Openfire 4.3.2 and Spark 2.6.3

Spark 2.8.3 and Openfire 4.3.2 work well. But because some of our clients hang with Spark 2.8.3, they wanted to install Spark 2.6.3 (judging by the forum, it works well with Windows 10 and laptops). But I cannot connect to the server: it reports a wrong password or login. Here is the log from the server.

Log:
2019.04.04 09:47:20 org.jivesoftware.openfire.nio.ConnectionHandler - Closing connection due to exception in session: (0x0000012C: nio socket, server, /172.16.1.153:62574 => /172.16.3.12:5223)
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:487) [mina-core-2.0.7.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417) [mina-core-2.0.7.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47) [mina-core-2.0.7.jar:?]
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765) [mina-core-2.0.7.jar:?]
at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74) [mina-core-2.0.7.jar:?]
at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63) [mina-core-2.0.7.jar:?]
at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTask(OrderedThreadPoolExecutor.java:769) [mina-core-2.0.7.jar:?]
at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTasks(OrderedThreadPoolExecutor.java:761) [mina-core-2.0.7.jar:?]
at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.run(OrderedThreadPoolExecutor.java:703) [mina-core-2.0.7.jar:?]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_191]
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521) ~[?:1.8.0_191]
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528) ~[?:1.8.0_191]
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197) ~[?:1.8.0_191]
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165) ~[?:1.8.0_191]
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469) ~[?:1.8.0_191]
at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:578) ~[mina-core-2.0.7.jar:?]
at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:351) ~[mina-core-2.0.7.jar:?]
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:468) ~[mina-core-2.0.7.jar:?]
… 9 more
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_191]
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647) ~[?:1.8.0_191]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318) ~[?:1.8.0_191]
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:306) ~[?:1.8.0_191]
at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1127) ~[?:1.8.0_191]
at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:814) ~[?:1.8.0_191]
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:221) ~[?:1.8.0_191]
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:1.8.0_191]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:1.8.0_191]
at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:1.8.0_191]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_191]
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:1.8.0_191]
at org.apache.mina.filter.ssl.SslHandler.doTasks(SslHandler.java:759) ~[mina-core-2.0.7.jar:?]
at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:544) ~[mina-core-2.0.7.jar:?]
at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:351) ~[mina-core-2.0.7.jar:?]
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:468) ~[mina-core-2.0.7.jar:?]
… 9 more

One of the reasons for releasing version 2.7.0 of Spark 4 years ago was problems with 2.6.3 connecting to new versions of Openfire. 2.6.3 is very old and doesn’t support the newest SSL methods. As your SSL policy is optional, you can try disabling SSL in Spark. But I don’t remember off the top of my head if you can do that, probably not. And this would not be secure. You can try enabling Old SSL in Advanced settings on the login screen. Keep in mind that this will use port 5223. You can also try version 2.7.7. Maybe it won’t hang. https://github.com/igniterealtime/Spark/releases/tag/v2.7.7
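
As an added example (not part of any post in this thread, and not Openfire code): a small Python triage script for the server log format shown in the first post. It keeps the innermost `Caused by:` message for each closed session and counts failures per client address and listening port; the sample log is abridged from that post, and all function names are my own.

```python
import re
from collections import Counter

# Sample input: abridged from the server log in the first post (one frame kept per cause).
SAMPLE_LOG = """\
2019.04.04 09:47:20 org.jivesoftware.openfire.nio.ConnectionHandler - Closing connection due to exception in session: (0x0000012C: nio socket, server, /172.16.1.153:62574 => /172.16.3.12:5223)
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:487) [mina-core-2.0.7.jar:?]
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521) ~[?:1.8.0_191]
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1127) ~[?:1.8.0_191]
"""

# Entry header: timestamp, then "/client:port => /server:port)" at the end of the session info.
HEADER = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"/(?P<client>[\d.]+):\d+ => /(?P<server>[\d.]+):(?P<port>\d+)\)")
# Exception line, with or without the "Caused by: " prefix.
CAUSE = re.compile(r"^(?:Caused by: )?(?P<exc>[\w.$]+(?:Exception|Error)): (?P<msg>.*)$")


def parse_failures(log_text):
    """Return one record per closed session, keeping the innermost cause."""
    records, current = [], None
    for line in log_text.splitlines():
        line = line.strip()
        head = HEADER.match(line)
        if head:
            current = dict(head.groupdict(), port=int(head["port"]),
                           exception=None, root_cause=None)
            records.append(current)
            continue
        cause = CAUSE.match(line)
        if current is not None and cause:
            # Later "Caused by:" lines sit deeper in the chain, so the last one wins.
            current["exception"] = cause["exc"]
            current["root_cause"] = cause["msg"].strip()
    return records


def summarize(records):
    """Count failures per (client address, server port, root cause)."""
    return Counter((r["client"], r["port"], r["root_cause"]) for r in records)


if __name__ == "__main__":
    for (client, port, cause), count in summarize(parse_failures(SAMPLE_LOG)).items():
        print(f"{count}x {client} -> port {port}: {cause}")
```
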

I see you marked this as solved. What worked for you exactly? :slight_smile:

Btw, I have just tried to log in with 2.6.3 from my test machine to a 4.3.2 server and it worked. Didn’t have to do anything.

I also just went to the Openfire 4.3.2 test server.
The problem is most likely due to the fact that on the main Openfire server we have SSO…
System Properties:

sasl.gssapi.config /etc/openfire/gss.conf
sasl.gssapi.debug true
sasl.gssapi.useSubjectCredsOnly False
sasl.mechs.00001 EXTERNAL
sasl.mechs.00002 PLAIN
sasl.mechs.00003 SCRAM-SHA-1
sasl.mechs.00004 ANONYMOUS
sasl.mechs.00005 DIGEST-MD5
sasl.mechs.00006 NTLM
sasl.mechs.00007 CRAM-MD5
sasl.mechs.00008 GSSAPI
sasl.mechs.00009 JIVE-SHAREDSECRET
sasl.realm COLEMAN.LOCAL
sasl.scram-sha-1.iteration-count 4096
savepassandautologin.enabled true

/etc/openfire/gss.conf

com.sun.security.jgss.accept {
com.sun.security.auth.module.Krb5LoginModule
required
storeKey=true
keyTab="/usr/share/openfire/resources/openfire.keytab"
doNotPrompt=true
useKeyTab=true
realm="COLEMAN.LOCAL"
principal="xmpp/srv-chat.coleman.local@COLEMAN.LOCAL"
debug=true;
};

/etc/krb5.conf

[libdefaults]
default_realm = COLEMAN.LOCAL
default_keytab_name = /usr/share/openfire/resources/openfire.keytab
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5

[realms]
COLEMAN.LOCAL = {
kdc = srvdc3.coleman.local
kdc = srvdca1.coleman.local
admin_server = srvdc3.coleman.local
default_domain = coleman.local
}
[domain_realms]
domain.com = COLEMAN.LOCAL
.domain.com = COLEMAN.LOCAL

Ah, I haven’t ever used SSO with Spark. It might have some other nuances. Well, then you can try using Old SSL or version 2.7.7.

Old SSL and port 5222 or 5223 don’t work (Spark 2.6.3 and Spark 2.7.7).
2.7.7 will not connect (wrong username and password).

Well, I don’t have any other suggestion. Btw, these logs are from Openfire. But you can also check Spark logs:
C:\Users\User\AppData\Roaming\Spark\logs
There is a bunch of files, look through all of them and select events that correlate with the time of your issue.

I think RC4 is disabled in Windows 10… and DES has been deprecated for a while. You’ll need to regenerate your keytab file and update your encryption types: aes-128 (avoid 256, as it requires an additional Java library (Google JCE unlimited strength)).
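
As an added example (not from the thread or from any Openfire guide): a Python check that reads the `[libdefaults]` enctype settings of a krb5.conf like the one posted above and lists the DES, 3DES and RC4 entries, plus whether any AES type is offered. The sample text is taken from the posted file; the function and variable names are my own.

```python
import re

# Sample input: the [libdefaults] enctype lines from the krb5.conf posted in this thread.
SAMPLE_KRB5 = """\
[libdefaults]
default_realm = COLEMAN.LOCAL
default_tkt_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
default_tgs_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
permitted_enctypes = rc4-hmac des3-cbc-sha1 des-cbc-crc des-cbc-md5
"""

ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
# Deprecated Kerberos enctypes: single DES (RFC 6649), 3DES and RC4 (RFC 8429).
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "des3-cbc-sha1", "des3-hmac-sha1",
    "rc4-hmac", "arcfour-hmac", "arcfour-hmac-md5",
}


def audit_enctypes(conf_text):
    """Return {setting: {"weak": [...], "has_aes": bool}} for [libdefaults]."""
    findings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.match(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ENCTYPE_KEYS:
            # Enctype lists may be separated by spaces or commas.
            types = [t for t in re.split(r"[,\s]+", value.lower()) if t]
            findings[key] = {
                "weak": [t for t in types if t in WEAK_ENCTYPES],
                "has_aes": any(t.startswith("aes") for t in types),
            }
    return findings


if __name__ == "__main__":
    for setting, result in audit_enctypes(SAMPLE_KRB5).items():
        print(setting, "weak:", result["weak"], "AES offered:", result["has_aes"])
```
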

Logs from Spark: first log - Old SSL disabled, second log - Old SSL enabled + port 5223.
But with Spark 2.8.3 and Spark 2.9.0 it connects normally; the problem is in the old Spark version with SSO enabled.

04.04.2019 20:51:05 org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
No response from the server.:
at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:73)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:362)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)
05.04.2019 10:23:53 org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
Connection failed. No response from server.:
at org.jivesoftware.smack.PacketReader.startup(PacketReader.java:119)
at org.jivesoftware.smack.XMPPConnection.initConnection(XMPPConnection.java:568)
at org.jivesoftware.smack.XMPPConnection.connectUsingConfiguration(XMPPConnection.java:527)
at org.jivesoftware.smack.XMPPConnection.connect(XMPPConnection.java:953)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1009)
at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)

With Spark 2.8.3 and Spark 2.9.0 it connects normally; the problem is in the old Spark version with SSO enabled. I tested on Windows 7 and Windows 10.

Completely guessing here, but there is such a plugin for Openfire: https://www.igniterealtime.org/projects/openfire/plugin-archive.jsp?plugin=nonSaslAuthentication
Maybe it will do something.

This plugin doesn’t work. I installed version 1.0.0 and the 1.0.1 snapshot from Mar 30.

And I tried with OLD SSL and 5223 port. OLD SSL and port 5222. just OLD SSL and just port 5223.

Probably have to wait for version 2.9.0 which is unknown when it comes out and whether it will work well with laptops on Windows 10.

Openfire server settings are not changed. settings as in the screenshot (post №1):

05.04.2019 18:10:29 org.jivesoftware.spark.util.log.Log warning
WARNING: Exception in Login:
Server does not support compatible authentication mechanism.:
at org.jivesoftware.smack.NonSASLAuthentication.authenticate(NonSASLAuthentication.java:95)
at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:362)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:203)
at org.jivesoftware.LoginDialog$LoginPanel.login(LoginDialog.java:1014)
at org.jivesoftware.LoginDialog$LoginPanel.access$1200(LoginDialog.java:219)
at org.jivesoftware.LoginDialog$LoginPanel$4.construct(LoginDialog.java:730)
at org.jivesoftware.spark.util.SwingWorker$2.run(SwingWorker.java:141)
at java.lang.Thread.run(Unknown Source)

Yeah, when or even whether… I’m filing more and more issues every day, but there is no developer to fix them.

Found a solution to this problem.
It was necessary to perform steps 7-8 of this article.

But it’s not interesting that only SSO authorization works.
