Problems getting secure S2S working - help please?

I’m having trouble getting Openfire S2S working. Some connections (unsecured) work, others don’t (which I assume require TLS).

Hopefully someone can help me with this - I’ve searched already but did not find anything usable.

My setup:

Openfire 3.8.2 on CentOS

CA-signed RSA certificate (StartSSL)

C2S encryption required, no problems there

HTTPS server admin console connection, also no problem. Certificate properly verifies as CA signed.

Unencrypted S2S works as well, ports are available and usable (jabber.at works, jabber.org does not. gmail.com works as well for connectivity with GTalk)

On the S2S screen, none of the connections have a padlock.

Server security is set to optional. I tried compression on and off; it made no difference.

I guess I must be doing something wrong, but I don’t know what.

Any help appreciated.

EDIT:

Strangely enough, after creating an alternate account on another public Openfire XMPP server (StartSSL/Openfire), secure connections work straight away with that remote server when exchanging data between the JIDs… Connections are established in both directions, the lock is there, and there are no errors or warnings in the logs.

I thought it wouldn’t matter what server software people are using - TLS is TLS, after all?

I hope there’s a simple solution to all this. Dealing with certificates is complex enough as it is already without having to deal with interop problems between different server distros :confused:

In the logs:

The info log shows unexpected responses:

2013.08.22 11:59:16 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.at id: 2581877302 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"></stream:features>
2013.08.22 12:01:28 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.org id: 63f00d19fc5ea871 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"></stream:features>
2013.08.22 12:06:32 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.org id: 7d4a66855853c119 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"></stream:features>
2013.08.22 12:09:54 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.at id: 3104799049 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"></stream:features>
2013.08.22 12:11:43 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.org id: 0fcb91a4d07c6d38 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"></stream:features>
2013.08.22 12:18:56 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.at id: 656012131 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"></stream:features>
2013.08.22 12:19:37 org.jivesoftware.util.log.util.CommonsLogFactory - Going to buffer response body of large or unknown size. Using getResponseBodyAsStream instead is recommended.
2013.08.22 12:20:57 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.org id: 085b058d88ecc8d4 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"></stream:features>
2013.08.22 12:21:27 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: proxy.eu.jabber.org id: 32b62e714ed4fd69 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"></stream:features>
2013.08.22 12:23:28 org.jivesoftware.openfire.session.LocalOutgoingServerSession - Error trying to connect to remote server: eu.jabber.org(DNS lookup: eu.jabber.org:5269)
java.net.UnknownHostException: eu.jabber.org
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.SocksSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:280)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:208)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:261)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:238)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
2013.08.22 12:25:29 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.org id: 39d7f1d4e3bbd04f for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"></stream:features>
2013.08.22 12:33:56 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.at id: 556503886 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"></stream:features>
2013.08.22 12:36:31 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.org id: 64096572f030001f for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"></stream:features>

Debug log for jabber.at (says certificate is not trusted?):

2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Trying to connect to jabber.at:5269(DNS lookup: jabber.at:5269)
2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Plain connection to jabber.at:5269 successful
2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.at'] - Indicating we want TLS to jabber.at
2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.at'] - Negotiating TLS...
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Certificate chain:
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 1: [
[ Cert details snipped ]
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 2: [
[ Cert details snipped ]
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain…
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 2 issuer: 'CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL' subject: 'CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL'
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 1 issuer: 'CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL' subject: 'EMAILADDRESS=postmaster@jabber.at, CN=.jabber.at, O=Mathias Ertl, L=Vienna, ST=Wien, C=AT, OID.2.5.4.13=5Lt859mGphmFxcuW'
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain root certificate…
2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: Handshake error while creating secured outgoing session to remote server: jabber.at(DNS lookup: jabber.at:5269)
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source)
at javax.net.ssl.SSLEngine.wrap(Unknown Source)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:274)
at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:168)
at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:182)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.secureAndAuthenticate(LocalOutgoingServerSession.java:433)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:346)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:167)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:261)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:238)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)
at org.jivesoftware.openfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:325)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:235)
... 10 more
Caused by: java.security.cert.CertificateException: Root certificate (subject: CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL) of [
.jabber.at] not trusted.
at org.jivesoftware.openfire.net.ServerTrustManager.checkServerTrusted(ServerTrustManager.java:171)
... 18 more
2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Going to try connecting using server dialback with: jabber.at

Server dialback works, and an unencrypted connection is established.

For jabber.org (which fails completely), it seems to want to use dialback over TLS, which fails:

2013.08.22 12:09:41 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Trying to connect to jabber.org:5269(DNS lookup: hermes2.jabber.org:5269)
2013.08.22 12:09:41 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Plain connection to jabber.org:5269 successful
2013.08.22 12:09:41 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Indicating we want TLS to jabber.org
2013.08.22 12:09:41 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Negotiating TLS...
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate chain:
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 1: [
[ snipped ]
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 2: [
[ snipped ]
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 3: [
[ snipped ]
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - Parsing otherName for subject alternative names: 1.3.6.1.5.5.7.8.5
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - … processing DERTaggedObject: [0][0]conference.jabber.org
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - Parsing otherName for subject alternative names: 1.3.6.1.5.5.7.8.7
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - Ignoring non-XMPP otherName, 1.3.6.1.5.5.7.8.7
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - Parsing otherName for subject alternative names: 1.3.6.1.5.5.7.8.5
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - … processing DERTaggedObject: [0][0]jabber.org
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - Parsing otherName for subject alternative names: 1.3.6.1.5.5.7.8.7
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - Ignoring non-XMPP otherName, 1.3.6.1.5.5.7.8.7
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain…
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 3 issuer: 'CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL' subject: 'CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL'
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 2 issuer: 'CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL' subject: 'CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL'
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 1 issuer: 'CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL' subject: 'EMAILADDRESS=stpeter@jabber.org, CN=conference.jabber.org, O=J Peter Saint-Andre, L=Parker, ST=Colorado, C=US, OID.2.5.4.13=u4bUqMecBipRWEZy'
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain root certificate…
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain validity (by date)…
2013.08.22 12:09:42 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - TLS negotiation was successful.
2013.08.22 12:09:42 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Stream compression not supported by jabber.org
2013.08.22 12:09:42 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Offering dialback functionality: true
2013.08.22 12:09:42 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Offering EXTERNAL SASL: false
2013.08.22 12:09:42 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Is using a self-signed certificate: false
2013.08.22 12:09:42 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Trying to connecting using dialback over TLS.
2013.08.22 12:09:42 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Sent dialback key to host: jabber.org id: 699b2e71d72af342 from domain: palemoon.net
2013.08.22 12:09:54 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.227.4.163:8243] Closed: org.apache.mina.filter.support.SSLHandler@1f98d01
2013.08.22 12:09:54 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.227.4.163:8243] Unexpected exception from SSLEngine.closeInbound().
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?

Message was edited by: Moonchild

Openfire <-> Openfire seems to work…?

It seems the jabber.org issues are caused by jabber.org’s servers at the moment, so the total failure there can be discarded (I briefly had a connection working this morning).

The problem that’s left is actually using secure connections, which either fall back to unencrypted or are only one-way… Any ideas?
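An added example for this thread, not Openfire code and not part of the original post. The two debug-log excerpts differ in one visible detail: jabber.at presented two certificates (its own and the StartCom Class 2 intermediate) and Openfire rejected the chain with "Root certificate (subject: CN=StartCom Class 2 Primary Intermediate Server CA ...) not trusted", while jabber.org presented three, the third being the self-signed StartCom root, and "TLS negotiation was successful". That pattern is consistent with Openfire 3.8's ServerTrustManager looking up the last certificate of the chain the remote sent in its own truststore, rather than building a path from the leaf to any trust anchor it holds. The script below turns that reading into a check: it parses lines of the form quoted above and reports, per remote domain, what chain was sent, whether it ends at a self-signed root, which certificate the truststore is missing when the handshake fails, and whether the session fell back to plain dialback. The regular expressions and the embedded SAMPLE_LOG are assumptions about the log format taken from the quoted lines (DNs shortened, certificate dumps dropped), not an Openfire API.

```python
"""Triage Openfire 3.x outgoing S2S TLS attempts from debug-log lines.

Added example for this forum thread, not Openfire code. The log format
matched here is inferred from the lines quoted in the post.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: condensed from the two debug-log excerpts in the post
# (certificate dumps dropped, DNs shortened to what the parser needs).
SAMPLE_LOG = """\
2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Trying to connect to jabber.at:5269(DNS lookup: jabber.at:5269)
2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.at'] - Negotiating TLS...
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 2 issuer: 'CN=StartCom Certification Authority, O=StartCom Ltd., C=IL' subject: 'CN=StartCom Class 2 Primary Intermediate Server CA, O=StartCom Ltd., C=IL'
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 1 issuer: 'CN=StartCom Class 2 Primary Intermediate Server CA, O=StartCom Ltd., C=IL' subject: 'CN=jabber.at, C=AT'
2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: Handshake error while creating secured outgoing session to remote server: jabber.at(DNS lookup: jabber.at:5269)
Caused by: java.security.cert.CertificateException: Root certificate (subject: CN=StartCom Class 2 Primary Intermediate Server CA, O=StartCom Ltd., C=IL) of [jabber.at] not trusted.
2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Going to try connecting using server dialback with: jabber.at
2013.08.22 12:09:41 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Trying to connect to jabber.org:5269(DNS lookup: hermes2.jabber.org:5269)
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 3 issuer: 'CN=StartCom Certification Authority, O=StartCom Ltd., C=IL' subject: 'CN=StartCom Certification Authority, O=StartCom Ltd., C=IL'
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 2 issuer: 'CN=StartCom Certification Authority, O=StartCom Ltd., C=IL' subject: 'CN=StartCom Class 2 Primary Intermediate Server CA, O=StartCom Ltd., C=IL'
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 1 issuer: 'CN=StartCom Class 2 Primary Intermediate Server CA, O=StartCom Ltd., C=IL' subject: 'CN=conference.jabber.org, C=US'
2013.08.22 12:09:42 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - TLS negotiation was successful.
2013.08.22 12:09:42 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Trying to connecting using dialback over TLS.
2013.08.22 12:09:54 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.at id: 3104799049 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"></stream:features>
2013.08.22 12:11:43 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.org id: 0fcb91a4d07c6d38 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"></stream:features>
"""

CONNECT_RE = re.compile(r"OS - Trying to connect to ([A-Za-z0-9.-]+):\d+")
# Openfire numbers the presented chain leaf-first: Certificate 1 is the end-entity cert.
CERT_RE = re.compile(r"Certificate (\d+) issuer: '([^']*)' subject: '([^']*)'")
UNTRUSTED_RE = re.compile(r"Root certificate \(subject: ([^)]*)\) of \[")
FALLBACK_RE = re.compile(r"Going to try connecting using server dialback with: ([A-Za-z0-9.-]+)")
DIALBACK_ANSWER_RE = re.compile(r"Ignoring unexpected answer in validation from: ([A-Za-z0-9.-]+) id: (\w+)")
TLS_OK_MARKER = "TLS negotiation was successful."


@dataclass
class Attempt:
    """One outgoing S2S connection attempt, reconstructed from consecutive log lines."""
    domain: str
    chain: Dict[int, Tuple[str, str]] = field(default_factory=dict)  # index -> (issuer, subject)
    tls_ok: bool = False
    untrusted_subject: Optional[str] = None
    fell_back_to_dialback: bool = False

    def ordered_chain(self) -> List[Tuple[str, str]]:
        return [self.chain[i] for i in sorted(self.chain)]

    def chain_end_is_self_signed(self) -> bool:
        chain = self.ordered_chain()
        return bool(chain) and chain[-1][0] == chain[-1][1]


def parse_attempts(log_text: str) -> List[Attempt]:
    """Group lines into attempts; each 'OS - Trying to connect to' line starts a new one."""
    attempts: List[Attempt] = []
    current: Optional[Attempt] = None
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            current = Attempt(domain=m.group(1))
            attempts.append(current)
            continue
        if current is None:
            continue  # lines before the first connect attempt are not tracked
        m = CERT_RE.search(line)
        if m:
            current.chain[int(m.group(1))] = (m.group(2), m.group(3))
        elif TLS_OK_MARKER in line:
            current.tls_ok = True
        elif UNTRUSTED_RE.search(line):
            current.untrusted_subject = UNTRUSTED_RE.search(line).group(1)
        elif FALLBACK_RE.search(line):
            current.fell_back_to_dialback = True
    return attempts


def diagnose(a: Attempt) -> str:
    """One-line verdict per attempt, naming the truststore action when TLS failed."""
    chain = a.ordered_chain()
    n = len(chain)
    if a.tls_ok:
        if not chain:
            return f"{a.domain}: TLS OK; no certificate chain logged"
        anchor = "a self-signed root" if a.chain_end_is_self_signed() else "a non-self-signed cert"
        return f"{a.domain}: TLS OK; remote sent {n} certs, chain ends at {anchor} '{chain[-1][1]}'"
    if a.untrusted_subject:
        if a.chain_end_is_self_signed():
            cause = "the remote's root CA is not in the truststore"
        else:
            cause = "the remote omitted its root, so the chain ends at an intermediate"
        verdict = (f"{a.domain}: TLS FAILED; remote sent {n} certs and {cause}; "
                   f"the truststore Openfire uses for S2S needs '{a.untrusted_subject}'")
        if a.fell_back_to_dialback:
            verdict += "; connection fell back to unencrypted dialback"
        return verdict
    return f"{a.domain}: no TLS outcome recorded ({n} certs seen)"


def dialback_answers(log_text: str) -> Dict[str, List[str]]:
    """Hosts that answered a dialback validation with something Openfire discarded, with the ids logged."""
    answers: Dict[str, List[str]] = {}
    for m in DIALBACK_ANSWER_RE.finditer(log_text):
        answers.setdefault(m.group(1), []).append(m.group(2))
    return answers


if __name__ == "__main__":
    for attempt in parse_attempts(SAMPLE_LOG):
        print(diagnose(attempt))
    for host, ids in dialback_answers(SAMPLE_LOG).items():
        print(f"{host}: {len(ids)} unexpected dialback validation answer(s), ids {ids}")
```

Point it at the real debug.log instead of SAMPLE_LOG to triage every remote at once. When a verdict names an intermediate as the missing certificate, the remedy on the Openfire side is to import that certificate into the truststore it uses for server-to-server connections (for example with keytool -importcert against that keystore file); the jabber.org excerpt shows the other way the handshake passes, namely the remote sending its complete chain including the root. The dialback tally covers the second symptom in the info log: the remote answered the dialback key validation with a bare <stream:features/> rather than the result Openfire was waiting for, so Openfire logs it and discards it.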