S2S connection problem

Hello community,

I’m trying to debug a server-to-server connection issue and need some advice on where to look next. I’m hosting Openfire 4.1.2 on jabber.fbn-dd.de. I’m using Pidgin as the client, and my final goal is to join an XMPP chat room hosted at chat.c3d2.de using Prosody.

My local server logs told me:

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Authenticate local domain: ‘jabber.fbn-dd.de’ to remote domain: ‘chat.c3d2.de’] - Start domain authentication …

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Authenticate local domain: ‘jabber.fbn-dd.de’ to remote domain: ‘chat.c3d2.de’] - Searching for pre-existing outgoing sessions to the remote domain (if oneexists, it will be re-used) …

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Authenticate local domain: ‘jabber.fbn-dd.de’ to remote domain: ‘chat.c3d2.de’] - There are no pre-existing outgoing sessions to the remote domain itself. Searching for pre-existing outgoing sessions to super- or subdomains of the remote domain (if one exists, it might be re-usable) …

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Authenticate local domain: ‘jabber.fbn-dd.de’ to remote domain: ‘chat.c3d2.de’] - There are no pre-existing session to other domains hosted on the remote domain.

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Authenticate local domain: ‘jabber.fbn-dd.de’ to remote domain: ‘chat.c3d2.de’] - Unable to re-use an existing session. Creating a new session …

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Create outgoing session for: jabber.fbn-dd.de to chat.c3d2.de] - Creating new session…

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Create outgoing session for: jabber.fbn-dd.de to chat.c3d2.de] - Creating plain socket connection to a host that belongs to the remote XMPP domain.

org.jivesoftware.openfire.net.SocketUtil - Creating a socket connection to XMPP domain ‘chat.c3d2.de’ …

org.jivesoftware.openfire.net.SocketUtil - Use DNS to resolve remote hosts for the provided XMPP domain ‘chat.c3d2.de’ (default port: 5269) …

org.jivesoftware.openfire.net.SocketUtil - Found 1 host(s) for XMPP domain ‘chat.c3d2.de’.

org.jivesoftware.openfire.net.SocketUtil - Trying to create socket connection to XMPP domain ‘chat.c3d2.de’ using remote host: jabber.c3d2.de:5269 (blocks up to 120000 ms) …

org.jivesoftware.openfire.net.SocketUtil - Successfully created socket connection to XMPP domain ‘chat.c3d2.de’ using remote host: jabber.c3d2.de:5269!

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Create outgoing session for: jabber.fbn-dd.de to chat.c3d2.de] - Send the stream header and wait for response…

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Create outgoing session for: jabber.fbn-dd.de to chat.c3d2.de] - Got a response (stream ID: fc4e0570-be77-4285-9f01-77b83d05f549, version: 1.0). Check if the remote server is XMPP 1.0 compliant…

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Create outgoing session for: jabber.fbn-dd.de to chat.c3d2.de] - The remote server is XMPP 1.0 compliant (or at least reports to be).

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Create outgoing session for: jabber.fbn-dd.de to chat.c3d2.de] - Processing stream features of the remote domain…

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Create outgoing session for: jabber.fbn-dd.de to chat.c3d2.de] - Check if both us as well as the remote server have enabled STARTTLS and/or dialback …

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Create outgoing session for: jabber.fbn-dd.de to chat.c3d2.de] - Both us and the remote server support the STARTTLS feature. Secure and authenticate the connection with TLS & SASL…

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Secure/Authenticate connection for: jabber.fbn-dd.de to: chat.c3d2.de] - Securing and authenticating connection …

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Secure/Authenticate connection for: jabber.fbn-dd.de to: chat.c3d2.de] - Indicating we want TLS and wait for response.

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Secure/Authenticate connection for: jabber.fbn-dd.de to: chat.c3d2.de] - Received ‘proceed’ from remote server. Negotiating TLS…

org.jivesoftware.openfire.keystore.OpenfireX509TrustManager - Constructed trust manager. Number of trusted issuers: 3, accepts self-signed: true, checks validity: true

org.jivesoftware.openfire.keystore.OpenfireX509TrustManager - Attempting to verify a chain of 2 certificates.

org.jivesoftware.openfire.keystore.OpenfireX509TrustManager - Validating chain with 2 certificates, using 3 trust anchors.

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Secure/Authenticate connection for: jabber.fbn-dd.de to: chat.c3d2.de] - TLS negotiation was successful. Connection secured. Proceeding with authentication…

org.jivesoftware.util.CertificateManager - CertificateManager: Subject Alternative Name Mapping returned [chat.c3d2.de, jabber.c3d2.de]

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Secure/Authenticate connection for: jabber.fbn-dd.de to: chat.c3d2.de] - TLS negotiation was successful so initiate a new stream.

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Secure/Authenticate connection for: jabber.fbn-dd.de to: chat.c3d2.de] - Remote server is offering dialback: true, EXTERNAL SASL:

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Secure/Authenticate connection for: jabber.fbn-dd.de to: chat.c3d2.de] - Trying to authenticate with EXTERNAL SASL.

org.jivesoftware.openfire.session.LocalOutgoingServerSession[EXTERNAL SASL for: jabber.fbn-dd.de to: chat.c3d2.de (Stream ID: fdf76b7a-9221-4ffd-9906-8220528a6a23)] - Starting EXTERNAL SASL.

org.jivesoftware.openfire.session.LocalOutgoingServerSession[EXTERNAL SASL for: jabber.fbn-dd.de to: chat.c3d2.de (Stream ID: fdf76b7a-9221-4ffd-9906-8220528a6a23)] - EXTERNAL SASL was successful.

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Secure/Authenticate connection for: jabber.fbn-dd.de to: chat.c3d2.de] - Successfully authenticated with EXTERNAL SASL.

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Secure/Authenticate connection for: jabber.fbn-dd.de to: chat.c3d2.de] - Successfully secured and authenticated connection!

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Create outgoing session for: jabber.fbn-dd.de to chat.c3d2.de] - Successfully secured/authenticated the connection with TLS/SASL)!

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Create outgoing session for: jabber.fbn-dd.de to chat.c3d2.de] - Successfully created new session!

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Authenticate local domain: ‘jabber.fbn-dd.de’ to remote domain: ‘chat.c3d2.de’] - Created a new session.

org.jivesoftware.openfire.session.LocalOutgoingServerSession[Authenticate local domain: ‘jabber.fbn-dd.de’ to remote domain: ‘chat.c3d2.de’] - Authentication successful.

org.jivesoftware.openfire.net.BlockingAcceptingMode - Connect Socket[addr=/89.238.79.220,port=35924,localport=5269]

org.jivesoftware.openfire.keystore.OpenfireX509TrustManager - Constructed trust manager. Number of trusted issuers: 3, accepts self-signed: true, checks validity: true

org.jivesoftware.openfire.plugin.gojara.database.DatabaseManager - Cleaned statistic database. Affected rows: 0

org.logicalcobwebs.proxool.openfire - 003431 (01/03/00) - #2 registered a statement as closed which wasn’t known to be open. This could happen if you close a statement twice.

org.jivesoftware.openfire.keystore.OpenfireX509TrustManager - Attempting to verify a chain of 2 certificates.

org.jivesoftware.openfire.keystore.OpenfireX509TrustManager - Validating chain with 2 certificates, using 3 trust anchors.

org.jivesoftware.openfire.net.BlockingReadingMode - Connection closed before session establishedSocket[addr=/89.238.79.220,port=35924,localport=5269]

org.jivesoftware.openfire.net.BlockingAcceptingMode - Connect Socket[addr=/89.238.79.220,port=35928,localport=5269]

org.jivesoftware.openfire.keystore.OpenfireX509TrustManager - Constructed trust manager. Number of trusted issuers: 3, accepts self-signed: true, checks validity: true

org.jivesoftware.openfire.keystore.OpenfireX509TrustManager - Attempting to verify a chain of 2 certificates.

org.jivesoftware.openfire.keystore.OpenfireX509TrustManager - Validating chain with 2 certificates, using 3 trust anchors.

org.jivesoftware.openfire.net.BlockingReadingMode - Connection closed before session establishedSocket[addr=/89.238.79.220,port=35928,localport=5269]

chat.c3d2.de and I are both using Let’s Encrypt as CA, so certificate validation is fine; even authentication seems to be okay. But what went wrong after that?

I’ve tested nightly build 2017-02-24 too, because I’ve read about changes in external SASL auth, and the issue still exists.

Where to look or what to try next?

Thanks in advance

Buster
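As an added example (not code from the post or from the Openfire project), here is a small Python parser for the Openfire log layout quoted above: it lists the outgoing S2S legs that reached "Authentication successful" and pairs inbound accepts on the S2S listener (localport 5269) with their "closed before session established" events, so the two directions of the federation can be compared at a glance. The sample lines are constructed from the post's log; the Openfire message texts they rely on are the ones visible in that log.

```python
import re
from collections import Counter

# Constructed sample in the Openfire 4.1.x layout quoted in the post:
# "<logger>[<context>] - <message>" with no timestamp column.
SAMPLE_LOG = """\
org.jivesoftware.openfire.session.LocalOutgoingServerSession[Authenticate local domain: ‘jabber.fbn-dd.de’ to remote domain: ‘chat.c3d2.de’] - Authentication successful.
org.jivesoftware.openfire.net.BlockingAcceptingMode - Connect Socket[addr=/89.238.79.220,port=35924,localport=5269]
org.jivesoftware.openfire.keystore.OpenfireX509TrustManager - Validating chain with 2 certificates, using 3 trust anchors.
org.jivesoftware.openfire.net.BlockingReadingMode - Connection closed before session establishedSocket[addr=/89.238.79.220,port=35924,localport=5269]
org.jivesoftware.openfire.net.BlockingAcceptingMode - Connect Socket[addr=/89.238.79.220,port=35928,localport=5269]
org.jivesoftware.openfire.net.BlockingReadingMode - Connection closed before session establishedSocket[addr=/89.238.79.220,port=35928,localport=5269]
"""

LINE_RE = re.compile(r"^(?P<logger>[\w.]+)(?:\[(?P<ctx>[^\]]*)\])? - (?P<msg>.*)$")
SOCK_RE = re.compile(r"Socket\[addr=/(?P<addr>[^,]+),port=(?P<port>\d+),localport=(?P<lport>\d+)\]")
AUTH_RE = re.compile(r"Authenticate local domain: [‘']([^’']+)[’'] to remote domain: [‘']([^’']+)[’']")

def summarize(log_text):
    """Count inbound S2S accepts and pre-session closes per peer address; list authenticated outgoing legs."""
    outgoing_ok = []                     # (local domain, remote domain) pairs that authenticated
    inbound_attempts = Counter()         # peer address -> accepted connections on port 5269
    closed_before_session = Counter()    # peer address -> connections closed before a session existed
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        logger, ctx, msg = m.group("logger"), m.group("ctx") or "", m.group("msg")
        if logger.endswith("LocalOutgoingServerSession") and msg.startswith("Authentication successful"):
            a = AUTH_RE.search(ctx)
            if a:
                outgoing_ok.append((a.group(1), a.group(2)))
        elif logger.endswith("BlockingAcceptingMode") and msg.startswith("Connect "):
            s = SOCK_RE.search(msg)
            if s and s.group("lport") == "5269":   # only the server-to-server listener
                inbound_attempts[s.group("addr")] += 1
        elif logger.endswith("BlockingReadingMode") and "closed before session established" in msg:
            s = SOCK_RE.search(msg)
            if s:
                closed_before_session[s.group("addr")] += 1
    # A peer whose every inbound attempt died pre-session points at the return leg, not the outgoing one.
    findings = [f"all {n} inbound S2S connections from {addr} closed before a session was established"
                for addr, n in inbound_attempts.items() if closed_before_session[addr] == n]
    return {"outgoing_authenticated": outgoing_ok, "inbound_attempts": dict(inbound_attempts),
            "closed_before_session": dict(closed_before_session), "findings": findings}
```

Run against the real log (not just the constructed sample) with `summarize(open("openfire.log").read())`; an outgoing leg listed as authenticated next to a finding for the remote server's address narrows the problem to the inbound direction.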