S2s 2.5.0 won't establish a connection - self-signed certificate problems?

We did an upgrade from the latest 2.4 to 2.5.0 via the linux rpm and s2s is no longer working. We are using the default certificates that come with the installation, but TLS is complaining that it can't verify their authenticity. The fall back to plain doesn't seem to work, with a report that the connection is closed before the session is established. Both ends are running 2.5.0.

Hey William,

Sorry to hear that you are having trouble after upgrading to 2.5.0. You can set any of the following system properties to control certificate validation. Possible values are true or false.

xmpp.server.certificate.verify --> When false, certificates are not validated and are assumed valid. Default value is true.

xmpp.server.certificate.verify.chain --> When false, the certificate chain is not validated. In other words, the entity that says that a certificate is valid is not validated. Default value is true.

xmpp.server.certificate.verify.root --> When false, the Certificate Authority that signed the root certificate is not validated. The CA that validates root certificates should be present in the truststore file. Default value is true.

xmpp.server.certificate.accept-selfsigned --> When true, self-signed certificates are considered valid. Default value is false.

xmpp.server.certificate.verify.validity --> When false, checking for expired certificates is not done. Default value is true.

Since you are using self-signed certificates I would recommend setting the system property xmpp.server.certificate.verify.root to false; the other option is to set xmpp.server.certificate.accept-selfsigned to true. Once you have set these values there is no need to restart the server and s2s should proceed fine.

Anyway, the fallback method, which is server dialback, should be working fine. You may want to enable the debug log and post the debug information as well as any warnings or errors that you might have in the logs (if you are still having problems).

Regards,

– Gato

Update. When we tried connecting this morning, messages were going through - no changes that I know of happened on either end (or in the middle for that matter). However, messages that were sent in the downtime were apparently lost. I'll try setting accept-selfsigned to true and see if that changes anything. Thanks.