S2s Dialback failing between Openfire and non-Openfire program

Hello,
I’m trying to emulate an s2s connection between Openfire 4.9.2 and a third-party program, a NiFi processor, by re-creating the dialback handshake. I’ve managed to get up to where the Authoritative server sends the ‘valid’ signal for the dialback key back to Openfire to finally authenticate the connection; however, right after Openfire logs that it received the ‘valid’ signal from the AS, it reports “Unable to verify key: An error occurred.”
Everything closes from there.
A shortened recap of what I saw in the Openfire logs follows:

  1. Openfire receives stream details from Originating Server:
2025.02.14 09:47:26.129 TRACE [socket_s2s-thread-2]: NettyConnectionHandler - Handler on /127.0.0.1:5273--/127.0.0.1:54906 received: <?xml version='1.0'?>
2025.02.14 09:47:26.129 TRACE [socket_s2s-thread-2]: NettyConnectionHandler - Handler on /127.0.0.1:5273--/127.0.0.1:54906 received: <stream:stream xmlns='jabber:server' from='nifidomain' to='emulatetest' version='1.0'>
2025.02.14 09:47:26.131 DEBUG [socket_s2s-thread-2]: LocalIncomingServerSession - Creating new session with stream ID '3mp7k58hsn' for 'emulatetest' to peer 'nifidomain'.
  2. Openfire offered TLS & SASL, but we picked dialback. Then, OS sends dialback key:
2025.02.14 09:47:26.217 TRACE [socket_s2s-thread-2]: NettyConnectionHandler - Received: <db:result from="nifidomain" to="emulatetest">81e10af618e90ed948bf7548dcce183f</db:result>
2025.02.14 09:47:26.227 DEBUG [socket_s2s-thread-2]: ServerDialback - Validating domain: emulatetest (id 3mp7k58hsn) for OS: nifidomain.
  3. Openfire does a DNS lookup to contact the AS. I only have /etc/hosts on my machine configured to route ‘nifidomain’ to localhost:5269 where my AS is listening. The lookup fails:
2025.02.14 09:47:26.229 TRACE [socket_s2s-thread-2]: DNSUtil - DNS SRV Lookup for '_xmpp-server._tcp.nifidomain'
2025.02.14 09:47:26.247 DEBUG [socket_s2s-thread-2]: DNSUtil - No SRV record found for '_xmpp-server._tcp.nifidomain.'
javax.naming.NameNotFoundException: DNS name not found [response code 3]
  4. But then it successfully contacts the AS locally:
2025.02.14 09:47:26.271 DEBUG [socket_s2s-thread-2]: SocketUtil - Successfully created socket connection to XMPP domain 'nifidomain'!
2025.02.14 09:47:26.271 DEBUG [socket_s2s-thread-2]: ServerDialback - Verifying dialback key...
2025.02.14 09:47:26.286 DEBUG [socket_s2s-thread-2]: ServerDialback - Send the Authoritative Server a stream header and wait for answer.
  5. AS sends the ‘valid’ signal for the dialback key, then Openfire reports an error:
2025.02.14 09:47:29.405 DEBUG [socket_s2s-thread-2]: ServerDialback - db:verify answer was: <verify from="nifidomain" to="emulatetest" type="valid">81e10af618e90ed948bf7548dcce183f</verify>
2025.02.14 09:47:29.405 DEBUG [socket_s2s-thread-2]: ServerDialback - Unable to verify key: An error occurred.
2025.02.14 09:47:29.406 DEBUG [socket_s2s-thread-2]: LocalIncomingServerSession - Unable to validate domain 'nifidomain': Key verification did not complete (timeout or error).

I’m not sure if the failing DNS check, even though the handshake goes through to the very end, can cause issues, but I assumed it was fine up until now because my AS and Openfire were talking. Online, I’ve also seen that Openfire is strict with how the keys and domains within the XML stream are formatted, but beyond double-checking that the ‘from’ and ‘to’ fields were correct, I had no other debugging ideas. Maybe there is something I am misunderstanding with the dialback key.

Alternatively, is there a way to enable a more detailed error message other than just “Unable to verify key: an error occurred”?

If anyone has tried connecting to Openfire using an s2s connection from a non-Openfire program, any help would be appreciated.
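
An added example, not part of the original post and not Openfire's code: a check of a db:verify response against what XEP-0220 requires of it (an element qualified by the `jabber:server:dialback` namespace, with `from`, `to`, `id` and `type`), run over the answer logged in step 5. The function name, the wrapper stream header and the second stanza are constructed for illustration.

```python
import xml.etree.ElementTree as ET

DIALBACK_NS = "jabber:server:dialback"

# Constructed stream header so a single stanza can be parsed on its own; a real
# stream declares these namespaces once, in its opening <stream:stream> tag.
WRAPPER = (
    "<stream:stream xmlns='jabber:server' "
    "xmlns:stream='http://etherx.jabber.org/streams' "
    "xmlns:db='jabber:server:dialback'>{}</stream:stream>"
)

# The answer exactly as it appears in the Openfire log above.
LOGGED_ANSWER = ('<verify from="nifidomain" to="emulatetest" type="valid">'
                 '81e10af618e90ed948bf7548dcce183f</verify>')
# Constructed: same answer, namespace-qualified and carrying the stream ID.
QUALIFIED_ANSWER = ('<db:verify from="nifidomain" to="emulatetest" '
                    'id="3mp7k58hsn" type="valid">'
                    '81e10af618e90ed948bf7548dcce183f</db:verify>')


def check_verify_response(stanza, receiving, originating, stream_id):
    """Return the XEP-0220 problems found in one db:verify response."""
    try:
        root = ET.fromstring(WRAPPER.format(stanza))
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if len(root) != 1:
        return ["expected exactly one element"]
    el, problems = root[0], []
    if el.tag != f"{{{DIALBACK_NS}}}verify":
        problems.append(f"element is {el.tag}, not verify in {DIALBACK_NS}")
    # The response travels AS -> receiving server and echoes the ID of the
    # stream on which the receiving server was given the key.
    expected = {"from": originating, "to": receiving, "id": stream_id}
    for attr, want in expected.items():
        got = el.get(attr)
        if got != want:
            problems.append(f"attribute {attr} is {got!r}, expected {want!r}")
    if el.get("type") not in ("valid", "invalid", "error"):
        problems.append(f"attribute type is {el.get('type')!r}")
    return problems


if __name__ == "__main__":
    for name, stanza in (("logged", LOGGED_ANSWER), ("qualified", QUALIFIED_ANSWER)):
        issues = check_verify_response(stanza, "emulatetest", "nifidomain", "3mp7k58hsn")
        print(name, issues or "ok")
```

As logged, the answer carries no `id` attribute and is printed without the `db` prefix, so the check reports both; the constructed stanza passes.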