powered by Jive Software

Login issues since Spark 2.8.0

As Spark 2.8.0 is using the latest version of Smack (4.x), it became obvious that many users are having incorrect setups. Some are using IP address to login to the server, some use server’s hostname, which doesn’t match their Openfire server’s xmpp domain name. As Smack 4.x is more secure, it is not allowing a connection when TLS certificate seems invalid. This is not a bug, but a security improvement in Smack and Spark which should have been there from the beginning. One can workaround this, by rolling back to 2.7.7 version (which is still using 4 years old Smack 3.x version). But starting with Openfire 4.1.0 you might hit the same problem again, because of changes in this Openfire version. So, we encourage users to fix their setups instead.

How it works:

Say you have a PC called “Junk”. You install Openfire on it. When going through web setup it usually suggest calling your domain the same - “Junk”. But say you change it to “MyIMserver”. You create a user “john”. In XMPP username consists of username@domain. So in that case you should be logging into Openfire with john@myimserver. But that won’t automatically work, if you have no DNS with that name pointing to your “Junk” machine. More so, when Openfire is finishing its setup it automatically generates TLS certificates with the domain name, in our case - myimserver. If you want to login to a server in a client using secure encrypted TLS connection, a client is checking certificates provided by the server and it checks if domain name matches, if certificate is not expired, etc. So if you are trying to login with john@IP or john@junk, it will see that certificate is for the myimserver domain, but you are trying to login to junk or some 192.168.1.1 server. This is not matching and the client (Spark in this case) is protecting you from malicious connection.

What to do:

You have to use your Openfire’s domain name as a server in the client. Spark currently has no visual GUI to let your add an exception like internet browsers do, so it silently drops the connection. There are two ways:

  1. DNS - the best way is to have some sort of DNS and add an entry there, which should point myimserver name to that PC. Say CNAME or HOST A "myimserver’ pointing to 192.168.1.1. DNS is better, because if server’s IP changes, you don’t have to change settings on every client. You just modify the DNS entry.
  2. If you don’t know what DNS is, can’t modify it, etc. You can put myimserver as a Server on Spark’s login screen, then press Advanced button, uncheck Automatically detect host and port. Put 192.168.1.1 into Host field. Make sure that Accept all certificates is checked (this option allows usage of self-signed certificates, which are default ones generated by Openfire). Press OK. Try to login.

You can download older versions of Spark by substituting version number in the download url, say 2.7.7 exe with java: Ignite Realtime: Download Landing

Or you can use 2.8.1 which has an option (in the Advanced menu on the Login screen) to disable certificate hostname verification. But keep in mind that this will make your client vulnerable to certificate spoofing attack.

1 Like

It would be great to explicitly state during installation that the server’s domain name is actually the FQDN and NOT just the DNS domain the server belongs to.

1 Like

Is there a way to change the Openfire server’s hostname if it was set up without the fully qualified domain name? (example: “Host Name: srv-Chat”).

Additionally, can you provide more information on replacing the self-signed certificate with a real SSL certificate?

I have never done this myself, but there is a guide in the documentation (it is probably a bit old) Openfire: SSL Guide

I think the best way of changing Openfire’s xmpp domain name is by rerunning the setup (it shouldn’t harm the database, but as you will specify the new name, it should change all the users, etc. automatically). But i haven’t tried that myself, or have tried this many years ago and can’t say whether it will work with the current version.

Also, i’m not sure about the requirement for FQDN. Maybe, if you want to use it inside and outside of your network. For me just myimserver works just fine in the LAN, when my DNS domain is actually something.local (completely unrelated). I mean, it doesn’t have to be myimserver.local or like that. Most important is that your certificates hostname matches the name (domain) of your Openfire.

When configuring the server, the admin requires to enter a domain name. We entered domain.com. Our server (and DNS A record) is jabber.domain.com. This caused a login problem when we tried Spark 2.8. My comment was regarding the English used during the setup process.

Can’t give a definitive answer to this (a bit out of scope of my expertize). Yes, most of users probably would want to login to chat.domain.com as their main domain.com could be a website/email/etc. But some may want to login to just domain.com and use it as a primary point for their chat server. So, i guess you should put into this field what fits your needs. Although the tooltip suggest using hostname or IP address, which is not right.

In your case you might want to look into SRV records. Say this is what our server here uses Check DNS SRV records for XMPP In Spark i just login to igniterealtime.org (without specifying a connect host) and it takes me to xmpp.igniterealtime.org. Not sure how it will work in LAN (or LAN and NAT/WAN scenarios). Though this would still involve users changing their “Server” from jabber.domain.com to domain.com. But at least they wouldn’t need to disable certificate hostname checking or input connect hostname in the Advanced settings.

My users login with an IP address since most of my users are outside my local network so how do I go about fixing this certificate issue for my scenario?

Second option in this document. Or use 2.7.7, or use test build with disabled certificate hostname checking.

You can also try naming your Openfire server as your IP and generate certificates for such name, but that doesn’t feel right and I’m not sure if this will work. Maybe certificate can’t be issued to an IP, so the check will still fail.

guys, needs help… still invalid username and password problem… i downgraded my spark from 2.8 to 2.7.7…

I can remote config my openfire in browser (wherein, Openfire is a virtual pc). Please help… thankss…

If you are getting such error with 2.7.7 version, then this is a different problem, not related to issue discussed in this document. Post a new topic in the forums and provide information on what you put into server field in Spark and how are you accessing Openfire from the Internet.

