Jive 2.3.0 require security + old SSL

I've got Jive 2.3.0 running with "Client Connection Security" set to "required". Users can connect to port 5222 using TLS, like they should. Users cannot connect to port 5223 using the old SSL method. Is there a possible issue where setting client connection security to "required" is actually requiring TLS on all client connections, including the old SSL port?

Update: Some clients actually work fine. I think there is probably no issue regarding the Jive code… PSI works, but neither Gaim nor Trillian do.

I get the following exception in the debug log:

2005.11.22 11:10:22 Error creating session
javax.net.ssl.SSLException: Unsupported SSL v2.0 ClientHello
    at com.sun.net.ssl.internal.ssl.InputRecord.handleUnknownRecord(InputRecord.java:453)
    at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:343)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:720)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:675)
    at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:75)
    at sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:411)
    at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:453)
    at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:183)
    at java.io.InputStreamReader.read(InputStreamReader.java:167)
    at org.xmlpull.mxp1.MXParser.fillBuf(MXParser.java:2971)
    at org.xmlpull.mxp1.MXParser.more(MXParser.java:3025)
    at org.xmlpull.mxp1.MXParser.parseProlog(MXParser.java:1410)
    at org.xmlpull.mxp1.MXParser.nextImpl(MXParser.java:1395)
    at org.xmlpull.mxp1.MXParser.next(MXParser.java:1093)
    at org.jivesoftware.messenger.net.SocketReader.createSession(SocketReader.java:488)
    at org.jivesoftware.messenger.net.SocketReader.run(SocketReader.java:106)
    at java.lang.Thread.run(Thread.java:595)

I guess I'll have to look into this further…
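An added diagnostic example, not code from the thread or from Jive: the exception above is raised when a client opens the legacy port with an SSLv2-format ClientHello, which JSSE accepts only when the SSLv2Hello pseudo-protocol is among the server socket's enabled protocols. The classifier below reads the first bytes a client sends on port 5223 and reports whether they form a v2-format hello or a plain SSLv3/TLS handshake record, so failing clients can be told apart from working ones on the wire. The sample byte strings are constructed for the example.

```python
import struct

def classify_client_hello(data: bytes) -> dict:
    """Describe the handshake format of `data`, the first bytes a client sent."""
    if len(data) < 5:
        return {"format": "unknown", "reason": "too short"}
    b0, b1, b2 = data[0], data[1], data[2]
    # SSLv2 record header: 2 bytes, high bit of the first byte set,
    # followed by msg_type 0x01 (CLIENT-HELLO). This is the shape the
    # JSSE "Unsupported SSL v2.0 ClientHello" check looks for.
    if b0 & 0x80 and b2 == 0x01:
        record_length = ((b0 & 0x7F) << 8) | b1
        if len(data) < 11:
            return {"format": "sslv2_client_hello", "reason": "truncated"}
        major, minor, cs_len, sid_len, ch_len = struct.unpack("!BBHHH", data[3:11])
        specs = data[11:11 + cs_len]
        # SSLv2 cipher specs are 3 bytes each; SSLv3/TLS suites carried
        # inside a v2 hello have a leading 0x00 byte.
        ciphers = [specs[i:i + 3] for i in range(0, len(specs) // 3 * 3, 3)]
        return {
            "format": "sslv2_client_hello",
            "record_length": record_length,
            "max_version": (major, minor),   # e.g. (3, 1) = TLS 1.0 offered
            "cipher_specs": [c.hex() for c in ciphers],
            "session_id_length": sid_len,
            "challenge_length": ch_len,
        }
    # SSLv3/TLS record: content type 0x16 (handshake), 2-byte version,
    # 2-byte length, then handshake type 0x01 (client_hello).
    if b0 == 0x16 and b1 == 0x03 and b2 <= 0x03:
        record_length = struct.unpack("!H", data[3:5])[0]
        hs_type = data[5] if len(data) > 5 else None
        return {
            "format": "tls_client_hello" if hs_type == 0x01 else "tls_record",
            "record_length": record_length,
            "version": (b1, b2),
        }
    return {"format": "unknown", "reason": "not an SSL/TLS handshake"}

# Constructed samples: a v2-format hello offering TLS 1.0 with two cipher
# specs and a 16-byte challenge, and the start of a TLS 1.0 ClientHello record.
SSLV2_HELLO = bytes.fromhex("801f" "01" "0301" "0006" "0000" "0010"
                            "000004" "000005" + "00" * 16)
TLS_HELLO = bytes.fromhex("1603010031010000")

if __name__ == "__main__":
    for sample in (SSLV2_HELLO, TLS_HELLO, b"<stream:stream"):
        print(classify_client_hello(sample))
```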

Hey Keith,

Trillian and Gaim (on Windows) require an RSA certificate. By default keytool generates DSA certificates. Make sure that your keystore contains both DSA and RSA certificates. Use the "-keyalg RSA" setting when creating the certificate to create an RSA certificate.

Regards,

– Gato

I am using a single RSA certificate. I have no DSA certs in the keystore. Perhaps Trillian and Gaim use DSA certs? Gaim and Trillian both connect just fine using TLS on port 5222. I had been using Jabberd2 with just an RSA certificate and all clients could connect correctly - maybe Jabberd2 was doing some openssl work to convert the cert? I'm using the same certificate as I had been with Jabberd2…

I'll try converting the cert to DSA, assuming I can, and importing that to see if it helps…

Well, apparently openssl has no way of converting an RSA key to DSA… I'll see if I can get our CA to sign a cert request from a DSA key for me…