S2S Issue

I am trying to get s2s working with another site within our organization (we don't allow any other s2s traffic) and it's not working. From an account on my server, when I attempt to send a message to an account on the other server, this error shows up in the error log:

2006.08.10 09:52:38 [org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:259)] Error trying to connect to remote server: example.com(DNS lookup: example.com:5269)
java.net.UnknownHostException: example.com
at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:177)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
at java.net.Socket.connect(Socket.java:516)
at org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:254)
at org.jivesoftware.wildfire.server.OutgoingServerSession.authenticateDomain(OutgoingServerSession.java:183)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise.createSessionAndSendPacket(OutgoingSessionPromise.java:130)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise.access$300(OutgoingSessionPromise.java:40)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise$1$1.run(OutgoingSessionPromise.java:95)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:679)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:704)
at java.lang.Thread.run(Thread.java:619)

(Note, I changed the real domain to example.com.) The funny thing is, the domain on the remote server is jabber.example.com, and I'm trying to send a message to user@jabber.example.com. I checked DNS, and jabber.example.com is a CNAME for server.example.com, which is an A record for the host. I was a bit confused by this. So I turned on debugging and got this in the debug log:

2006.08.10 09:59:05 OS - Trying to connect to jabber.example.com:5269(DNS lookup: jabber.example.com:5269)
2006.08.10 09:59:05 OS - Plain connection to jabber.example.com:5269 successful
2006.08.10 09:59:05 OS - Indicating we want TLS to jabber.example.com
2006.08.10 09:59:05 OS - Negotiating TLS with jabber.example.com
2006.08.10 09:59:05 Handshake error while creating secured outgoing session to remote server: jabber.example.com(DNS lookup: jabber.example.com:5269)
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:929)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:463)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1062)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1034)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:452)
at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:329)
at org.jivesoftware.wildfire.net.TLSStreamHandler.start(TLSStreamHandler.java:223)
at org.jivesoftware.wildfire.net.SocketConnection.startTLS(SocketConnection.java:173)
at org.jivesoftware.wildfire.server.OutgoingServerSession.secureAndAuthenticate(OutgoingServerSession.java:367)
at org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:303)
at org.jivesoftware.wildfire.server.OutgoingServerSession.authenticateDomain(OutgoingServerSession.java:140)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise.createSessionAndSendPacket(OutgoingSessionPromise.java:130)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise.access$300(OutgoingSessionPromise.java:40)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise$1$1.run(OutgoingSessionPromise.java:95)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:679)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:704)
at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1421)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:184)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:176)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:975)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:511)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:453)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:867)
at org.jivesoftware.wildfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:380)
at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:290)
... 11 more
Caused by: java.security.cert.CertificateException: target verification failed of [http://server.example.com, OU=OSD, OU=PKI, OU=REDACTED, O=REDACTED, C=US]
at org.jivesoftware.wildfire.net.ServerTrustManager.checkServerTrusted(ServerTrustManager.java:149)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:967)
... 18 more
2006.08.10 09:59:05 OS - Trying to connect to example.com:5269(DNS lookup: example.com:5269)
2006.08.10 09:59:05 Error sending packet to remote server:
<message type="chat" to="user@jabber.example.com" from="user@jabber.mydomain.com/Spark">
<x xmlns="jabber:x:event">
<composing/>
</x>
<body>test</body>
<html xmlns="http://jabber.org/protocol/xhtml-im">
<body xmlns="http://www.w3.org/1999/xhtml">test</body>
</html>
</message>
java.lang.Exception: Failed to create connection to remote server
at org.jivesoftware.wildfire.server.OutgoingSessionPromise.createSessionAndSendPacket(OutgoingSessionPromise.java:143)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise.access$300(OutgoingSessionPromise.java:40)
at org.jivesoftware.wildfire.server.OutgoingSessionPromise$1$1.run(OutgoingSessionPromise.java:95)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:679)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:704)
at java.lang.Thread.run(Thread.java:619)

So the first and most obvious thing here is that there is no error message, except with debugging, that the s2s failed, or even why. With debugging, I can see that it's some TLS error, but "General SSLEngine problem" isn't much help either. Both servers have certificates, and both are signed by an outside authority, but not any public CA that would have been distributed with Wildfire ahead of time.

So, what's going on here? How do I make this work without compromising on security?

Just an update on this thread that was discussed by IM.

  1. It was recommended to use the latest nightly build that includes a bug fix for JM-789.

  2. The certificate of the remote server needs to match the server name being used by Wildfire. So if the remote server name is example.com then the remote server's certificate needs to have example.com in the subjectAltName field and in the CN field.

– Gato
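The name check behind Gato's point 2, and the mismatch the debug log shows (dialling jabber.example.com, but the certificate only names server.example.com, the CNAME target), can be reproduced offline. The following is an added example written for this thread; it is not Wildfire's ServerTrustManager and not Gato's code. It implements the usual hostname rules (subjectAltName DNS entries take precedence over the CN, a wildcard covers exactly one leftmost label) over certificate dictionaries in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the certificates, the function name `check_s2s_cert` and the sample names are all constructed for illustration. It goes a little beyond the thread by also covering wildcard certificates.

```python
# Added example, not Wildfire code: does a peer certificate cover the XMPP
# domain we dialled for s2s? Certificate dicts are constructed below in the
# shape ssl.SSLSocket.getpeercert() returns, so this runs with no network.
from __future__ import annotations


def _dns_names(cert: dict) -> tuple[list[str], list[str]]:
    """Return (subjectAltName DNS entries, subject CN entries), lower-cased."""
    sans = [v.lower() for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v.lower() for rdn in cert.get("subject", ()) for (k, v) in rdn
           if k == "commonName"]
    return sans, cns


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: '*' may stand for the whole leftmost label only,
    never a partial label, never more than one label, never a bare '*.tld'."""
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern[2:].split(".")
    h_labels = hostname.split(".")
    return (len(p_labels) >= 2
            and len(h_labels) == len(p_labels) + 1
            and h_labels[1:] == p_labels)


def check_s2s_cert(cert: dict, xmpp_domain: str) -> tuple[bool, str]:
    """Decide whether `cert` is acceptable for the s2s domain we dialled.

    The reference name is the XMPP domain (the part after '@' in the JID),
    NOT the host that the CNAME/A record resolved to. That is exactly the
    failure in the thread: the domain is jabber.example.com, but the
    certificate only says server.example.com.
    """
    domain = xmpp_domain.lower().rstrip(".")
    sans, cns = _dns_names(cert)
    if sans:
        # With SAN DNS names present the CN is ignored (RFC 6125 section 6.4.4).
        if any(_label_matches(n, domain) for n in sans):
            return True, f"subjectAltName covers {domain}"
        return False, f"subjectAltName {sans} does not cover {domain}"
    if any(_label_matches(n, domain) for n in cns):
        return True, f"CN {cns} covers {domain} (no SAN present)"
    return False, f"CN {cns} does not cover {domain} and no SAN present"


# --- constructed sample certificates (not real) ---------------------------
# 1. The thread's situation: certificate issued to the A-record host name.
CERT_MISMATCH = {
    "subject": ((("commonName", "server.example.com"),),
                (("organizationName", "REDACTED"),)),
    "subjectAltName": (("DNS", "server.example.com"),),
}
# 2. The fix from point 2: the XMPP domain appears in SAN and in CN.
CERT_FIXED = {
    "subject": ((("commonName", "jabber.example.com"),),),
    "subjectAltName": (("DNS", "jabber.example.com"),
                       ("DNS", "server.example.com")),
}
# 3. A wildcard certificate covering one label under example.com.
CERT_WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
# 4. An older CN-only certificate with no subjectAltName at all.
CERT_CN_ONLY = {
    "subject": ((("commonName", "jabber.example.com"),),),
}

if __name__ == "__main__":
    samples = [("mismatch", CERT_MISMATCH), ("fixed", CERT_FIXED),
               ("wildcard", CERT_WILDCARD), ("cn-only", CERT_CN_ONLY)]
    for name, cert in samples:
        ok, why = check_s2s_cert(cert, "jabber.example.com")
        print(f"{name:9s} -> {'OK  ' if ok else 'FAIL'}: {why}")
```

Running the script shows the first certificate failing for jabber.example.com (it would pass only for server.example.com), which is the condition the trust manager reported as "target verification failed"; the second, third and fourth pass. Note that a wildcard certificate does not cover the parent domain or names two labels deep, so `*.example.com` is rejected for `example.com` and for `a.b.example.com`.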