javax.net.ssl.SSLException: Unsupported record version Unknown-102.97

Hi all,

My Openfire (3.6.2 Debian) is unable to establish a connection to another Openfire (3.6.1) via SSL. I get the following error messages:

2008.11.27 21:09:44 [org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:360)] Error creating secured outgoing session to remote server: xxx.org(DNS lookup: xxx.org:5269)
javax.net.ssl.SSLException: Unsupported record version Unknown-102.97
at com.sun.net.ssl.internal.ssl.EngineInputRecord.bytesInCompletePacket(EngineInputRecord.java:97)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:748)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:663)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:566)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:214)
at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:160)
at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:169)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.secureAndAuthenticate(LocalOutgoingServerSession.java:391)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:305)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:144)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:239)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:216)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
at java.lang.Thread.run(Thread.java:595)

I have already set xmpp.server.certificate.verif=false, but I also think that checking "Accept self-signed certificates. Server dialback over TLS is now available." in the Security Settings tab has the same effect.

What's wrong here? This looks like a very old issue.

Regards

Flow

Hey Flow,

What’s the error on the other Openfire server? With that information we will know which part of the certificate was not valid to the other server. Enable the debug log to get more information too.

Regards,

– Gato

Looks like a problem with TLS dialback:

debug log from the other server:

2008.11.28 14:08:30 ServerDialback: RS - Received dialback key from host: myopenfire.de to: otheropenfire.org
2008.11.28 14:08:30 ServerDialback: RS - Trying to connect to Authoritative Server: myopenfire.de:5269(DNS lookup: myopenfire.de:5269)
2008.11.28 14:08:34 session 607 timeout
2008.11.28 14:08:34 session 607 sent message PNG

debug log from my server:

2008.11.28 12:30:47 LocalOutgoingServerSession: OS - Trying to connect to otheropenfire.org:5269(DNS lookup: otheropenfire.org:5269)
2008.11.28 12:30:47 LocalOutgoingServerSession: OS - Plain connection to otheropenfire.org:5269 successful
2008.11.28 12:30:47 LocalOutgoingServerSession: OS - Indicating we want TLS to otheropenfire.org
2008.11.28 12:30:47 LocalOutgoingServerSession: OS - Negotiating TLS withotheropenfire.org
2008.11.28 12:30:48 LocalOutgoingServerSession: OS - Going to try connecting using server dialback with: otheropenfire.org
2008.11.28 12:30:49 ServerDialback: OS - Trying to connect to otheropenfire.org:5269(DNS lookup: otheropenfire.org:5269)
2008.11.28 12:30:49 ServerDialback: OS - Connection to otheropenfire.org:5269 successful
2008.11.28 12:30:49 ServerDialback: OS - Sent dialback key to host: otheropenfire.org id: 3be3f18f from domain: myopenfire.de

I think the DNS lookup for myopenfire.de is wrong, because I run Openfire on another host, via an SRV RR openfire.myopenfire.de:5926 via _xmpp-server._tcp.myopenfire.de in the zone file.

Could this be the reason?
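
Added example (not part of the original thread, and not Openfire or JSSE code): JSSE reports a record version it does not recognise as Unknown-<major>.<minor>, and 102 and 97 are the ASCII codes for 'f' and 'a'. The Python below decodes that string and classifies the first bytes of a buffer as a TLS record header or as text; the function names and both sample byte strings are constructed for illustration, and reading the version bytes as text is an inference from the numbers that the thread does not confirm.

```python
import re

# Content types defined for the TLS record layer.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

def decode_unknown_version(message):
    """Extract the two version bytes from a JSSE 'Unknown-<major>.<minor>' string."""
    m = re.search(r"Unknown-(\d+)\.(\d+)", message)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    raw = bytes([major, minor])
    printable = all(0x20 <= b < 0x7F for b in raw)
    return {"major": major, "minor": minor,
            "ascii": raw.decode("ascii") if printable else None,
            # SSL 3.0 through TLS 1.3 all use major version 3.
            "plausible_tls": major == 3 and minor <= 4}

def classify_record_header(data):
    """Classify the first bytes read where a TLS record header was expected."""
    if len(data) < 5:
        return "incomplete"
    ctype, major, minor = data[0], data[1], data[2]
    length = int.from_bytes(data[3:5], "big")
    if ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4:
        return f"tls record: {TLS_CONTENT_TYPES[ctype]}, version 3.{minor}, length {length}"
    if all(b in (0x09, 0x0A, 0x0D) or 0x20 <= b < 0x7F for b in data[:5]):
        return "not tls: printable text " + repr(data[:5].decode("ascii"))
    return f"not tls: type {ctype}, version {major}.{minor}"

# Error string as quoted in the thread.
ERROR = "javax.net.ssl.SSLException: Unsupported record version Unknown-102.97"
# Constructed samples, not captured from either server: a TLS 1.0 handshake
# record header, and an XML fragment whose 2nd and 3rd bytes are 'f' and 'a'.
SAMPLE_TLS = bytes.fromhex("160301004a")
SAMPLE_TEXT = b"<failure xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"

if __name__ == "__main__":
    print(decode_unknown_version(ERROR))
    print(classify_record_header(SAMPLE_TLS))
    print(classify_record_header(SAMPLE_TEXT))
```

Running the same classification over the first bytes of a packet capture taken on port 5269 right after STARTTLS is requested shows whether the peer answered with a TLS record or with text.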