Openfire-3.8.1-1 Oracle Linux SSL Only s2s

Hello,

I am trying to get s2s connections working over TLS only with other XMPP servers.

What i have:

Only incoming connections are working. Outgoing ones are not. (One remote server has a self-signed certificate installed; the other is jabber.org.)

I have only an RSA certificate, which is signed by a trusted CA.

My config options:

xmpp.socket.ssl.active true

xmpp.server.tls.enabled true

xmpp.server.dialback.enabled false

xmpp.server.certificate.accept-selfsigned true

xmpp.domain domain.com

sasl.mechs PLAIN, EXTERNAL

Certificates:

RSA only,

jre/bin/keytool -keystore ./resources/security/keystore -list

Keystore type: JKS

Keystore provider: SUN

Your keystore contains 1 entry

talamasca, Apr 8, 2013, PrivateKeyEntry,

Certificate fingerprint (MD5): something here

Made by:

openssl pkcs12 -export -in commercial.crt -inkey commercial.key -out nowy.p12 -name talamasca -CAfile commercial_ca.crt -caname root

keytool -importkeystore -destkeystore keystore -srckeystore /home/cnav/talamasca/gotowe/nowy.p12 -srcstoretype PKCS12 -alias talamasca

Errors during connection:

2013.04.08 21:57:19 org.apache.mina.filter.executor.ExecutorFilter - Exiting since queue is empty for /83.144.74.202:51288

2013.04.08 21:57:19 org.jivesoftware.openfire.server.OutgoingSessionPromise - OutgoingSessionPromise: Error sending packet to remote server (fast discard):

5

2013.04.08 21:57:19 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain…

2013.04.08 21:57:19 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 3 issuer: ‘CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL’ subject: ‘CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL’

2013.04.08 21:57:19 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 2 issuer: ‘CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL’ subject: ‘CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL’

2013.04.08 21:57:19 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: Handshake error while creating secured outgoing session to remote server: jabber.org(DNS lookup: hermes.jabber.org:5269)

javax.net.ssl.SSLHandshakeException: General SSLEngine problem

at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)

at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)

at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)

at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source)

at javax.net.ssl.SSLEngine.wrap(Unknown Source)

at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:274)

at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:168)

at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:182)

at org.jivesoftware.openfire.session.LocalOutgoingServerSession.secureAndAuthenticate(LocalOutgoingServerSession.java:430)

at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:343)

at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:167)

at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:261)

at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:238)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at java.lang.Thread.run(Unknown Source)

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)

at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)

at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)

at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)

at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)

at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)

at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)

at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)

at java.security.AccessController.doPrivileged(Native Method)

at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)

at org.jivesoftware.openfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:325)

at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:235)

… 10 more

Caused by: java.security.cert.CertificateException: subject/issuer verification failed of [conference.jabber.org, jabber.org]. In certificate 2 of the chain, I expected the issuer to be ‘CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL’ but was ‘CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL’.

at org.jivesoftware.openfire.net.ServerTrustManager.checkServerTrusted(ServerTrustManager.java:140)

… 18 more

2013.04.08 22:02:01 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain…

2013.04.08 22:02:01 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 1 issuer: ‘EMAILADDRESS=admin@daath.pl, CN=.daath.pl, O=daath, ST=Mazowieckie, C=PL’ subject: ‘EMAILADDRESS=admin@daath.pl, CN=.daath.pl, O=daath, ST=Mazowieckie, C=PL’

2013.04.08 22:02:01 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain root certificate…

2013.04.08 22:02:01 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain validity (by date)…

2013.04.08 22:02:01 org.jivesoftware.openfire.session.LocalOutgoingServerSession[‘daath.pl’] - TLS negotiation was successful.

2013.04.08 22:02:01 org.jivesoftware.openfire.session.LocalOutgoingServerSession[‘daath.pl’] - Offering dialback functionality: false

2013.04.08 22:02:01 org.jivesoftware.openfire.session.LocalOutgoingServerSession[‘daath.pl’] - Offering EXTERNAL SASL: true

2013.04.08 22:02:01 org.jivesoftware.openfire.session.LocalOutgoingServerSession[‘daath.pl’] - Is using a self-signed certificate: true

2013.04.08 22:02:01 org.jivesoftware.openfire.session.LocalOutgoingServerSession[‘daath.pl’] - As remote server is using self-signed certificate, SASL EXTERNAL is skipped. Attempting dialback over TLS instead.

2013.04.08 22:02:01 org.jivesoftware.openfire.session.LocalOutgoingServerSession[‘daath.pl’] - Trying to connecting using dialback over TLS.

2013.04.08 22:02:01 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Sent dialback key to host: daath.pl id: 210962183 from domain: talamasca.pl

2013.04.08 22:02:01 org.jivesoftware.openfire.net.BlockingAcceptingMode - Connect Socket[addr=/213.216.102.210,port=16259,localport=5269]

2013.04.08 22:02:02 org.jivesoftware.openfire.net.BlockingReadingMode - Connection closed before session establishedSocket[addr=/213.216.102.210,port=16259,localport=5269]

2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] unwrap()

2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] inNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=58 cap=16665]

2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]

2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] Unwrap res:Status = OK HandshakeStatus = NOT_HANDSHAKING

bytesConsumed = 29 bytesProduced = 0

2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] inNetBuffer: java.nio.DirectByteBuffer[pos=29 lim=58 cap=16665]

2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]

2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] Unwrap res:Status = OK HandshakeStatus = NOT_HANDSHAKING

bytesConsumed = 29 bytesProduced = 1

2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] inNetBuffer: java.nio.DirectByteBuffer[pos=58 lim=58 cap=16665]

2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] appBuffer: java.nio.DirectByteBuffer[pos=1 lim=33330 cap=33330]

2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] Unwrap res:Status = BUFFER_UNDERFLOW HandshakeStatus = NOT_HANDSHAKING

bytesConsumed = 0 bytesProduced = 0

2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] appBuffer: java.nio.DirectByteBuffer[pos=0 lim=1 cap=33330]

2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] app data read: HeapBuffer[pos=0 lim=1 cap=1: 0A] (0A)

2013.04.08 22:02:34 org.apache.mina.filter.executor.ExecutorFilter - Launching thread for /83.144.74.202:51288

2013.04.08 22:02:34 org.apache.mina.filter.executor.ExecutorFilter - Exiting since queue is empty for /83.144.74.202:51288

2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] Data Read:

2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] unwrap()

2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] inNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=58 cap=16665]

2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]

2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] Unwrap res:Status = OK HandshakeStatus = NOT_HANDSHAKING

bytesConsumed = 29 bytesProduced = 0

2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] inNetBuffer: java.nio.DirectByteBuffer[pos=29 lim=58 cap=16665]

2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]

2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] Unwrap res:Status = OK HandshakeStatus = NOT_HANDSHAKING

bytesConsumed = 29 bytesProduced = 1

2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] inNetBuffer: java.nio.DirectByteBuffer[pos=58 lim=58 cap=16665]

2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] appBuffer: java.nio.DirectByteBuffer[pos=1 lim=33330 cap=33330]

2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] Unwrap res:Status = BUFFER_UNDERFLOW HandshakeStatus = NOT_HANDSHAKING

bytesConsumed = 0 bytesProduced = 0

2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] appBuffer: java.nio.DirectByteBuffer[pos=0 lim=1 cap=33330]

2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] app data read: HeapBuffer[pos=0 lim=1 cap=1: 0A] (0A)

2013.04.08 22:02:47 org.apache.mina.filter.executor.ExecutorFilter - Launching thread for /91.213.162.152:33709

2013.04.08 22:02:47 org.apache.mina.filter.executor.ExecutorFilter - Exiting since queue is empty for /91.213.162.152:33709

And when I turn on dialback:

xmpp.server.dialback.enabled true

I get these errors:

2013.04.08 22:14:38 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain root certificate…

2013.04.08 22:14:38 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain validity (by date)…

2013.04.08 22:14:38 org.jivesoftware.openfire.session.LocalOutgoingServerSession[‘daath.pl’] - TLS negotiation was successful.

2013.04.08 22:14:38 org.jivesoftware.openfire.session.LocalOutgoingServerSession[‘daath.pl’] - Offering dialback functionality: false

2013.04.08 22:14:38 org.jivesoftware.openfire.session.LocalOutgoingServerSession[‘daath.pl’] - Offering EXTERNAL SASL: true

2013.04.08 22:14:38 org.jivesoftware.openfire.session.LocalOutgoingServerSession[‘daath.pl’] - Is using a self-signed certificate: true

2013.04.08 22:14:38 org.jivesoftware.openfire.session.LocalOutgoingServerSession[‘daath.pl’] - As remote server is using self-signed certificate, SASL EXTERNAL is skipped. Attempting dialback over TLS instead.

2013.04.08 22:14:38 org.jivesoftware.openfire.session.LocalOutgoingServerSession[‘daath.pl’] - Trying to connecting using dialback over TLS.

2013.04.08 22:14:38 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Sent dialback key to host: daath.pl id: 3157452682 from domain: talamasca.pl

2013.04.08 22:16:38 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Time out waiting for answer in validation from: daath.pl id: 3157452682 for domain: talamasca.pl

2013.04.08 22:16:38 org.jivesoftware.openfire.session.LocalOutgoingServerSession[‘daath.pl’] - Dialback over TLS failed

2013.04.08 22:16:38 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Going to try connecting using server dialback with: daath.pl

2013.04.08 22:16:38 org.jivesoftware.openfire.server.OutgoingServerSocketReader - OutgoingServerSocketReader: Finishing Outgoing Server Reader. No session to close.

java.net.SocketException: Socket closed

at java.net.SocketInputStream.socketRead0(Native Method)

at java.net.SocketInputStream.read(Unknown Source)

at org.jivesoftware.openfire.net.ServerTrafficCounter$InputStreamWrapper.read(ServerTrafficCounter.java:221)

at java.nio.channels.Channels$ReadableByteChannelImpl.read(Unknown Source)

at org.jivesoftware.openfire.net.TLSStreamReader.doRead(TLSStreamReader.java:78)

at org.jivesoftware.openfire.net.TLSStreamReader.access$000(TLSStreamReader.java:36)

at org.jivesoftware.openfire.net.TLSStreamReader$1.read(TLSStreamReader.java:171)

at sun.nio.cs.StreamDecoder.readBytes(Unknown Source)

at sun.nio.cs.StreamDecoder.implRead(Unknown Source)

at sun.nio.cs.StreamDecoder.read(Unknown Source)

at java.io.InputStreamReader.read(Unknown Source)

at org.xmlpull.mxp1.MXParser.fillBuf(MXParser.java:2992)

at org.xmlpull.mxp1.MXParser.more(MXParser.java:3046)

at org.jivesoftware.openfire.net.MXParser.more(MXParser.java:373)

at org.jivesoftware.openfire.net.MXParser.nextImpl(MXParser.java:85)

at org.xmlpull.mxp1.MXParser.nextToken(MXParser.java:1100)

at org.dom4j.io.XMPPPacketReader.parseDocument(XMPPPacketReader.java:317)

at org.jivesoftware.openfire.server.OutgoingServerSocketReader$1.run(OutgoingServerSocketReader.java:105)

2013.04.08 22:16:38 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Trying to connect to daath.pl:5269(DNS lookup: daath.pl:5269)

2013.04.08 22:16:38 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Connection to daath.pl:5269 successful

2013.04.08 22:16:38 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Sent dialback key to host: daath.pl id: 593371312 from domain: talamasca.pl

Do you have any suggestions?

I seem to be running into very similar issues. I’m wondering if you ever got this solved on your end? If so, what did you do?

My S2S connections between openfire servers are secured, no issues.

jabber.org plainly fails, completely, with error messages similar to the ones you get in your log.

Another jabber server (jabber.at) works for me when I set it to optional, and just like you see, I get inbound connections encrypted and outbound not encrypted.

Connectivity to google.com (for GTalk) doesn’t encrypt either direction for me.

Yes, I found the solution:

I added rootca and interca to the truststore

neith:/opt/openfire # jre/bin/keytool -import -trustcacerts -alias root -file ~/talamasca/gotowe/jabber/rootca -keystore ./resources/security/truststore

neith:/opt/openfire # jre/bin/keytool -import -trustcacerts -alias interca -file ~/talamasca/gotowe/jabber/interca -keystore ./resources/security/truststore

And I have all my certificates in the keystore: rootca, interca, mydomaincert

neith:/opt/openfire # jre/bin/keytool -list -keystore ./resources/security/keystore -v | egrep 'Certificate\[|Owner:|Issuer:'

Certificate[1]:

Owner: CN=*.talamasca.pl, OU=Domain Control Validated

Issuer: CN=AlphaSSL CA - G2, O=AlphaSSL

Certificate[2]:

Owner: CN=AlphaSSL CA - G2, O=AlphaSSL

Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE

Certificate[3]:

Owner: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE

Issuer: CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE

After this it is working for both sides. It seems that the truststore had old versions of these certs.

Still, if you have any problems, I would suggest updating the truststore with external certs.
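The jabber.org failure in the first post and the truststore fix in the last one both come down to how a server-to-server trust manager walks the peer's certificate chain: the log shows jabber.org presenting its chain as leaf, root, intermediate, and Openfire's check refusing it because certificate 2 (the root) is not issued by certificate 3 (the intermediate). The example below is an added illustration, not Openfire's code: certificates are modelled as (subject, issuer) DN pairs only, with no signature checking, the two CA DNs are taken from the log, and the leaf subject `CN=jabber.org` is an assumption since the log never prints it. It reproduces the sequential walk that produces the error message in the log, then shows a walk that rebuilds the order from issuer links and ends at a truststore lookup, which is where having both the root and the intermediate in the truststore matters.

```python
"""Toy re-creation of a server-to-server certificate chain walk.

Added example, not Openfire's implementation. Certificates are modelled
as (subject DN, issuer DN) pairs; no signatures are verified, so this
shows the ordering and trust-anchor logic only.
"""
from typing import List, Optional, Set, Tuple

Cert = Tuple[str, str]  # (subject DN, issuer DN); stand-in for an X509Certificate

# DNs taken from the log in this thread (OU dropped for brevity).
ROOT = "CN=StartCom Certification Authority, O=StartCom Ltd., C=IL"
INTER = "CN=StartCom Class 2 Primary Intermediate Server CA, O=StartCom Ltd., C=IL"
LEAF = "CN=jabber.org"  # assumed: the log never prints the leaf subject

# Constructed chain in the order the log shows it arriving: leaf, root, intermediate.
CHAIN_AS_SENT: List[Cert] = [(LEAF, INTER), (ROOT, ROOT), (INTER, ROOT)]


def sequential_walk_error(chain: List[Cert]) -> Optional[str]:
    """Walk from the last cert to the first, requiring cert[i].issuer == cert[i+1].subject.

    Mirrors the check whose wording appears in the log: it trusts the
    peer's ordering and fails on the first break instead of re-ordering.
    Returns None on success, or the error text on failure.
    """
    principal_last = None
    for i in range(len(chain) - 1, -1, -1):
        subject, issuer = chain[i]
        if principal_last is not None and issuer != principal_last:
            return (f"subject/issuer verification failed. In certificate {i + 1} of the "
                    f"chain, I expected the issuer to be '{principal_last}' but was '{issuer}'.")
        principal_last = subject
    return None


def reorder_chain(chain: List[Cert]) -> List[Cert]:
    """Rebuild leaf-first order by following issuer links, ignoring the peer's ordering."""
    by_subject = {subj: (subj, iss) for subj, iss in chain}
    # Every issuer named by a non-self-signed cert is a CA; the one cert
    # that nobody names as issuer is the end-entity (leaf) certificate.
    named_as_issuer = {iss for subj, iss in chain if subj != iss}
    leaves = [c for c in chain if c[0] not in named_as_issuer]
    if len(leaves) != 1:
        raise ValueError("cannot identify a unique end-entity certificate")
    ordered = [leaves[0]]
    while True:
        subject, issuer = ordered[-1]
        if subject == issuer:              # reached a self-signed root
            break
        nxt = by_subject.get(issuer)
        if nxt is None or nxt in ordered:  # issuer not sent by the peer, or a loop
            break
        ordered.append(nxt)
    return ordered


def verify_chain(chain: List[Cert], truststore: Set[str]) -> List[Cert]:
    """Re-order, run the sequential walk, then require the top of the chain to be trusted.

    `truststore` is the set of subject DNs of trusted CA certificates (what the
    keytool -import commands above put into resources/security/truststore).
    The chain is accepted if its top cert is itself trusted, or if the peer
    omitted the root and the top cert's issuer is trusted.
    """
    ordered = reorder_chain(chain)
    err = sequential_walk_error(ordered)
    if err is not None:
        raise ValueError(err)
    top_subject, top_issuer = ordered[-1]
    if top_subject not in truststore and top_issuer not in truststore:
        raise ValueError(f"chain does not end at a trusted CA: '{top_subject}'")
    return ordered


if __name__ == "__main__":
    print("as sent:", sequential_walk_error(CHAIN_AS_SENT))
    print("re-ordered:", [s for s, _ in verify_chain(CHAIN_AS_SENT, {ROOT, INTER})])
```

Run as a script it prints the same "In certificate 2 of the chain" complaint the log shows for the chain as sent, and then the leaf, intermediate, root order after re-ordering. The truststore check is the part the final post's fix addresses: with neither the StartCom root nor the intermediate in the truststore, even a correctly ordered chain is rejected.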