Issues with IMO

Dear All,

We have an Openfire server with around 2,500 users that has been running fine except that at times we have suffered connectivity problems from the Android XMPP client IMO (https://imo.im/).

Currently anyone trying to access our Openfire server from IMO will get an “Incorrect username and/or password” error (even after typing correct credentials).

Although the SSL certificate seems to be properly installed (and other apps work fine: Spark, Pidgin, Adium, Messages, iChat, IM+, etc…) there might be something that’s not fully compatible with IMO and we would like to find out. We’ve contacted IMO in the past to no avail so we’re trying to do the debugging from our end.

Information about our environment:

  • OS: CentOS 6.4 x86_64
  • DB: MySQL 5.1.69
  • Security settings: same results with “Optional” and “Required” on http://our-server:9090/ssl-settings.jsp
  • Server certs: 1 RSA signed by a CA and valid and 2 self signed (we tried deleting the self-signed but they seem to be valid)
  • sasl.mechs: CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL,ANONYMOUS

This is the error shown on warn.log every time someone tries to connect from IMO:

2013.08.01 11:07:04 org.jivesoftware.openfire.nio.NIOConnection - Error retrieving client certificates of: org.jivesoftware.openfire.session.LocalClientSession@22d8cce3 status: 1 address: im.music-group.com/24bb33c4 id: 24bb33c4 presence:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
      at sun.security.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
      at org.jivesoftware.openfire.nio.NIOConnection.getPeerCertificates(NIOConnection.java:168)
      at org.jivesoftware.openfire.net.SASLAuthentication.doExternalAuthentication(SASLAuthentication.java:528)
      at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:245)
      at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:179)
      at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:181)
      at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
      at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
      at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
      at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
      at org.apache.mina.common.IoFilterAdapter.messageReceived(IoFilterAdapter.java:80)
      at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
      at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
      at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
      at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
      at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:185)
      at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
      at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
      at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
      at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:239)
      at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:283)
      at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
      at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
      at java.lang.Thread.run(Unknown Source)

Debugging through openssl shows:

$ openssl s_client -connect im.our-company.com:5222 -starttls xmpp
CONNECTED(00000003)

$ openssl s_client -connect im.our-company.com:5223
CONNECTED(00000003)
depth=2 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0

Certificate chain
 0 s:/O=*.our-company.com/OU=Domain Control Validated/CN=*.our-company.com
   i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
 1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
 4 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com

Server certificate


subject=/O=*.our-company.com/OU=Domain Control Validated/CN=*.our-company.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287

No client certificate CA names sent

SSL handshake has read 6412 bytes and written 288 bytes

New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 51F9FCC1BCD22236448D7E1907E3B860F6D6F5C2A8456172D0E5B15A19EC6FE1
    Session-ID-ctx:
    Master-Key: B3632F67DB3D522D98E345A20C8360D5E4701034EBC7EAEE11577316B607A01E190133E890CE907C2EB2BCEFF034B72C
    Key-Arg   : None
    Start Time: 1375337798
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

I’ve been researching online but did not find much stuff related to this. Could anyone recommend next troubleshooting steps or links to relevant documentation? I’ve already read the following (to no avail):

http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/ssl-guide.html

Thank you so much
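A small checker, added here as an example and not part of the original post or of Openfire, that parses the `openssl s_client` chain output quoted above and flags what that output shows: self-signed roots sent in the chain, the same CA subject sent twice, a chain that keeps going past a self-signed entry, and the absence of client-certificate CA names. The sample input is constructed from the post's output with the issuer DNs abbreviated.

```python
import re

# Constructed sample, abbreviated from the openssl s_client output in the post:
# entry 2 is a self-signed Go Daddy root, entry 3 the same root cross-signed by ValiCert.
SAMPLE = """\
depth=2 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
Certificate chain
 0 s:/O=*.our-company.com/OU=Domain Control Validated/CN=*.our-company.com
   i:/C=US/O=GoDaddy.com, Inc./CN=Go Daddy Secure Certification Authority
 1 s:/C=US/O=GoDaddy.com, Inc./CN=Go Daddy Secure Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
 3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./CN=http://www.valicert.com/
 4 s:/L=ValiCert Validation Network/O=ValiCert, Inc./CN=http://www.valicert.com/
   i:/L=ValiCert Validation Network/O=ValiCert, Inc./CN=http://www.valicert.com/
No client certificate CA names sent
"""

# Each chain entry is a " N s:<subject>" line followed by an "   i:<issuer>" line.
CHAIN_RE = re.compile(r"^\s*(\d+)\s+s:(.*)\n\s*i:(.*)$", re.M)


def parse_chain(output):
    # Returns [(position, subject, issuer)] in the order the server sent them.
    return [(int(n), s.strip(), i.strip()) for n, s, i in CHAIN_RE.findall(output)]


def verify_errors(output):
    # Every "verify error:num=N:message" line the verify callback printed.
    return [(int(m.group(1)), m.group(2).strip())
            for m in re.finditer(r"verify error:num=(\d+):(.*)", output)]


def chain_findings(output):
    # Anomalies an operator should look at on the server side before blaming the client.
    chain, findings = parse_chain(output), []
    roots = [i for i, s, iss in chain if s == iss]
    if roots:
        findings.append("self-signed certificates at positions %s" % roots)
    if roots and roots[0] < chain[-1][0]:
        findings.append("chain continues past self-signed entry %d" % roots[0])
    subjects = [s for _, s, _ in chain]
    for s in sorted({s for s in subjects if subjects.count(s) > 1}):
        findings.append("subject sent more than once: %s" % s)
    for (i, _, iss), (_, s2, _) in zip(chain, chain[1:]):
        if iss != s2:
            findings.append("entry %d issuer != entry %d subject" % (i, i + 1))
    if "No client certificate CA names sent" in output:
        findings.append("server sent no client-certificate CA names")
    return findings
```

Feed it the real output with `chain_findings(open("s_client.txt").read())` to get the same list for your own server.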