S2S problem with Prosody

Attempting to send a ping from a Prosody server to an Openfire fails. Openfire closes the outgoing connection after it has been established, before it can be used to route stanzas. Debug log excerpt attached.
openfire.debug.zip (936 Bytes)

I assume you are using Openfire 3.9.2 and this worked previously?

Yes, this is with Openfire 3.9.2. Disclosure: I work on Prosody. I discovered this by having a Prosody server send a ping to igniterealtime.org, which never got back to me, so I tried to reproduce with a local Openfire server.

I have raised OF-787 on this, something is not right with s2s and the most recent release.

I should point out that I tested with both “real” certs and self-signed certs and there wasn’t much difference.

Hi Zash,

Could it be that your server hostname is not your Jabber domain? For example: myjid@example.org, but the Jabber server's domain is jabber.example.org.

If it is different and the hostname is picked by DNS record, I’ve an idea how this could happen.

Thanks,

Sven

BigD,

ignite’s Openfire is reproducing this issue and it's running 1.7.0-55 Oracle. I tried reverting OF-745, but that did not appear to make a change.

daryl

The most suspicious commit between 3.9.1 and 3.9.2 is this:

https://github.com/igniterealtime/Openfire/commit/996825d267a01e6ed9b7678fff23040d4e7caacb

Does anybody think this is related to the problem?

igniterealtime’s Openfire is currently running with that patch reverted, but it does not appear to help any.

Current screenshot from igniterealtime’s console, anything secure (TLS) is incoming only. This is with the OF-745 patch reverted.

ss.png

Maybe it is the bouncycastle upgrade?

https://github.com/igniterealtime/Openfire/commit/58c816b98daed7004c46e34166a78f39c8d27fbc

Yes, that was the fix: the remote server doesn’t offer any authentication mechanism, so OF used plain-text dialback. With the patch it tries SSL-Dialback. But if the remote server offers SASL, SASL is used both without and with the patch.

I am fairly confident the problem was introduced with OF-2, I reverted that patch and uploaded a custom build to igniterealtime. s2s looks reasonable now with many secured connections.