I had 3.4.1 running more or less smoothly, and this morning I installed the update to 3.4.2. I have two Windows 2003 servers, a home office and a satellite office. The primary reason I set up the two servers is that I require encrypted communications between the two offices. I don’t need or want outside servers to be able to talk to them. I set up the two servers on each other’s whitelists and installed self-signed certificates on each server. Under 3.4.1, I fought with it for a while, and had to set the server property xmpp.server.certificate.verify to false, but after I did that it was working fine.
When I installed the 3.4.2 update, I couldn’t communicate to people on the other server. My client (Trillian) returns a message “Unable to deliver message. Server reports (404)(none)”. I have encryption set to required. If I turn off encryption, it works fine, so I’m pretty sure the problem is isolated to something with SSL. SSL seems to work fine with everything else. Clients connect with no problems (that is also set to required) and my admin interface works on SSL. (Although it generates an expected certificate warning.)
I tried deleting and re-generating certificates on both sides. I tried creating certificates using OpenSSL. I tried using the old-fashioned keytool method. I deleted the keystore and re-installed Openfire. I can’t think of anything else that could be causing it to fail. In the server logs, I get the following messages:
On the local side (initiator) I get this in the error.log:
2007.12.10 15:02:34 [org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:338) ] Error creating secured outgoing session to remote server: jabber.remotedomain.com(DNS lookup: jabber.remotedomain.com:5269)
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
    at com.sun.net.ssl.internal.ssl.EngineInputRecord.bytesInCompletePacket(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source)
    at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
    at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:211)
    at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:157)
    at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:165)
    at org.jivesoftware.openfire.session.LocalOutgoingServerSession.secureAndAuthenticate(LocalOutgoingServerSession.java:369)
    at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:302)
    at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:143)
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:205)
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:185)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
On the remote side, I get this in the warn.log:
2007.12.10 14:02:36 Stream error detected. Session: org.jivesoftware.openfire.session.LocalIncomingServerSession@e72f0c status: 1 address: jabber.remotedomain.com/930ffb7 id: 930ffb7
java.lang.RuntimeException: Delegated task threw Exception/Error
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source)
    at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
    at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:211)
    at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:157)
    at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:165)
    at org.jivesoftware.openfire.net.SocketReadingMode.negotiateTLS(SocketReadingMode.java:72)
    at org.jivesoftware.openfire.net.BlockingReadingMode.readStream(BlockingReadingMode.java:126)
    at org.jivesoftware.openfire.net.BlockingReadingMode.run(BlockingReadingMode.java:62)
    at org.jivesoftware.openfire.net.SocketReader.run(SocketReader.java:119)
    at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NullPointerException
    at com.sun.net.ssl.internal.ssl.HandshakeMessage$CertificateRequest.<init>(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)
    at org.jivesoftware.openfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:314)
    at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:224)
    ... 7 more
2007.12.10 14:02:37 Closing session due to incorrect hostname in stream header. Host: remotedomain.com. Connection: org.jivesoftware.openfire.net.SocketConnection@12eabae socket: Socket[addr=/188.8.131.52,port=1547,localport=5269] session: null
Obviously, domains and IP addresses are obfuscated above. The real domains are correct, and can resolve correctly from either side of the connection. Also, the IP address in the last line of the remote warn.log is the correct IP address for the server.
On both firewalls, I have ports 5222, 7777 and 5269 forwarded to the server. Although I didn’t have them before, I created SRV records on both DNS servers for TCP ports 5222 and 5269.
Thank you very much in advance, and any help would be greatly appreciated. These are production servers, and I can’t think of anything else to try.
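The initiator's trace above says the bytes it received where it expected a TLS record were not TLS, while the remote side's handshaker threw before it could answer the ClientHello. The following diagnostic, added here and not part of the original post or of Openfire, opens a jabber:server stream to port 5269 the way an initiating server does, requests STARTTLS, labels what comes back, and then reports (rather than enforces) the handshake outcome. The function names, the domain names used in the test, and the decision to disable certificate verification for the probe are this example's own assumptions.

```python
import socket
import ssl

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
# Initiator's stream open for a server-to-server (jabber:server) connection.
STREAM_OPEN = ('<?xml version="1.0"?><stream:stream xmlns="jabber:server" '
               'xmlns:stream="http://etherx.jabber.org/streams" '
               'to="{to}" from="{frm}" version="1.0">')

def classify(data: bytes) -> str:
    """Label what the peer sent at a point where the initiator expects TLS."""
    if not data:
        return "closed"                         # peer hung up
    if data[0] == 0x16 and data[1:2] == b"\x03":
        return "tls-handshake"                  # TLS record: type 22, version 3.x
    if b"<proceed" in data:
        return "proceed"
    if data[:1] == b"<":
        return "plaintext-xml"                  # <failure/> or <stream:error> instead of TLS
    return "plaintext"                          # what JSSE calls "plaintext connection?"

def _read_until(sock, marker: bytes) -> bytes:
    buf = b""
    while marker not in buf and len(buf) < 65536:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf

def request_starttls(sock, to_domain: str, from_domain: str) -> str:  # works on any socket-like object
    sock.sendall(STREAM_OPEN.format(to=to_domain, frm=from_domain).encode())
    features = _read_until(sock, b"</stream:features>")
    if b"<starttls" not in features:
        return "no-starttls-offered"            # peer does not advertise xmpp-tls
    sock.sendall(f'<starttls xmlns="{TLS_NS}"/>'.encode())
    return classify(sock.recv(4096))

def probe(host: str, port: int, to_domain: str, from_domain: str) -> str:  # live probe of one s2s peer
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # inspect only, no trust decision
    with socket.create_connection((host, port), timeout=10) as raw:
        outcome = request_starttls(raw, to_domain, from_domain)
        if outcome != "proceed":
            return outcome
        try:
            with ctx.wrap_socket(raw, server_hostname=to_domain) as tls:
                return "tls-ok:" + str(tls.version())
        except ssl.SSLError as exc:             # e.g. WRONG_VERSION_NUMBER on a plaintext reply
            return "tls-failed:" + str(exc.reason)
```

Run `probe("jabber.remotedomain.com", 5269, "jabber.remotedomain.com", "<your xmpp.domain>")` from each server toward the other; a "plaintext-xml" or "tls-failed" label on one side paired with a handshake exception on the other narrows the fault to that side's TLS setup rather than to routing or DNS.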