S2S Plain-Text Connection

Hi,

I have 2 Openfires (4.6.2) on a LAN and I would like to disable TLS between those two to see every packet during an S2S connection. How can I do it?
Because if I go to Server Settings > Server to Server > Plain-Text > Advanced > StartTLS policy > Disabled on both, the connection is refused.

Thank you for your answers

I'm coming back to you.

So I have 2 Openfires, let's say A and B. If I go for TLS Policy > Optional, there is no problem, but when I set Disabled on both they cannot connect to each other …

Here are the logs:

WARN [Server SR - 197043319]: org.jivesoftware.openfire.net.SocketReadingMode - TLS requested by initiator when TLS was never offered by server. Closing connection : org.jivesoftware.openfire.net.SocketConnection@4ebc23c4 socket: Socket[addr=/IP,port=51223,localport=5269] session: LocalIncomingServerSession{address=A.example.com/9ykoj86m39, streamID=9ykoj86m39, status=-1 (closed), isSecure=false, isDetached=false, isUsingServerDialback=true, localDomain=A.example.com, defaultIdentity=B.example.com, validatedDomains={}}

WARN [pool-19-thread-2]: org.jivesoftware.openfire.server.ServerDialback[Acting as Originating Server: Create Outgoing Session from: A.example.com to RS at: B.example.com (port: 5269)] - Unable to create a new outgoing session

WARN [pool-19-thread-2]: org.jivesoftware.openfire.session.LocalOutgoingServerSession[Create outgoing session for: A.example.com to B.example.com] - Unable to create a new session: Dialback (as a fallback) failed.

WARN [pool-19-thread-2]: org.jivesoftware.openfire.session.LocalOutgoingServerSession[Authenticate local domain: 'A.example.com' to remote domain: 'B.example.com'] - Unable to authenticate: Fail to create new session.

When I look at the code I see this rule in org.jivesoftware.openfire.net.SocketReadingMode:

    protected boolean negotiateTLS() {
        if (socketReader.connection.getTlsPolicy() == Connection.TLSPolicy.disabled) {
            // Set the not_authorized error
            StreamError error = new StreamError(StreamError.Condition.not_authorized);
            // Deliver stanza
            socketReader.connection.deliverRawText(error.toXML());
            // Close the underlying connection
            socketReader.connection.close();
            // Log a warning so that admins can track this case from the server side
            Log.warn("TLS requested by initiator when TLS was never offered by server. " +
                "Closing connection : " + socketReader.connection);
            return false;
        }

This is Openfire 4.6.2, but on the latest version it is pretty much the same:

    protected boolean negotiateTLS() {
        if (socketReader.connection.getTlsPolicy() == Connection.TLSPolicy.disabled) {
            // Send a not_authorized error and close the underlying connection
            socketReader.connection.close(new StreamError(StreamError.Condition.not_authorized, "A request to negotiate TLS is denied, as TLS has been disabled by configuration."));
            // Log a warning so that admins can track this case from the server side
            Log.warn("TLS requested by initiator when TLS was never offered by server. Closing connection: {}", socketReader.connection);
            return false;
        }

I imagine that every connection in Openfire with TLS disabled is blocked, so it is not possible to do it without TLS?

Thank you

This might be a bug in Openfire. The TLS Policy that is evaluated in this code is used as a boolean, but it is not: it is an enum value. This bug has been reported as OF-2551. A fix for this issue was merged in the source code 5 days ago. Does the latest nightly build still have the same problem?
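The exchange the log above describes can be modelled end to end: the receiving server advertises <starttls/> in <stream:features> only when its policy allows it, the initiating server decides from its own policy and the offered features whether to send <starttls/>, and a receiver whose policy is disabled answers <starttls/> with the not-authorized stream error. The following is an added, constructed example for this thread, not Openfire source code: the function names, the `TLSPolicy` enum and the hypothetical `initiator_decision_truthy` (a defect of the shape the reply above describes, a policy value tested as if it were a boolean) are assumptions; the wire elements follow RFC 6120 section 5.

```python
"""Model of the XMPP S2S STARTTLS negotiation between two servers with a
configurable TLS policy (disabled / optional / required).

Added, constructed example for the thread above; it is NOT Openfire code.
Function names, the TLSPolicy enum and initiator_decision_truthy are assumptions.
"""
import xml.etree.ElementTree as ET
from enum import Enum

STARTTLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"
STREAMS_ERR_NS = "urn:ietf:params:xml:ns:xmpp-streams"


class TLSPolicy(Enum):
    disabled = "disabled"
    optional = "optional"
    required = "required"


def build_features(policy):
    """Receiving server: advertise <starttls/> only when TLS is allowed, and add
    <required/> when the policy demands it (RFC 6120, 5.4.1)."""
    if policy is TLSPolicy.disabled:
        tls = ""
    elif policy is TLSPolicy.required:
        tls = "<starttls xmlns='%s'><required/></starttls>" % STARTTLS_NS
    else:
        tls = "<starttls xmlns='%s'/>" % STARTTLS_NS
    return "<stream:features xmlns:stream='%s'>%s</stream:features>" % (STREAM_NS, tls)


def offered_starttls(features_xml):
    """Initiating server: parse <stream:features>; return (offered, required)."""
    root = ET.fromstring(features_xml)
    tls = root.find("{%s}starttls" % STARTTLS_NS)
    if tls is None:
        return False, False
    return True, tls.find("{%s}required" % STARTTLS_NS) is not None


def initiator_decision(local_policy, features_xml):
    """Correct decision for the initiator: 'starttls', 'plain' or 'abort'."""
    offered, required = offered_starttls(features_xml)
    if local_policy is TLSPolicy.disabled:
        # Never request TLS; give up only if the peer insists on it.
        return "abort" if required else "plain"
    if offered:
        return "starttls"
    return "abort" if local_policy is TLSPolicy.required else "plain"


def initiator_decision_truthy(local_policy, features_xml):
    """Hypothetical defect (assumption, not Openfire's code): the policy value is
    tested as if it were a boolean.  An enum member is always truthy, so the
    branch fires for 'disabled' too and TLS is requested whatever was offered."""
    if local_policy:  # meant to be: local_policy is not TLSPolicy.disabled
        return "starttls"
    return "plain"


def receiver_on_starttls(policy):
    """Receiving server's answer to <starttls/>: <proceed/>, or the
    not-authorized stream error seen in the thread's log when TLS is disabled."""
    if policy is TLSPolicy.disabled:
        return ("<stream:error xmlns:stream='%s'><not-authorized xmlns='%s'/>"
                "</stream:error>" % (STREAM_NS, STREAMS_ERR_NS))
    return "<proceed xmlns='%s'/>" % STARTTLS_NS


def negotiate(a_policy, b_policy, decide=initiator_decision):
    """Run A (initiator) against B (receiver); return 'tls', 'plain' or 'closed'."""
    features = build_features(b_policy)
    choice = decide(a_policy, features)
    if choice == "plain":
        return "plain"
    if choice == "abort":
        return "closed"
    answer = receiver_on_starttls(b_policy)
    return "tls" if answer.startswith("<proceed") else "closed"


if __name__ == "__main__":
    for a in TLSPolicy:
        for b in TLSPolicy:
            print("A=%-8s B=%-8s correct=%-6s truthy=%s" % (
                a.value, b.value, negotiate(a, b),
                negotiate(a, b, decide=initiator_decision_truthy)))
```

With both sides set to disabled, the correct initiator never sends <starttls/> and the session stays in plain text, which is what the original poster wanted for packet capture; the truthy variant requests TLS anyway and the receiver closes the stream with not-authorized, matching the "TLS requested by initiator when TLS was never offered by server" warning. Note that disabled/required and required/disabled can never connect under either implementation, so a capture setup needs disabled or optional on both ends.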

I cloned the repo from GitHub just today, compiled it and it is working perfectly! Thank you Guus!
