Hi,
I have 2 Openfires (4.6.2) in LAN and I would like to disabble TLS between those two to see every packets during an S2S connection ? How can do it ?
Because if I go in Server Settings > Server to Server > Plain-Text > Advanced > StartTLS policy > Disabled on both the connection is refused.
Thank you for your anwers
I come back to you.
So I have 2 Openfires lets say A and B, if I go for TLS Policy > Optionnal, there is no problem but when I put disable on both they cannot connect together …
Here are the logs:
WARN [Server SR - 197043319]: org.jivesoftware.openfire.net.SocketReadingMode - TLS requested by initiator when TLS was never offered by server. Closing connection : org.jivesoftware.openfire.net.SocketConnection@4ebc23c4 socket: Socket[addr=/IP,port=51223,localport=5269] session: LocalIncomingServerSession{address=A.example.com/9ykoj86m39, streamID=9ykoj86m39, status=-1 (closed), isSecure=false, isDetached=false, isUsingServerDialback=true, localDomain=A.example.com, defaultIdentity=B.example.com, validatedDomains={}}
WARN [pool-19-thread-2]: org.jivesoftware.openfire.server.ServerDialback[Acting as Originating Server: Create Outgoing Session from: A.example.com to RS at: B.example.com (port: 5269)] - Unable to create a new outgoing session
WARN [pool-19-thread-2]: org.jivesoftware.openfire.session.LocalOutgoingServerSession[Create outgoing session for: A.example.com to B.example.com] - Unable to create a new session: Dialback (as a fallback) failed.
WARN [pool-19-thread-2]: org.jivesoftware.openfire.session.LocalOutgoingServerSession[Authenticate local domain: 'A.example.com' to remote domain: 'B.example.com'] - Unable to authenticate: Fail to create new session.
When i watch the code I see this rule in org.jivesoftware.openfire.net.SocketReadingMode:
protected boolean negotiateTLS() {
if (socketReader.connection.getTlsPolicy() == Connection.TLSPolicy.disabled) {
// Set the not_authorized error
StreamError error = new StreamError(StreamError.Condition.not_authorized);
// Deliver stanza
socketReader.connection.deliverRawText(error.toXML());
// Close the underlying connection
socketReader.connection.close();
// Log a warning so that admins can track this case from the server side
Log.warn("TLS requested by initiator when TLS was never offered by server. " +
"Closing connection : " + socketReader.connection);
return false;
}
this is Openfire 4.6.2 but on the last version it is pretty the same
protected boolean negotiateTLS() {
if (socketReader.connection.getTlsPolicy() == Connection.TLSPolicy.disabled) {
// Send a not_authorized error and close the underlying connection
socketReader.connection.close(new StreamError(StreamError.Condition.not_authorized, "A request to negotiate TLS is denied, as TLS has been disabled by configuration."));
// Log a warning so that admins can track this case from the server side
Log.warn("TLS requested by initiator when TLS was never offered by server. Closing connection: {}", socketReader.connection);
return false;
}
I imagine that every connection in Openfire with TLS disable are block so it is not possible to do it without TLS ?
Thank you
This might be a bug in Openfire. The TLS Policy that is evaluated in this code is used as a boolean, but it is not: it is an enum value. This bug has been reported as OF-2551. A fix for this issue was merged in the source code 5 days ago. Does the latest nightly build still have the same problem?
I cloned just today the repo on github, compiled it and it is working perfectly ! Thank you guus !