powered by Jive Software

S2S SSL Connection failed

Hello,

I have recently installed two Openfire Servers (3.6.4 Windows) on two differents Active Directory domains with each one their CA.I have entered the FQDN of the server for the name of openfire server in the console.
I have taken the defaults selfs signed certificates generated during the installation and sign it with the CA of the domain. After that i have imported
the signed certificates in the console and on the certificates in certificates tab i can see a green checkbox and also the “ca signed” message.
I have registered the Certificates of the Two CA in the trustore and the client.trustore.

The connection between the two openfire servers works only when i configure “Server connection security” parameter (in security settings) to “optionnal” value. As soon i configured to the “required” value the connection failed
and i have the next entries in the debug logs :

(For confidendiality reason i have remplaced the hosts values by openfire,openfire2 and the domains names by A.B.C.D and E.F.G.H)

2010.05.25 12:11:06 LdapManager: Starting LDAP search…
2010.05.25 12:11:06 LdapManager: … search finished
2010.05.25 12:11:06 LdapManager: Creating a DirContext in LdapManager.getContext()…
2010.05.25 12:11:06 LdapManager: Created hashtable with context values, attempting to create context…
2010.05.25 12:11:06 LdapManager: … context created successfully, returning.
2010.05.25 12:12:12 ConnectionHandler:
java.io.IOException: An existing connection was forcibly closed by the remote host
at sun.nio.ch.SocketDispatcher.read0(Native Method)
at sun.nio.ch.SocketDispatcher.read(Unknown Source)
at sun.nio.ch.IOUtil.readIntoNativeBuffer(Unknown Source)
at sun.nio.ch.IOUtil.read(Unknown Source)
at sun.nio.ch.SocketChannelImpl.read(Unknown Source)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.j ava:218)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcesso r.java:198)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$400(SocketIoProce ssor.java:45)
at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProce ssor.java:485)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
2010.05.25 12:12:12 LocalOutgoingServerSession: OS - Trying to connect to openfire2.E.F.G.H:5269(DNS lookup: openfire2.E.F.G.H:5269)
2010.05.25 12:12:12 LocalOutgoingServerSession: OS - Plain connection to openfire2.E.F.G.H:5269 successful
2010.05.25 12:12:12 LocalOutgoingServerSession: OS - Indicating we want TLS to openfire2.E.F.G.H
2010.05.25 12:12:12 LocalOutgoingServerSession: OS - Negotiating TLS with openfire2.E.F.G.H
2010.05.25 12:12:12 LocalOutgoingServerSession: OS - TLS negotiation with openfire2.E.F.G.H was successful
2010.05.25 12:12:12 LocalOutgoingServerSession: OS - Stream compression was successful with openfire2.E.F.G.H
2010.05.25 12:12:12 LocalOutgoingServerSession: OS - Error, EXTERNAL SASL and SERVER DIALBACK were not offered by openfire2.E.F.G.H
2010.05.25 12:12:12 LocalOutgoingServerSession: OS - Trying to connect to E.F.G.H:5269(DNS lookup: openfire2.E.F.G.H:5269)
2010.05.25 12:12:12 LocalOutgoingServerSession: OS - Plain connection to E.F.G.H:5269 successful
2010.05.25 12:12:18 NIOConnection: startTLS: using c2s
2010.05.25 12:12:20 LdapManager: Trying to find a user’s DN based on their username. sAMAccountName: administrator, Base DN: DC=“A”,DC=“B”,DC=“C”,DC=“D”…
2010.05.25 12:12:20 LdapManager: Creating a DirContext in LdapManager.getContext()…
2010.05.25 12:12:20 LdapManager: Created hashtable with context values, attempting to create context…
2010.05.25 12:12:20 LdapManager: … context created successfully, returning.
2010.05.25 12:12:20 LdapManager: Starting LDAP search…
2010.05.25 12:12:20 LdapManager: … search finished
2010.05.25 12:12:20 LdapManager: In LdapManager.checkAuthentication(userDN, password), userDN is: CN=“Administrator”,CN=“Users”…
2010.05.25 12:12:20 LdapManager: Created context values, attempting to create context…
2010.05.25 12:12:20 LdapManager: … context created successfully, returning.
2010.05.25 12:12:42 LocalOutgoingServerSession: OS - Trying to connect to E.F.G.H:5269(DNS lookup: E.F.G.H:5269)
2010.05.25 12:13:24 LocalOutgoingServerSession: OS - Trying to connect to G.H:5269(DNS lookup: G.H:5269)
2010.05.25 12:13:39 OutgoingSessionPromise: Error sending packet to remote server:

java.lang.Exception: Failed to create connection to remote server
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPa cket(OutgoingSessionPromise.java:252)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(Ou tgoingSessionPromise.java:216)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
2010.05.25 12:13:39 OutgoingSessionPromise: Error sending packet to remote server (fast discard):

Is there Someone can help me please ?

Thanks.

If that can help, Little precision :

The next entry is present in Warning logs :

closing session due to incorrect hostname in stream header Host : A.B.C.D connection: org.jivesoftware.socketconnection@18ec029Socket [addr= X.X.X.X port= X, localport = X} Session : null

Nobody have an idea ?

Zeff,

Looks like I am having the same problem as you. From reading all the documentation it looks like SASL External should be added as an authentication mechanism.

I am not sure where this needs to be added. and what other things are required.

Background on my problem:

I have 2 open fire servers (server 1 and Server 2) which have certificates from a trusted CA installed. (StartSSL.com) , the client to server connections are encrypted but even though I set the s2s properties as “REquired” , it is not ending up with a TLS connection.

So looks like we need to do some configuration but I am not sure what it is…yet…

Thanks

Nagesh

Hello Nagesh,

Concerning the SASL External i have tried to enable it by adding in the system properties (in the console) a line with sasl.mechs as name and EXTERNAL as attribute but that didn’t change anything to the problem.

Did you have news ?

Thanks.

Zeff

Zeff,

Look at that thread , it has more details and everything that I have tried.

Thanks

Nagesh