There are a couple of “names” that come into play here. Let me elaborate a little:

First, there’s the XMPP domain name. This is the name under which your XMPP domain will be known. users on your domain will get a JID that includes this name. For example, user ‘john’ on XMPP domain ‘example.org’ will have for a JID: ‘john@example.org’.

Second, there’s the fully qualified domain name of the server that is running Openfire. This is a more low-leven network address. Users typically need not know this address. FQDN values can be IP addresses, but you’ll avoid lots of issues when you use a domain name instead (you should prefer “chatserver22.example.org” over “203.0.113.1”).

To illustrate the difference, imagine a cluster of Openfire servers. Each of the servers are part of the same XMPP domain (their XMPP domain name is the same), but each will have a distinct fully qualified domain name.

There are a couple of confusing bits:

  • Terminology in Openfire and Spark is not consistent. Sometimes, “server name” refers to the XMPP domain name, sometimes it refers to the fully qualified domain name of the server.
  • It is perfectly valid for the XMPP domain name and the FQDN of the server to be the same.
  • The implementation of various clients and libraries are gradually being improved, security-wise. This leads to situations in which a configuration worked for older versions of software won’t work any longer after upgrades.
  • Openfire does a poor job of determining its fully qualified domain name of the server (typically, the hostname is used instead).

When you log in with a client (such a Spark), you’ll provide your username and your XMPP domain name: the two parts that make up the JID (some clients ask you for the JID instead of both a username and domain - it’s basically the same thing). A password is provided too, obviously.

Based on the XMPP domain name that you provided, your client will start to determine to what host it needs to connect:

  1. It will attempt to do a DNS SRV lookup, which is a specialized DNS query that is used to determine what servers in a domain provide a particular service (in our case: an XMPP service).
  2. If no DNS SRV records are available, the client will assume that your server is reachable on a network address that is equal to your XMPP domain name.
    In most clients, you can override this routine by explicitly defining a “connect host”. In Spark, you do this by using the “advanced” button on the login screen. There, you’ll be able to disable the automatic detection of the host, and provide one yourself instead.

(Note: the following is true for most Openfire versions up to the one that’s most recent at the time of writing - openfire 4.0.3, but might change in the future): To find out what the configured XMPP domain name and fully qualified domain name of your Openfire server is, log into the admin console. After logging in, they’re both presented on the first page that you see. In the box named “server properties”, there’s a value for “server name”. That’s your XMPP domain name. There’s also a box named “environment”, that has a value for “host name”. That is what Openfire thinks is your fully qualified domain name.

To change the XMPP domain name of your Openfire server, re-run setup. You should generally not do this on a server that has already been in use: the change will affect all registered users - they’ll get new JIDs, which means that they’re not reachable any longer under their old JIDs.

To change the fully qualified domain name of your Openfire server, set (or change) the property “xmpp.fqdn”. You should restart Openfire when you do.

1 Like

Btw, in the current Spark’s code we have already renamed Server field to Domain.

Wroot, eu queria distribuir o client spark na minha rede com a opção “Disable certificate hostname verification” marcada.

Tem algum arquivo que posso configurar e distribuir nos computadores ?

Fabiano, you will have to come up with your own way to do that (instructing users to change that setting, using some sort of script which can insert new setting to a text file). You need to add

DisableHostnameVerification=true

into C:\Users\User\AppData\Roaming\Spark\spark.properties file

Wroot, segui a sua sugestão alterando o arquivo spark.properties e distribuindo via script.

Porém encontrei um outro problema, o campo downloadDirectory, que indica o caminho da pasta onde o Spark guarda os arquivos recebidos. Se eu distribuir o spark.properties via script, todos os computadores vão apontar para o mesmo caminho: downloadDirectory=C:\Users\fabiano\Documents\Downloads.

Tentei algo como %USERPROFILE%\documents\Downloads mas o Spark não reconhece como um caminho válido.

Tem alguma sugestão?

Obrigado.

Just delete that line. Spark will either auto-fill it on its own or will ask user to set a directory when they receive their first file.

I am having the same problem with 2.8.0 using the latest Openfire with Active Directory. If I use SSO, it works fine and logs in, but if I try it manually, I get “invalid username or password.” When using 2.7.7, it logs in just fine. I already have the option “accept all certificates” set but it does nothing.

Furthermore, I have xmpp.domain and xmpp.fqdn both set to the correct parameters, im.mydomain.com, I have DNS setup to resolve im.mydomain.com to the Openfire server, and the certificates in Openfire contain this host name. Other clients like Jitsi do not have any problem logging in.

Its not a big problem for me because I am using SSO, just adding my voice to the choir here.

Thanks for reaching out @Bill Roland. Would it be possible for me to get an account on your domain? That way, I can try for myself and figure out what’s going wrong. Hopefully that will help us address issues like these better. You can find my contact info in my profile.

Bill, Guus - looks like another Bill is having similar problem here Re: Spark 2.8.0 - invalid username/password

Hi,

Apologies, but this is still unclear. Has anyone succeeded in overcoming this issue? On mydomain.com I have on the server,

Server Name: chat
Host Name: mypc

and certificates for *.chat and *.mypc

The actual domain, mydomain.com does not appear to be anywhere in the server settings. In DNS I have records for chat.mydomain.com and mypc.mydomain.com pointing to the server IP address.

Is there any combination on the client that will work in this situation? See this thread for what I have already tried, Spark 2.8 login problem - server.mydomain.com or chat.mydomain.com