powered by Jive Software

Openfire 3.4.2 upgrade - SSL problems with server-to-server

Hello,

I had 3.4.1 running more or less smoothly, and this morning I installed the update to 3.4.2. I have two Windows 2003 servers, a home office and a satellite office. The primary reason I set up the two servers is that I require encrypted communications between the two offices. I don’t need or want outside servers to be able to talk to them. I set up the two servers on each other’s whitelists and installed self-signed certificates on each server. Under 3.4.1, I fought with it for a while, and had to set the server property xmpp.server.certificate.verify to false, but after I did that it was working fine.

When I installed the 3.4.2 update, I couldn’t communicate to people on the other server. My client (Trillian) returns a message “Unable to deliver message. Server reports (404)(none)”. I have encryption set to required. If I turn off encryption, it works fine, so I’m pretty sure the problem is isolated to something with SSL. SSL seems to work fine with everything else. Clients connect with no problems (that is also set to required) and my admin interface works on SSL. (Although it generates an expected certificate warning.)

I tried deleting and re-generating certificates on both sides. I tried creating certificates using openSSL. I tried using the old-fashioned keytool method. I deleted the keystore and re-installed openfire. I can’t think of anything else that could be causing it to fail. In the server logs, I get the following messages:

On the local side (initiator) I get this in the error.log:

2007.12.10 15:02:34 [org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:338)
] Error creating secured outgoing session to remote server: jabber.remotedomain.com(DNS lookup: jabber.remotedomain.com:5269)
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at com.sun.net.ssl.internal.ssl.EngineInputRecord.bytesInCompletePacket(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source)
at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:211)
at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:157)
at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:165)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.secureAndAuthenticate(LocalOutgoingServerSession.java:369)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:302)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:143)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:205)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:185)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

On the remote side, I get this in the warn.log:

2007.12.10 14:02:36 Stream error detected. Session: org.jivesoftware.openfire.session.LocalIncomingServerSession@e72f0c status: 1 address: jabber.remotedomain.com/930ffb7 id: 930ffb7
java.lang.RuntimeException: Delegated task threw Exception/Error
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source)
at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:211)
at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:157)
at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:165)
at org.jivesoftware.openfire.net.SocketReadingMode.negotiateTLS(SocketReadingMode.java:72)
at org.jivesoftware.openfire.net.BlockingReadingMode.readStream(BlockingReadingMode.java:126)
at org.jivesoftware.openfire.net.BlockingReadingMode.run(BlockingReadingMode.java:62)
at org.jivesoftware.openfire.net.SocketReader.run(SocketReader.java:119)
at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NullPointerException
at com.sun.net.ssl.internal.ssl.HandshakeMessage$CertificateRequest.<init>(Unknown Source)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.clientHello(Unknown Source)
at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)
at org.jivesoftware.openfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:314)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:224)
... 7 more
2007.12.10 14:02:37 Closing session due to incorrect hostname in stream header. Host: remotedomain.com. Connection: org.jivesoftware.openfire.net.SocketConnection@12eabae socket: Sockethttp://addr=/22.22.22.22,port=1547,localport=5269 session: null

Obviously, domains and IP addresses are obfuscated above. The real domains are correct, and can resolve correctly from either side of the connection. Also, the IP address in the last line of the remote warn.log is the correct IP address for the server.

On both firewalls, I have ports 5222, 7777 and 5269 forwarded to the server. Although I didn’t have them before, I created SRV records on both DNS servers for TCP ports 5222 and 5269.

Thank you very much in advance, and any help would be greatly appreciated. These are production servers, and I can’t think of anything else to try.

Hello,

I have problems with s2s-ssl, too.

One of my friends uses openfire 3.4.1 and I upgraded my company’s openfire to 3.4.2.

His users do not show up in my rooster and I found the following stacktrace in error.log:

2007.12.11 10:32:06 [org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSes sion(LocalOutgoingSer verSession.java:338)] Error creating secured outgoing session to remote server: moonage.net(DNS lookup: moonage.net:5269 )

javax.net.ssl.SSLException: Unsupported record version Unknown-102.97

    at com.sun.net.ssl.internal.ssl.EngineInputRecord.bytesInCompletePacket(EngineInpu tRecord.java:97)

    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:752 )

    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:667)

    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)

    at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.jav a:211)

    at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:157)

    at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:1 65)

    at org.jivesoftware.openfire.session.LocalOutgoingServerSession.secureAndAuthentic ate(LocalOutgoingServerSession       .java:369)

    at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSess ion(LocalOutgoingServerSession       .java:302)

    at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain (LocalOutgoingServerSession.ja       va:143)

    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPa cket(OutgoingSessionPromise.ja       va:205)

    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(Ou tgoingSessionPromise.java:185)

    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java: 679)

    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:704)

    at java.lang.Thread.run(Thread.java:619)

Well, after beating the heck out of this yesterday, I downgraded to 3.4.1 today. (I don’t admit defeat easily) The downgrade was a straight install of openfire_3_4_1.exe. After downgrading everything works perfectly again with no configuration changes.

That leads me to the inevitable conclusion that this is a bug, unless the setup was SUPPOSED to change. At any rate, I’ll re-post this, along with the error and warning logs in the bugs section. If anyone sees anything that I missed, please feel free to reply. Thanks!

Message was edited by: cmhxaktsoft - fixed some typos

I’m having the same problem following my upgrade to 3.4.2:

2007.12.11 08:00:57 [org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:338)] Error creating secured outgoing session to remote server: newmajik.com(DNS lookup: newmajik.com:5269)
javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at com.sun.net.ssl.internal.ssl.EngineInputRecord.bytesInCompletePacket(EngineInputRecord.java:152)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:752)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:667)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:211)
at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:157)
at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:165)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.secureAndAuthenticate(LocalOutgoingServerSession.java:369)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:302)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:143)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:205)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:185)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
at java.lang.Thread.run(Thread.java:619)

Prior to the upgrade I was able to make outgoing connections to both newmajik.com and myjabber.net.

I’m using a self-signed certificate. Any help greatly appreciated.

thanks,

Colin

I don’t mean to sound ungrateful, because this is a fantastic product that many people don’t pay a dime for. However, if you install 3.4.1 again, I think you’ll find your problems go away. If I had any sort of programming ability, I’d look into it (the program IS open-source) however, I couldn’t code my way out of a wet paper bag.

Hey guys,

Thanks for reporting this problem. Today I will try to reproduce it and check in a fix for the next release.

Thanks,

– Gato

Please let me know if you need any more info to reproduce. I’m certainly not a programmer, and can’t help out on that end, but if I can help out in any other way, that is my contribution.

We were able to reproduce the problem and we are fixing it today. Unfortunately, there is no manual workaround for 3.4.2 so you will need to wait for 3.4.3 that will fix this problem.

Regards,

– Gato

The problems JM-1206 and JM-1207 have been fixed. You can either wait for Openfire 3.4.3 to be released by the end of the month or use the next nightly build version.

Regards,

– Gato

I am a patient man. I’ll wait for 3.4.3. Thanks again!

Did you set verify certificate to false in the system properties?

(you can search these groups for the exact string to enter to accomplish this)