Openfire can't use port 7443 (after update 4.2.3 --> 4.3.2)

Hello All;
I updated Openfire 4.2.3 to version 4.3.2 and port 7443 stopped working.

On this port I had the inVerse plugin running, using the URL https://jabber.gtm.onat.gob.cu:7443/inverse/, and after the update I could not use this URL anymore; I had to change it to http://gtmmi.gtm.onat.gob.cu:7070/inverse/ because port 7443 was not accessible.

Yesterday I installed Openfire Meetings, which uses port 7443 too, and the URL https://jabber.gtm.onat.gob.cu:7443/ofmeet was not accessible.

When I try to access this address, Firefox says:

“”"Conexión segura fallida

Ha ocurrido un error al conectar con jabber.gtm.onat.gob.cu:7443. No se puede comunicar de forma segura con la otra parte: no hay algoritmos de cifrado comunes. Código de error: SSL_ERROR_NO_CYPHER_OVERLAP"""

I use the self-signed certificates created by Openfire.

In Openfire 4.2.3 (and previous versions) the Openfire self-signed certificates are created as both RSA and DSA; after the update to 4.3.2 the DSA certificates are not created. Is this the cause of the port 7443 access failure?

Any suggestions for a workaround? How can I fix this situation?

Thanks a lot for helping me.

Hello all;
I updated to Openfire 4.4.0 and the problem is still there. It is impossible to use any plugin that uses port 7443; for example, inVerse and Openfire Meetings.

When I was using Openfire version 4.2.3, I used the inVerse plugin with no problem on port 7443; after the update to version 4.3.2 this is impossible.

I use self-signed certificates created by Openfire. In the logs I cannot find anything usable or interesting.

Any suggestion or idea to fix this problem?

Thanks in advance.

inVerse works for me on 4.4.0 and port 7443. Also using self-signed certs.

Hello wroot; thanks for answering me;

Then, is it possible that my problem is because this Openfire installation came from version 4.0.1? I mean, this Openfire was first installed at that version (4.0.1), then 4.1.4, 4.1.6, 4.2.1, 4.2.3, 4.3.2 and now 4.4.0. Maybe some old configuration that is not used anymore?

The operating system is CentOS 7.6 and I always use the openfire-x.x.x.x86_64.rpm version, upgrading with the command "rpm --upgrade openfire-x.x.x.x86_64.rpm".

Can't say what is happening in your case. But I have been updating to every new version, even betas and alphas, for 10+ years and it works for me. So I just wanted to point out that this is not a universal problem and it is something specific to your case. Check if these ports are actually listening (with netstat -a or another command).

Hello wroot;
I used three commands to probe the ports: nmap, netcat and telnet

nmap:

[root@gtmmi ~]# nmap 127.0.0.1 -p 7443

Starting Nmap 6.40 ( http://nmap.org ) at 2019-07-18 14:51 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000040s latency).
PORT STATE SERVICE
7443/tcp open oracleas-https

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
[root@gtmmi ~]# nmap 127.0.0.1 -p 7070

Starting Nmap 6.40 ( http://nmap.org ) at 2019-07-18 14:51 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000033s latency).
PORT STATE SERVICE
7070/tcp open realserver

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

[root@gtmmi ~]# nmap 192.168.14.3 -p 7443

Starting Nmap 6.40 ( http://nmap.org ) at 2019-07-18 14:53 EDT
Nmap scan report for gtmmi.gtm.onat.gob.cu (192.168.14.3)
Host is up (0.000029s latency).
PORT STATE SERVICE
7443/tcp open oracleas-https

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

[root@gtmmi ~]# nmap 192.168.14.3 -p 7070

Starting Nmap 6.40 ( http://nmap.org ) at 2019-07-18 14:53 EDT
Nmap scan report for gtmmi.gtm.onat.gob.cu (192.168.14.3)
Host is up (0.000036s latency).
PORT STATE SERVICE
7070/tcp open realserver

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

netcat:

[root@gtmmi ~]# nc -zv 192.168.14.3 7443
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.14.3:7443.
Ncat: 0 bytes sent, 0 bytes received in 0.04 seconds.

[root@gtmmi ~]# nc -zv 192.168.14.3 7070
Ncat: Version 7.50 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.14.3:7070.
Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.

telnet:

[root@gtmmi ~]# telnet 192.168.14.3 7443
Trying 192.168.14.3...
Connected to 192.168.14.3.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
[root@gtmmi ~]# telnet 192.168.14.3 7070
Trying 192.168.14.3...
Connected to 192.168.14.3.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

In all probes the ports (both 7070 and 7443) are open. The tests were done from the Openfire PC and remotely, but I only show the Openfire PC results.

The problem is not whether the port is open or closed; the problem is about secure connections.

This is what Firefox says:

Secure Connection Failed

An error occurred during a connection to jabber.gtm.onat.gob.cu:7443. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP

This is what Chromium says:

This site can't provide a secure connection

jabber.gtm.onat.gob.cu uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Unsupported protocol

The client and server don't support a common SSL protocol version or cipher suite.

(sorry, both messages were in Spanish)

Thanks for your attention.

Hello all;
for testing I made 2 new certificates using these command lines:

keytool -genkeypair -keystore keystore -validity 1825 -alias gtmmi.gtm.onat.gob.cu_dsa -keyalg DSA

keytool -genkeypair -keystore keystore -validity 1825 -alias gtmmi.gtm.onat.gob.cu_rsa -keyalg RSA

But when I look in the administration web interface, these two certificates are marked with the status "Verification pending".

How can I set the status to Self-Signed, like the certificates that are made with the administration web interface?

I just want to verify that the impossibility of using port 7443 is because there are no DSA certificates.

Thanks for your attention,
Rommel
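The nmap, nc and telnet checks above only prove that something accepts TCP on 7443; the browser errors (SSL_ERROR_NO_CYPHER_OVERLAP, ERR_SSL_VERSION_OR_CIPHER_MISMATCH) come from the TLS handshake that happens after that, which none of those tools perform. The script below is an added example, not code from the thread or from Openfire: it repeats the browser's handshake against a host and port, first per protocol version and then, for TLS 1.2 only, per certificate-authentication family (RSA, ECDSA, DSA), which answers the RSA-versus-DSA question from the keytool post directly. A server whose only certificate is DSA completes the handshake only under "aDSS", a family current browsers no longer offer. It uses only the Python standard library; the default host and port are the ones named in the thread, and the verdict strings are this example's own labels, not anything Openfire reports.

```python
"""TLS handshake probe: tell "TCP port open" apart from "a browser can negotiate TLS".

Added example (not Openfire's code and not from the forum thread). Assumes only the
Python standard library. Host and port default to the ones from the thread; the
verdict names below are this example's own convention.
"""
import socket
import ssl
import sys

# Version windows a current browser will try. Each is probed on its own so the
# report shows which versions the server actually completes.
VERSION_RANGES = {
    "TLSv1.3": (ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_3),
    "TLSv1.2": (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2),
}

# TLS 1.2 authentication families in OpenSSL cipher-string syntax. A server holding
# only a DSA certificate can complete a handshake only under "aDSS".
AUTH_FAMILIES = ("aRSA", "aECDSA", "aDSS")


def tcp_open(host, port, timeout=5.0):
    """The check nmap/nc/telnet perform: does anything accept the TCP connection?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe(host, port, min_version, max_version, ciphers=None, timeout=5.0):
    """One client handshake restricted to [min_version, max_version] and, optionally,
    to a cipher string. Returns {"ok": True, "protocol", "cipher"} on success or
    {"ok": False, "error"} with the TLS alert / socket error otherwise."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # self-signed is expected: we test negotiation, not trust
    try:
        ctx.minimum_version = min_version
        ctx.maximum_version = max_version
    except ValueError as e:  # this OpenSSL build lacks the requested version
        return {"ok": False, "error": "client: %s" % e}
    if ciphers:
        # SECLEVEL=0 lets the probe *offer* legacy suites, so the answer reflects what
        # the server supports rather than what this client's policy forbids. Builds
        # that do not understand SECLEVEL fall back to the bare cipher string.
        for spec in (ciphers + ":@SECLEVEL=0", ciphers):
            try:
                ctx.set_ciphers(spec)
                break
            except ssl.SSLError:
                continue
        else:
            return {"ok": False, "error": "client cannot offer %s" % ciphers}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "protocol": tls.version(), "cipher": tls.cipher()[0]}
    except ssl.SSLError as e:
        return {"ok": False, "error": e.reason or str(e)}
    except OSError as e:
        return {"ok": False, "error": "tcp: %s" % e}


def diagnose(host, port, version_ranges=VERSION_RANGES, timeout=5.0):
    """Reduce the probes to one verdict:
      'tcp-closed'      nothing accepts the connection
      'tls-ok'          at least one browser-grade handshake succeeds
      'tls-no-overlap'  TCP accepts but every handshake fails with a TLS error, the
                        situation behind SSL_ERROR_NO_CYPHER_OVERLAP /
                        ERR_SSL_VERSION_OR_CIPHER_MISMATCH
    'auth' maps each TLS 1.2 authentication family to whether the server accepted it."""
    if not tcp_open(host, port, timeout):
        return {"verdict": "tcp-closed", "versions": {}, "auth": {}}
    versions = {name: probe(host, port, lo, hi, timeout=timeout)
                for name, (lo, hi) in version_ranges.items()}
    auth = {fam: probe(host, port, ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2,
                       ciphers=fam, timeout=timeout)["ok"]
            for fam in AUTH_FAMILIES}
    verdict = "tls-ok" if any(r["ok"] for r in versions.values()) else "tls-no-overlap"
    return {"verdict": verdict, "versions": versions, "auth": auth}


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "jabber.gtm.onat.gob.cu"  # from the thread
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 7443
    report = diagnose(host, port)
    print("%s:%d -> %s" % (host, port, report["verdict"]))
    for name, r in report["versions"].items():
        detail = "%s %s" % (r["protocol"], r["cipher"]) if r["ok"] else "FAIL: " + r["error"]
        print("  %-8s %s" % (name, detail))
    for fam, ok in report["auth"].items():
        print("  TLS1.2 %-7s %s" % (fam, "accepted" if ok else "rejected"))
```

Run it as `python3 tls_probe.py jabber.gtm.onat.gob.cu 7443` from the same machines the nmap tests were run on. A result of "tls-no-overlap" with every version failing on a protocol-version or handshake-failure alert is the server-side counterpart of the two browser messages; an "auth" line showing aRSA rejected and only aDSS accepted would confirm the DSA-only hypothesis, while aRSA accepted rules it out. The SECLEVEL=0 setting is deliberately weaker than any browser's policy so the probe reports what the server can do, not what this client refuses.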

Hello Rommel,

did you fix the issue? I am having a similar (or the same) problem: HTTP file upload problem
And no, having a valid DSA certificate does not help.

Edit: fixed, see the link to my thread.

Hello JoHnY2;
sorry for the delay in answering.
I have deleted the self-signed certificates a few times and created them again using the graphical interface, and the problem still remains.
You tell me that you deleted it from the identity store and that solved your problem; but there I have just one self-signed certificate, the one that the Openfire server and users are using.

I still have the problem.

This is what I have in the identity store. The certificate is a Let's Encrypt certificate and it works fine.

I previously had a big problem when upgrading from a quite old version of Openfire (4.0.something, if I remember correctly): every time I tried to upgrade, Openfire just didn't listen on either the jabber ports or the admin interface. I had to go through the initial setup and set up the database connection again (I didn't have to completely remove the database though, so basically all settings and users and everything were the same as before). I think I would try that in your case, if nothing else helps.

Thanks for your answer;
this is a production server, so I must take a little care with it :slight_smile: but I think I will have to make a clean installation and then import the database... I don't know if this will work (and I really don't know how to do it).
I can't have any CA-signed certificate, so... I must stick with self-signed ones.

Rommel

It shouldn't have a problem with a self-signed certificate, so I guess you'll have to try the reinstallation. It's no big deal; it depends on whether you are using a MySQL database or the built-in one: when using the built-in one, you just copy the database; when using an SQL database, you just input the login credentials during setup and it will load all the settings from there.
Just one more note, as I was stuck for a while there: I am using a MySQL database and I wasn't able to get through the final step of the installation; it complained that it couldn't access the database, although the username, password and URL of the database were correct. I found that it was some Java timezone issue and I had to add serverTimezone=UTC after the server URL.
The complete setting in /etc/openfire/openfire.xml looks like this now:

jdbc:mysql://localhost:3306/jabber?useUnicode=true&characterEncoding=UTF-8&characterSetResults=UTF-8&serverTimezone=UTC

The encoding stuff I put there to fix another issue: whenever someone sent an offline message, special characters like "ščťž" etc. were replaced with question marks.

Thanks for the answer...
I have configured the Java timezone as you say.
My Openfire server is working fine; my only issue is that I can't use port 7443. Just this one problem, and it is a pity to reinstall it for just that.

Again, thanks for your answers.
Rommel

I have had the same problem for a long time; is there any solution for this, without having to reinstall Openfire???

No, no solution; what I had to do was install Openfire from scratch and, if I remember correctly, I used the Export and Import users option, and that way I got the users from the old installation into the new one.