Problems with s2s TLS dialback and/or SSL

Hi there!

I’m having problems with my openfire server connecting to some ejabberd servers of my friends.

When I figured that out, we began to troubleshoot the situation and found some things that we were not able to understand.

First of all, I’m running 3.9.3 on a Ubuntu 14.04.1 LTS Server with openjdk 1.7.0_65.

My certs are from startssl and if I check my server with xmpp.net tests, it gets ranked A / A (client / server tests).

This makes me feel like “the things can’t be that bad”…

However, this is what I got in my logs when I try to connect to his machine.

I’d like to point out that he also uses startssl! (same issuer, trust shouldn’t be a problem, right?)

2015.01.15 23:14:30 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: DOMAIN_Destination id: 501370331 for domain: MYDOMAIN answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"></stream:features>
2015.01.15 23:14:30 org.jivesoftware.openfire.server.ServerDialback - Error verifying key of remote server: DOMAIN_Destination

After stumbling over these error messages we googled a bit and found this thread: (SORRY, IT'S IN GERMAN)

https://www.kernel-error.de/kernel-error-blog/305-jabber-404-remote-server-not-found-openfire

The author of the thread describes the same error messages as I have and pins it down to a missing intermediate cert.

However xmpp.net tells me my intermediate cert is there and proper. If I run the command the author pointed out:

openssl s_client -showcerts -connect MYDOMAIN:5222 -starttls xmpp

openssl gives me neither certs nor intermediate certs. (…but this seems to be a bug in openssl)

(can someone verify this with their own openfire server?)

Also, if I check the truststore manually it looks good:

keytool -list -keystore truststore | grep start

startcom.ca.sub.class1, 10.04.2011, trustedCertEntry,
startcom.ca, 10.04.2011, trustedCertEntry,
startcom.ca.sub2, 15.01.2015, trustedCertEntry,
startcom, 30.01.2007, trustedCertEntry,

Any ideas why I get those error messages?

Any Idea how to fix this behavior?

I’d like to get rid of the “Error verifying key of remote server” and the “ServerDialback: OS - Ignoring unexpected answer” messages.

Kind regards!
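The "missing intermediate cert" theory from the linked thread can be checked directly from the `openssl s_client -showcerts` output quoted above, because `-showcerts` prints, before each PEM block, an ` N s:` (subject) line and an `   i:` (issuer) line. A chain is complete when the issuer of each certificate equals the subject of the next one sent; if only the end-entity cert arrives and its issuer is an intermediate CA, the peer has to already hold that intermediate or validation fails. The following is an added example (not code from the original post or from Openfire) that reads s_client output on stdin and reports whether the chain links. The host name and the sample output in the usage comment are placeholders; note that the post's command targets the client port 5222, whereas the server-to-server dialback handshake runs on port 5269, and newer OpenSSL builds also accept `-starttls xmpp-server` for that port.

```shell
#!/bin/bash
# Added example, not from the original post: summarise the certificate chain
# an XMPP server presents during STARTTLS, as printed by
# `openssl s_client -showcerts`, and flag a missing intermediate.
#
# Live usage (HOST is a placeholder; 5269 is the s2s port, 5222 the c2s port):
#   openssl s_client -showcerts -connect HOST:5269 -starttls xmpp </dev/null 2>/dev/null | chain_summary
#
# chain_summary reads s_client output on stdin and prints one line pair per
# certificate plus a verdict. Exit status:
#   0  chain links cleanly (or a single self-signed cert was sent)
#   1  the chain does not link, or only a CA-issued leaf was sent
#   2  no certificate found in the input
chain_summary() {
    awk '
        # Subject lines look like " 0 s:/CN=host" (old OpenSSL) or
        # " 0 s:CN = host" (newer OpenSSL); the prefix is stripped either way.
        /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; next }
        END {
            if (n == 0) { print "no certificates found in input"; exit 2 }
            for (k = 1; k <= n; k++)
                printf "cert %d: subject=%s\n         issuer=%s\n", k - 1, subj[k], iss[k]
            # A well-formed chain has each cert issued by the next one sent.
            bad = 0
            for (k = 1; k < n; k++)
                if (iss[k] != subj[k + 1]) { bad = 1; printf "break after cert %d\n", k - 1 }
            if (n == 1 && subj[1] != iss[1]) {
                print "VERDICT: only the end-entity cert was sent; the intermediate that issued it is missing"
                exit 1
            }
            if (bad) { print "VERDICT: chain does not link"; exit 1 }
            print "VERDICT: " n " certificate(s), chain links cleanly"
            exit 0
        }'
}
```

The last certificate in a sent chain is usually an intermediate rather than the root, so a clean verdict here does not by itself prove the peer trusts the chain; it only rules out the "server forgot to ship its intermediate" failure mode, which is the one the linked thread blames for the dialback errors. Pairing this with the `keytool -list` check of the peer's truststore covers the other half.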