S2s with TLS and SANs (Subject Alternative Name)

Hello,

I am trying to federate our Openfire server (3.8.1 on Debian Squeeze, installed via tarball) with a client's MS Lync XMPP gateway. Originally I wasn't trusting their cert, but after installing their trust chain into my truststore this error went away:

2013.04.03 20:41:03 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: Handshake error while creating secured outgoing session to remote server: REMOTECOMPANY.com(DNS lookup: xmpp.REMOTECOMPANY.com:5269)

javax.net.ssl.SSLHandshakeException: General SSLEngine problem

Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem

Caused by: java.security.cert.CertificateException: Root certificate (subject: CN=The Remote Company Root CA, OU=TRC-PKI, DC=remotecompany, DC=com) of [XMPP01.CORP.REMOTECOMPANY.COM] not trusted.

Now that I trust the cert I get the following similar error:

Caused by: java.security.cert.CertificateException: target verification failed of [XMPP01.CORP.REMOTECOMPANY.COM]

Also in the debug log when it dumps their cert information it shows the CN in the cert is XMPP01.CORP.REMOTECOMPANY.COM and it has a SAN of XMPP.REMOTECOMPANY.COM. Is it possible Openfire is only looking at the CN and is getting a name mismatch because the valid hostname is a SAN? Their SRV record points to XMPP.REMOTECOMPANY.COM:5269.

I already federate with gmail/gapps, but this is the first TLS-required federation I am doing. Let me know what other info/debugging I can provide. Thanks!

Our setup requires TLS to be working. I had the same issue with older versions as well as version 3.8.1 of Openfire. After some troubleshooting, we found that the certificate (of the server that wants to connect to the Openfire 3.8.1 server) had to be issued to the XMPP domain. It cannot be in the Subject Alt Name field. We have a certificate issued in the following manner:

Cert Issued to: myjabberdomain.com

Subject Alt Names:

DNSname: search.myjabberdomain.com

DNSname: conference.myjabberdomain.com

We were then able to get TLS working both ways.

Let me know if that helps you out.
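As an added illustration of the name-matching problem discussed in both posts (this is example code, not Openfire's own verifier): in XMPP s2s the reference identity checked against the peer certificate is the XMPP domain from the stream header (remotecompany.com), not the host the SRV record resolved to, so a cert whose SAN only carries the SRV target still fails. The `cn_fallback` policy switch and the two certificate identities are constructed from the posts above.

```python
"""Reference-identity matching for XMPP s2s certificates (RFC 6125 style).
XMPP (RFC 6120, section 13.7.2) checks the peer certificate against the
XMPP domain in the stream header (remotecompany.com), not against the host
the SRV record pointed at. Identities below are constructed from the posts.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentity:
    subject_cn: str                                    # CN of the Subject DN
    san_dns: List[str] = field(default_factory=list)   # dNSName SAN entries


def dns_id_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID comparison allowing one leftmost '*' label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*."):
        return h.count(".") == p.count(".") and h.endswith(p[1:])
    return False


def verify_identity(cert: CertIdentity, xmpp_domain: str,
                    cn_fallback: str = "strict") -> Optional[str]:
    """Return the certificate identity that matched xmpp_domain, or None.
    strict: RFC 6125 rule, CN consulted only if the cert has no dNSName SAN.
    always: CN consulted in addition to the SANs (lenient verifiers)."""
    for name in cert.san_dns:
        if dns_id_match(name, xmpp_domain):
            return f"SAN:{name}"
    if (cn_fallback == "always" or not cert.san_dns) \
            and dns_id_match(cert.subject_cn, xmpp_domain):
        return f"CN:{cert.subject_cn}"
    return None


# First post: CN is the box name, the SAN is only the SRV target host.
REMOTE_CERT = CertIdentity("XMPP01.CORP.REMOTECOMPANY.COM", ["XMPP.REMOTECOMPANY.COM"])
# Reply: the XMPP domain itself is in the CN, service subdomains in the SAN.
REPLY_CERT = CertIdentity("myjabberdomain.com",
                          ["search.myjabberdomain.com", "conference.myjabberdomain.com"])

if __name__ == "__main__":
    for cert, dom, mode in [(REMOTE_CERT, "remotecompany.com", "strict"),
                            (REMOTE_CERT, "remotecompany.com", "always"),
                            (REPLY_CERT, "myjabberdomain.com", "strict"),
                            (REPLY_CERT, "myjabberdomain.com", "always")]:
        print(dom, mode, "->", verify_identity(cert, dom, mode))
```

Under either policy the first post's certificate never matches remotecompany.com, while the reply's certificate matches only when the verifier consults the CN, which is why putting the XMPP domain in the CN (or, for a strict verifier, as a dNSName SAN) makes the handshake succeed.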