S2S not working with policy "required" on Java11

Hi!

After updating the OS (Debian 10) and Openfire (4.4.4), S2S is broken. We ran some tests with different versions of the OS and Openfire:

  1. Debian 10 (Java11) + Openfire 4.4.4 - DOES NOT WORK (any STARTTLS policy option)
  2. Debian 10 (Java11) + Openfire 4.5.0Beta - DOES NOT WORK with STARTTLS policy REQUIRED, with the others - OK
  3. Debian 9 (Java8) + Openfire 4.4.4 - WORKS (any STARTTLS policy option)

Installations…

Debian:

  • Install OS
  • apt install default-jre
  • dpkg -i openfireXXX.deb

Openfire:

  • internal auth, internal database

I cannot immediately reproduce this on my environment (which is running 4.5.0 Alpha, using Java 8 on Amazon Linux 2). Can you please provide debug logging?

With Java8 everything is OK, as I wrote ))). The problem occurs only with Java11, which is the default environment in the LTS versions Debian 10/Ubuntu 18.04.

We set up a clean install on Debian10 with Java11:
Server #1:
Server1
Server #2:
Server2
Server to server settings:

Trying to test the server to server connection:

Sending server to server ping request to t2.gard.ru
Start domain authentication ...
Searching for pre-existing outgoing sessions to the remote domain (if one exists, it will be re-used) ...
There are no pre-existing outgoing sessions to the remote domain itself. Searching for pre-existing outgoing sessions to super- or subdomains of the remote domain (if one exists, it might be re-usable) ...
There are no pre-existing session to other domains hosted on the remote domain.
Unable to re-use an existing session. Creating a new session ...
Creating new session...
Creating plain socket connection to a host that belongs to the remote XMPP domain.
Creating a socket connection to XMPP domain 't2.gard.ru' ...
Use DNS to resolve remote hosts for the provided XMPP domain 't2.gard.ru' (default port: 5269) ...
No SRV record found for: _xmpps-server._tcp.t2.gard.ru.
javax.naming.NameNotFoundException: DNS name not found [response code 3]
                at com.sun.jndi.dns.DnsClient.checkResponseCode(DnsClient.java:661) ~[jdk.naming.dns:?]
                at com.sun.jndi.dns.DnsClient.isMatchResponse(DnsClient.java:579) ~[jdk.naming.dns:?]
                at com.sun.jndi.dns.DnsClient.doUdpQuery(DnsClient.java:427) ~[jdk.naming.dns:?]
                at com.sun.jndi.dns.DnsClient.query(DnsClient.java:212) ~[jdk.naming.dns:?]
                at com.sun.jndi.dns.Resolver.query(Resolver.java:81) ~[jdk.naming.dns:?]
                at com.sun.jndi.dns.DnsContext.c_getAttributes(DnsContext.java:434) ~[jdk.naming.dns:?]
                at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:235) ~[?:?]
                at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:141) ~[?:?]
                at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:129) ~[?:?]
                at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142) ~[?:?]
                at org.jivesoftware.openfire.net.DNSUtil.srvLookup(DNSUtil.java:222) [xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at org.jivesoftware.openfire.net.DNSUtil.resolveXMPPDomain(DNSUtil.java:111) [xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at org.jivesoftware.openfire.net.SocketUtil.createSocketToXmppDomain(SocketUtil.java:45) [xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:250) [xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:209) [xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:261) [xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:239) [xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
                at java.lang.Thread.run(Thread.java:834) [?:?]
Found 1 host(s) for XMPP domain 't2.gard.ru'.
- j2.t2.gard.ru:5269 (no direct TLS)
Trying to create socket connection to XMPP domain 't2.gard.ru' using remote host: j2.t2.gard.ru:5269 (blocks up to 120000 ms) ...
Successfully created socket connection to XMPP domain 't2.gard.ru' using remote host: j2.t2.gard.ru:5269!
Opening a new connection to j2.t2.gard.ru/10.0.4.101:5269 that is initially not encrypted.
Send the stream header and wait for response...
Got a response (stream ID: 3pbaav11x7, version: 1.0). Check if the remote server is XMPP 1.0 compliant...
The remote server is XMPP 1.0 compliant (or at least reports to be).
Processing stream features of the remote domain...
Check if both us as well as the remote server have enabled STARTTLS and/or dialback ...
Both us and the remote server support the STARTTLS feature. Secure and authenticate the connection with TLS & SASL...
Securing and authenticating connection ...
Indicating we want TLS and wait for response.
Received 'proceed' from remote server. Negotiating TLS...
Configured TrustManager class: org.jivesoftware.openfire.keystore.OpenfireX509TrustManager
Attempting to instantiate 'class org.jivesoftware.openfire.keystore.OpenfireX509TrustManager' using the three-argument constructor that is properietary to Openfire.
Constructed trust manager. Number of trusted issuers: 148, accepts self-signed: true, checks validity: true
Successfully instantiated 'class org.jivesoftware.openfire.keystore.OpenfireX509TrustManager'.
Attempting to verify a chain of 1 certificates.
Attempting to accept the self-signed certificate of this chain of length one, as instructed by configuration.
Chain of one appears to be self-signed. Adding it to the set of trusted issuers.
Validating chain with 1 certificates, using 142 trust anchors.
TLS negotiation was successful. Connection secured. Proceeding with authentication...
SASL authentication failed. Will continue with dialback.
TLS negotiation was successful so initiate a new stream.
An exception occurred while creating an encrypted session. Closing connection.
java.io.EOFException: input contained no data
                at org.xmlpull.mxp1.MXParser.fillBuf(MXParser.java:3003) ~[xpp3-1.1.4c.jar:?]
                at org.xmlpull.mxp1.MXParser.more(MXParser.java:3046) ~[xpp3-1.1.4c.jar:?]
                at org.jivesoftware.openfire.net.MXParser.more(MXParser.java:372) ~[xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at org.xmlpull.mxp1.MXParser.parseProlog(MXParser.java:1410) ~[xpp3-1.1.4c.jar:?]
                at org.jivesoftware.openfire.net.MXParser.nextImpl(MXParser.java:337) ~[xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at org.xmlpull.mxp1.MXParser.next(MXParser.java:1093) ~[xpp3-1.1.4c.jar:?]
                at org.jivesoftware.openfire.session.LocalOutgoingServerSession.secureAndAuthenticate(LocalOutgoingServerSession.java:481) ~[xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:348) [xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:209) [xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:261) [xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:239) [xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
                at java.lang.Thread.run(Thread.java:834) [?:?]
Unable to create a new session. Going to try connecting using server dialback as a fallback.
Creating new outgoing session...
Creating a socket connection to XMPP domain 't2.gard.ru' ...
Use DNS to resolve remote hosts for the provided XMPP domain 't2.gard.ru' (default port: 5269) ...
No SRV record found for: _xmpps-server._tcp.t2.gard.ru.
javax.naming.NameNotFoundException: DNS name not found [response code 3]
                at com.sun.jndi.dns.DnsClient.checkResponseCode(DnsClient.java:661) ~[jdk.naming.dns:?]
                at com.sun.jndi.dns.DnsClient.isMatchResponse(DnsClient.java:579) ~[jdk.naming.dns:?]
                at com.sun.jndi.dns.DnsClient.doUdpQuery(DnsClient.java:427) ~[jdk.naming.dns:?]
                at com.sun.jndi.dns.DnsClient.query(DnsClient.java:212) ~[jdk.naming.dns:?]
                at com.sun.jndi.dns.Resolver.query(Resolver.java:81) ~[jdk.naming.dns:?]
                at com.sun.jndi.dns.DnsContext.c_getAttributes(DnsContext.java:434) ~[jdk.naming.dns:?]
                at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:235) ~[?:?]
                at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:141) ~[?:?]
                at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:129) ~[?:?]
                at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142) ~[?:?]
                at org.jivesoftware.openfire.net.DNSUtil.srvLookup(DNSUtil.java:222) [xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at org.jivesoftware.openfire.net.DNSUtil.resolveXMPPDomain(DNSUtil.java:111) [xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at org.jivesoftware.openfire.net.SocketUtil.createSocketToXmppDomain(SocketUtil.java:45) [xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at org.jivesoftware.openfire.server.ServerDialback.createOutgoingSession(ServerDialback.java:209) [xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:425) [xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:209) [xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:261) [xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:239) [xmppserver-4.5.0-beta.jar:4.5.0-beta]
                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128) [?:?]
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628) [?:?]
                at java.lang.Thread.run(Thread.java:834) [?:?]
Found 1 host(s) for XMPP domain 't2.gard.ru'.
- j2.t2.gard.ru:5269 (no direct TLS)
Trying to create socket connection to XMPP domain 't2.gard.ru' using remote host: j2.t2.gard.ru:5269 (blocks up to 120000 ms) ...
Successfully created socket connection to XMPP domain 't2.gard.ru' using remote host: j2.t2.gard.ru:5269!
Send the stream header and wait for response...
Got a response. Check if the remote server supports dialback...
Dialback seems to be supported by the remote server.
Authenticating domain ...
Sending dialback key and wait for the validation response...
Ignoring unexpected answer while waiting for dialback validation: <stream:error xmlns:stream="http://etherx.jabber.org/streams"><policy-violation xmlns="urn:ietf:params:xml:ns:xmpp-streams"></policy-violation></stream:error>
Failed to establish server to server session.
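
A small triage helper for debug output like the log in the post above, added here as an example; it is not part of the thread or of Openfire. The marker strings are messages shown in that log, the sample is constructed from its key lines, and the function names are hypothetical.

```python
import re

# Constructed sample: key lines taken from the diagnostic output in the post,
# with stack traces and intermediate lines left out.
SAMPLE_LOG = """\
Creating a socket connection to XMPP domain 't2.gard.ru' ...
TLS negotiation was successful. Connection secured. Proceeding with authentication...
SASL authentication failed. Will continue with dialback.
java.io.EOFException: input contained no data
Creating a socket connection to XMPP domain 't2.gard.ru' ...
Sending dialback key and wait for the validation response...
Ignoring unexpected answer while waiting for dialback validation: <stream:error xmlns:stream="http://etherx.jabber.org/streams"><policy-violation xmlns="urn:ietf:params:xml:ns:xmpp-streams"></policy-violation></stream:error>
Failed to establish server to server session.
"""

NEW_ATTEMPT = "Creating a socket connection to XMPP domain"
MARKERS = {
    "tls_ok": "TLS negotiation was successful. Connection secured",
    "sasl_failed": "SASL authentication failed",
    "eof_after_tls": "EOFException: input contained no data",
    "dialback_sent": "Sending dialback key",
    "failed": "Failed to establish server to server session",
}
STREAM_ERROR = re.compile(r'<stream:error\b.*?<([\w-]+) xmlns="urn:ietf:params:xml:ns:xmpp-streams"')

def split_attempts(log_text):
    """Return one list of event names per outbound connection attempt."""
    attempts = []
    for line in log_text.splitlines():
        if NEW_ATTEMPT in line:
            attempts.append([])
        elif attempts:
            attempts[-1].extend(n for n, s in MARKERS.items() if s in line)
            match = STREAM_ERROR.search(line)
            if match:
                attempts[-1].append("stream_error:" + match.group(1))
    return attempts

def findings(attempts):
    """Flag an EOF after successful TLS, and dialback sent with no TLS logged."""
    notes = []
    for number, events in enumerate(attempts, start=1):
        if "tls_ok" in events and "eof_after_tls" in events:
            notes.append(f"attempt {number}: TLS succeeded, then the stream ended with EOF")
        if "dialback_sent" in events and "tls_ok" not in events:
            errors = ", ".join(e for e in events if e.startswith("stream_error:"))
            notes.append(f"attempt {number}: dialback without TLS logged; remote sent {errors or 'no stream error'}")
    return notes
```

Calling `findings(split_attempts(text))` on the full log gives one note per attempt, which makes it easy to compare runs under different STARTTLS policy settings.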