Openfire 3.10 TLS woes + Messaging broken

We are running Openfire on Ubuntu 12.04 LTS at the moment. We use TLS with a CA signed certificate (Root+Intermediate).

Openfire 3.9.3 continues to work for us. Openfire 3.10.0 is a complete and total bust.

Java is:

java version “1.7.0_79”

OpenJDK Runtime Environment (IcedTea 2.5.5) (7u79-2.5.5-0ubuntu0.12.04.1)

OpenJDK 64-Bit Server VM (build 24.79-b02, mixed mode)

We use Psi 0.14 clients, as 0.15 clients and Psi+ have never been able to connect successfully to Openfire. We were hoping that 3.10.0 finally fixed it.

Neither Psi 0.14 nor Psi 0.15 will connect to Openfire 3.10.0. The error displayed is “TLS Handshake Error.” Enabling old-style SSL on port 5223 allows clients to connect which is not a good solution.

However, even after connecting, clients cannot exchange messages. XML debug shows messages sent correctly, but they are not acknowledged by Openfire. Presence works fine. Web admin works fine, etc.

We rolled back to 3.9.3. As much as I’d like to totally blame this on Psi it seems that plenty of other clients are having issues as well.

I guess Dave filed this ticket yesterday: [OF-907] SSLv2 Hello is rejected; prevents some clients connecting (Jive Software Open Source), related to your issue. In the description he writes that some clients use the outdated SSLv2 Hello. This may be true, as Psi 15 is more than 2 years old. I think I've heard something about Psi+ in the past, but didn't pay attention. Will give it a try.

I'm running a bunch of different clients on my test box (including Psi 15) and I had no problems connecting and messaging on Openfire 3.10.0 with any of them. The only problem recently was Spark 2.6.3. But 2.7.0 works fine (as well as Psi, Jitsi, Gajim, Pidgin, Instantbird and even old outdated Exodus). Maybe this works for me because I'm using self-signed certificates generated by Openfire, or maybe because my server runs on Windows. Don't know. I have a setting requiring TLS and have SSL disabled for Clients Connection.

Anyway, will add a link to this thread to the ticket.

I have tried Psi+ on the same PC where I have Psi 15 working, and it couldn't connect. But it worked on another machine (VM). So maybe they can't coexist, or they try to use the same settings or registry keys.
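The OF-907 description above hinges on the difference between a modern TLS record-layer ClientHello and the older SSLv2-compatible ClientHello framing that some clients still send as their first bytes. The following classifier is an added example for this thread (not Openfire or Psi code) that tells the two apart from a captured first packet, so an operator inspecting a pcap of a failing Psi connection can see whether the client is using the legacy framing while still advertising TLS 1.0 or higher; the sample byte strings are constructed for illustration.

```python
"""Classify the first bytes a client sends on a TLS (or post-STARTTLS) connection.

Added example for this thread; not part of Openfire or any client.
Two framings exist for a ClientHello:
  * TLS record layer: type 0x16, version 0x03 0x0X, 2-byte length, then a
    handshake message of type 0x01 (ClientHello).
  * SSLv2-compatible: a 2-byte header with the high bit set (15-bit length),
    then CLIENT-HELLO type 0x01 and the highest version the client supports.
A v2-framed hello can still advertise TLS 1.0+, which is why rejecting the
framing (OF-907) also cuts off clients that would have negotiated TLS fine.
"""

VERSION_NAMES = {
    (3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2",
}


def classify_client_hello(data: bytes) -> dict:
    """Return the framing kind and advertised client version of a ClientHello."""
    if len(data) < 5:
        raise ValueError("too short to be a ClientHello")
    # Modern framing: record header, then handshake type at offset 5 and
    # client_version at offsets 9-10 (after the 3-byte handshake length).
    if data[0] == 0x16 and data[1] == 0x03:
        if len(data) < 11 or data[5] != 0x01:
            raise ValueError("TLS handshake record but not a ClientHello")
        ver = (data[9], data[10])
        return {"kind": "tls-record", "version": VERSION_NAMES.get(ver, str(ver))}
    # Legacy framing: high bit set on the first byte, 15-bit record length,
    # then CLIENT-HELLO (0x01) and the 2-byte maximum version.
    if data[0] & 0x80:
        length = ((data[0] & 0x7F) << 8) | data[1]
        if data[2] != 0x01:
            raise ValueError("SSLv2 record header but not a CLIENT-HELLO")
        ver = (data[3], data[4])
        return {"kind": "sslv2-compatible", "length": length,
                "version": VERSION_NAMES.get(ver, str(ver))}
    raise ValueError("not a recognisable ClientHello")


# Constructed sample: TLS-record ClientHello advertising TLS 1.0, one cipher suite.
TLS_SAMPLE = (b"\x16\x03\x01\x00\x2d" + b"\x01\x00\x00\x29" + b"\x03\x01"
              + b"\x00" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00")

# Constructed sample: SSLv2-compatible CLIENT-HELLO that also advertises TLS 1.0
# (two 3-byte cipher specs, no session id, 16-byte challenge).
SSLV2_SAMPLE = (b"\x80\x1f" + b"\x01" + b"\x03\x01" + b"\x00\x06" + b"\x00\x00"
                + b"\x00\x10" + b"\x00\x00\x2f\x00\x00\x0a" + b"\x00" * 16)
```

Run against the two constructed samples, the first is reported as a TLS-record hello and the second as SSLv2-compatible framing, both advertising TLS 1.0.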

Very good; thank you for taking the time. The symptom here is the immediate dialog “TLS Handshake Error” from Psi 0.14, and from Psi 0.15 and Psi+ (current build) the symptom is the client making an apparent connection attempt forever. I will try installing a test server on a windows box and see if it makes a difference.

I really doubt that signed/self signed makes that much of a difference. We are using only an RSA certificate, but I did try with a DSA as well and it did not make any difference.

The fact that messaging did not work but presence did work when connecting with Legacy SSL was strange, but I’ll chalk this up as a secondary issue pending figuring out the first a little more clearly.

3.10.1 has been released. Psi+ still couldn't connect for me on the same machine as regular Psi. But Spark 2.6.3 can now connect.