Setup: Openfire 3.7.0 Beta and Prosody (0.8 nightly from a couple weeks ago, but confirmed on 0.6.1 and 0.7)
s2s encryption: required
Openfire cert: self-signed (default)
Prosody cert: GoDaddy with bundled intermediates (4 certs in certfile)
s2s connection succeeds from Prosody to Openfire. However, it appears that when Openfire tries to establish a TLS connection to Prosody, it doesn’t know how to handle the chained certificates presented. If the certificate file contains only the first cert, the connection succeeds. However, this has the unfortunate side effect of producing validation warnings to clients (as the cert doesn’t chain properly).
I think there may be a bug in the way Openfire processes certificates from remote systems when there are intermediates involved.
Reproduced on two different systems.
Server options tried:
xmpp.server.certificate.accept-selfsigned = true
xmpp.server.certificate.verify = false
xmpp.server.certificate.verify.chain = false
xmpp.server.certificate.verify.root = false
xmpp.server.certificate.verify.validity = false
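One thing worth ruling out when a stricter peer rejects a chained certfile is that the bundle is out of order (leaf first, then each intermediate, root optional). The script below is an added example, not Openfire's or Prosody's code: it reads each certificate's issuer and subject Name straight from the DER and reports every position where certificate i was not issued by certificate i+1. The sample "certificates" at the end are constructed, unsigned skeletons used only to exercise the check offline.

```python
import base64
import re

def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(cert_der):
    """Return (issuer, subject) as raw DER Name encodings (RFC 5280, section 4.1)."""
    _, tbs, _ = _tlv(cert_der, 0)       # Certificate SEQUENCE
    _, pos, end = _tlv(cert_der, tbs)   # TBSCertificate SEQUENCE
    fields = []                         # serialNumber, signature, issuer, validity, subject
    while pos < end and len(fields) < 5:
        tag, _, ve = _tlv(cert_der, pos)
        if tag != 0xA0:                 # skip the optional [0] EXPLICIT version
            fields.append(cert_der[pos:ve])
        pos = ve
    return fields[2], fields[4]

def load_bundle(pem_text):
    """Split a PEM certfile into DER certificates, in file order."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def chain_problems(pem_text):
    """Indexes i where certificate i was not issued by certificate i+1 (leaf must come first)."""
    certs = load_bundle(pem_text)
    return [i for i in range(len(certs) - 1) if names(certs[i])[0] != names(certs[i + 1])[1]]

# Constructed sample: unsigned certificate skeletons with the real TBSCertificate
# field order, so the check can be exercised offline. Not real GoDaddy certificates.
def _der(tag, body):                   # DER TLV encoder; sample bodies stay below 256 bytes
    length = bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])
    return bytes([tag]) + length + body

def _name(cn):                         # Name ::= SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))

def fake_cert(subject, issuer):
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer) + _der(0x30, b"") + _name(subject) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

def pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

LEAF = pem(fake_cert("xmpp.example.org", "Example Intermediate CA"))
INTER = pem(fake_cert("Example Intermediate CA", "Example Root CA"))
ROOT = pem(fake_cert("Example Root CA", "Example Root CA"))
```

On a real certfile, `chain_problems(open(path).read())` returning an empty list means the bundle is at least ordered the way a TLS peer expects; a non-empty list points at the first certificate whose issuer does not match the one that follows it.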