
Problem Creating secure S2S connection to ejabberd server

I am unable to create a secured connection with a remote ejabberd server. The remote server is able to establish a secured connection with my Openfire 3.6.4 server. With security settings set to required, I am unable to establish a connection back to it. With security set to optional, I am able to create a connection, but it is plaintext. I have tried this using both self-signed and trusted certificates, both of which fail with the following in the debug log:

2010.05.21 09:03:49 LocalOutgoingServerSession: OS - Trying to connect to remotedomain.com:5269(DNS lookup: jabber.remotedomain.biz:5269)
2010.05.21 09:03:50 LocalOutgoingServerSession: OS - Plain connection to remotedomain.com:5269 successful
2010.05.21 09:03:50 LocalOutgoingServerSession: OS - Indicating we want TLS to remotedomain.com
2010.05.21 09:03:50 LocalOutgoingServerSession: OS - Negotiating TLS with remotedomain.com
2010.05.21 09:03:50 LocalOutgoingServerSession: OS - TLS negotiation with remotedomain.com was successful
2010.05.21 09:03:50 LocalOutgoingServerSession: OS - Error, no SASL mechanisms or SERVER DIALBACK were offered by remotedomain.com
2010.05.21 09:03:50 OutgoingSessionPromise: Error sending packet to remote server:

Available
1

java.lang.Exception: Failed to create connection to remote server
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:252)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:216)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)

And the following in the Warn Log:

2010.05.21 08:14:39 Accepting self-signed certificate of remote server: [Remote Domain]

Has anyone tried to connect to an ejabberd server over a secure connection? Any ideas?

I have the same problem connecting to an ejabberd server I operate. S2S seems to work from openfire servers where security is set to optional, and not when security is set to required.

If anyone running an openfire server requiring s2s security would like to try to connect to my ejabberd the jid is mwbourgeois@mwbourgeois.com

Here’s the status for us:

Server1 = openfire 3.6.4, self signed cert, security is optional and accept self-signed certificates is checked

Server2 = ejabberd 2.1.4, cert signed with cacert.org (but no one really recognizes that CA)

From openfire, the incoming connection is secure but the outgoing connection is not. Ejabberd’s debug log doesn’t seem to show anything wrong from what I can tell. I’m still thinking it’s something on ejabberd’s side based on the following log entry: “Error, no SASL mechanisms or SERVER DIALBACK were offered by [Server2]”. That leads me to believe that openfire is trying to initiate a secure connection and ejabberd doesn’t respond properly. On the other hand ejabberd may be responding properly but openfire doesn’t understand it.

The only server that’s fully encrypted is a partner’s server which is running Openfire, and even then it only worked when they changed their security to optional. The only other networks I’ve tested are my own server (server2 above) and gmail. I would think gchat would be encrypted but that’s not showing as being encrypted at all. It may genuinely not offer encryption since gchat’s servers are probably busy.

For reference here’s my debug log (hid our corporate server’s address though). You’ll first see openfire trying to connect to my server with no SSL, then my server connects to openfire and it’s successfully encrypted:

2010.07.23 14:37:08 LocalOutgoingServerSession: OS - Trying to connect to vrillusions.com:5269(DNS lookup: rikku.vrillusions.com:5269)
2010.07.23 14:37:08 LocalOutgoingServerSession: OS - Plain connection to vrillusions.com:5269 successful
2010.07.23 14:37:08 LocalOutgoingServerSession: OS - Indicating we want TLS to vrillusions.com
2010.07.23 14:37:08 LocalOutgoingServerSession: OS - Negotiating TLS with vrillusions.com
2010.07.23 14:37:08 LocalOutgoingServerSession: OS - TLS negotiation with vrillusions.com was successful
2010.07.23 14:37:08 LocalOutgoingServerSession: OS - Error, no SASL mechanisms or SERVER DIALBACK were offered by vrillusions.com
2010.07.23 14:37:08 LocalOutgoingServerSession: OS - Going to try connecting using server dialback with: vrillusions.com
2010.07.23 14:37:08 ServerDialback: OS - Trying to connect to vrillusions.com:5269(DNS lookup: rikku.vrillusions.com:5269)
2010.07.23 14:37:08 ServerDialback: OS - Connection to vrillusions.com:5269 successful
2010.07.23 14:37:08 ServerDialback: OS - Sent dialback key to host: vrillusions.com id: 3490001773 from domain: SERVER1
2010.07.23 14:37:08 Connect Socket[addr=/74.207.219.240,port=47852,localport=5269]
2010.07.23 14:37:08 ServerDialback: RS - Received dialback key from host: vrillusions.com to: SERVER1
2010.07.23 14:37:08 ServerDialback: RS - Trying to connect to Authoritative Server: vrillusions.com:5269(DNS lookup: rikku.vrillusions.com:5269)
2010.07.23 14:37:08 ServerDialback: RS - Connection to AS: vrillusions.com:5269 successful
2010.07.23 14:37:08 ServerDialback: RS - Asking AS to verify dialback key for id806c105d
2010.07.23 14:37:08 ServerDialback: RS - Key was VERIFIED by the Authoritative Server for: vrillusions.com
2010.07.23 14:37:08 ServerDialback: RS - Closing connection to Authoritative Server: vrillusions.com
2010.07.23 14:37:08 ServerDialback: RS - Sending key verification result to OS: vrillusions.com
2010.07.23 14:37:08 ServerDialback: AS - Verifying key for host: vrillusions.com id: 3490001773
2010.07.23 14:37:08 ServerDialback: AS - Key was: VALID for host: vrillusions.com id: 3490001773
2010.07.23 14:37:08 ServerDialback: OS - Validation GRANTED from: vrillusions.com id: 3490001773 for domain: SERVER1

If you want to test connecting to my server, I have a bot on there running 24/7 with jid marvin@vrillusions.com (can subscribe, send ‘help’ for list of commands it does)
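A small diagnostic that reads Openfire 3.6.4 S2S debug lines like the ones posted in this thread and reports, per remote domain, whether the outgoing session ended up encrypted, fell back to dialback over the plain retry socket, or failed after TLS with nothing offered. This is an added example, not Openfire's or ejabberd's own code; the sample log is constructed from the lines quoted above, and the message patterns are assumed from those lines only.

```python
import re
from typing import Dict, List

# Constructed sample: the outgoing-session (OS) lines quoted in this thread for the
# security=required attempt (remotedomain.com) and the security=optional one (vrillusions.com).
SAMPLE_LOG = """\
2010.05.21 09:03:50 LocalOutgoingServerSession: OS - TLS negotiation with remotedomain.com was successful
2010.05.21 09:03:50 LocalOutgoingServerSession: OS - Error, no SASL mechanisms or SERVER DIALBACK were offered by remotedomain.com
2010.07.23 14:37:08 LocalOutgoingServerSession: OS - TLS negotiation with vrillusions.com was successful
2010.07.23 14:37:08 LocalOutgoingServerSession: OS - Error, no SASL mechanisms or SERVER DIALBACK were offered by vrillusions.com
2010.07.23 14:37:08 LocalOutgoingServerSession: OS - Going to try connecting using server dialback with: vrillusions.com
2010.07.23 14:37:08 ServerDialback: OS - Connection to vrillusions.com:5269 successful
2010.07.23 14:37:08 ServerDialback: OS - Validation GRANTED from: vrillusions.com id: 3490001773 for domain: SERVER1
"""
LINE_RE = re.compile(r"^\S+ \S+ (LocalOutgoingServerSession|ServerDialback): OS - (.*)$")

# (event, component the line must come from or None, pattern); group 1 is the remote domain
EVENTS = [
    ("tls_ok", None, re.compile(r"TLS negotiation with (\S+) was successful")),
    ("no_auth", None, re.compile(r"no SASL mechanisms or SERVER DIALBACK were offered by (\S+)")),
    # The dialback retry opens a fresh socket; the quoted log shows no TLS line for it.
    ("dialback_plain", "ServerDialback", re.compile(r"^Connection to ([^:\s]+):\d+ successful")),
    ("dialback_granted", "ServerDialback", re.compile(r"Validation GRANTED from: (\S+) id:")),
]

def outcome(events: List[str]) -> str:
    """Reduce one remote domain's event list to how its outgoing session ended."""
    if "dialback_granted" in events and "dialback_plain" in events:
        return "dialback-plaintext"   # authenticated by dialback, but on the un-upgraded socket
    if "no_auth" in events:
        return "failed-after-tls"     # TLS came up, peer offered no SASL/dialback, no fallback
    if "tls_ok" in events:
        return "tls"                  # TLS came up and no failure line followed
    return "unknown"

def classify_s2s(log_text: str) -> Dict[str, str]:
    """Map each remote domain seen in OS lines to its final outcome."""
    remotes: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # RS/AS lines and raw socket lines describe inbound traffic
        component, msg = m.groups()
        for name, wanted, pat in EVENTS:
            hit = pat.search(msg) if wanted in (None, component) else None
            if hit:
                remotes.setdefault(hit.group(1), []).append(name)
                break
    return {domain: outcome(events) for domain, events in remotes.items()}
```

Run it over a full debug log and any domain reported as dialback-plaintext is one where the "connected but unencrypted" situation from this thread applies.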