber.org

2007.05.16 21:01:16 OS - Trying to connect to jabber.org:5269(DNS lookup: jabber.org:5269)

2007.05.16 21:01:16 OS - Connection to jabber.org:5269 successful

2007.05.16 21:01:16 OS - Sent dialback key to host: jabber.org id: 2850154573 from domain: domain.com

2007.05.16 21:01:17 Connect Socket[addr=/208.245.212.98,port=49117,localport=5269]

2007.05.16 21:01:17 RS - Received dialback key from host: jabber.org to: domain.com

2007.05.16 21:01:17 RS - Trying to connect to Authoritative Server: jabber.org:5269(DNS lookup: jabber.org:5269)

2007.05.16 21:01:17 RS - Connection to AS: jabber.org:5269 successful

2007.05.16 21:01:17 RS - Asking AS to verify dialback key for idca2e5204

2007.05.16 21:01:17 RS - Key was VERIFIED by the Authoritative Server for: jabber.org

2007.05.16 21:01:17 RS - Closing connection to Authoritative Server: jabber.org

2007.05.16 21:01:17 RS - Sending key verification result to OS: jabber.org

2007.05.16 21:01:17 AS - Verifying key for host: jabber.org id: 2850154573

2007.05.16 21:01:17 AS - Key was: VALID for host: jabber.org id: 2850154573

2007.05.16 21:01:17 OS - Validation GRANTED from: jabber.org id: 2850154573 for domain: domain.com

2007.05.16 21:02:12 EXCEPTION

java.net.SocketTimeoutException: Read timed out

And another example: The remote host “totalueberwachung.de” is able to connect via TLS to hosts I only get plain working with (no “lock-sign”), although his certificate is self-signed and not even valid anymore (so this is not a trust-problem on my side).

Any ideas whatsoever? It’s really annoying to not get TLS working for s2s.

2007.05.17 15:02:12 OS - Trying to connect to totalueberwachung.de:5269(DNS lookup: totalueberwachung.de:5269)

2007.05.17 15:02:12 OS - Plain connection to totalueberwachung.de:5269 successful

2007.05.17 15:02:12 OS - Indicating we want TLS to totalueberwachung.de

2007.05.17 15:02:12 OS - Negotiating TLS with totalueberwachung.de

2007.05.17 15:02:12 OS - TLS negotiation with totalueberwachung.de was successful

2007.05.17 15:02:13 OS - Error, no SASL mechanisms were offered by totalueberwachung.de

2007.05.17 15:02:13 OS - Going to try connecting using server dialback with: totalueberwachung.de

2007.05.17 15:02:13 OS - Trying to connect to totalueberwachung.de:5269(DNS lookup: totalueberwachung.de:5269)

2007.05.17 15:02:13 OS - Connection to totalueberwachung.de:5269 successful

2007.05.17 15:02:13 OS - Sent dialback key to host: totalueberwachung.de id: m099ob79kx42w0tmuhfo829ephmmb7fy7o7wzf5k from domain: domain.com

2007.05.17 15:02:13 AS - Verifying key for host: totalueberwachung.de id: m099ob79kx42w0tmuhfo829ephmmb7fy7o7wzf5k

2007.05.17 15:02:13 AS - Key was: VALID for host: totalueberwachung.de id: m099ob79kx42w0tmuhfo829ephmmb7fy7o7wzf5k

2007.05.17 15:02:13 OS - Validation GRANTED from: totalueberwachung.de id: m099ob79kx42w0tmuhfo829ephmmb7fy7o7wzf5k for domain: domain.com

2007.05.17 15:02:14 SubjectAltName of invalid type found: [

This is what jabberd says to the connection. Something seems to be seriously broken in openfire:

May 18 08:56:24 bob jabberd14[3777]: 20070518T06:56:24: (s2s-8.jabber.ccc.de): connected to domain.com (unencrypted, no certificate, auth=db, stream=preXMPP)