I am trying to federate our Openfire server (3.8.1 on Debian Squeeze, installed via tarball) with a client’s MS Lync XMPP gateway. Originally I wasn’t trusting their cert, but after installing their trust chain into my truststore this error went away:
2013.04.03 20:41:03 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: Handshake error while creating secured outgoing session to remote server: REMOTECOMPANY.com(DNS lookup: xmpp.REMOTECOMPANY.com:5269)
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: java.security.cert.CertificateException: Root certificate (subject: CN=The Remote Company Root CA, OU=TRC-PKI, DC=remotecompany, DC=com) of [XMPP01.CORP.REMOTECOMPANY.COM] not trusted.
Now that I trust the cert I get the following similar error:
Caused by: java.security.cert.CertificateException: target verification failed of [XMPP01.CORP.REMOTECOMPANY.COM]
Also, in the debug log, when it dumps their cert information, it shows that the CN in the cert is XMPP01.CORP.REMOTECOMPANY.COM and that it has a SAN of XMPP.REMOTECOMPANY.COM. Is it possible Openfire is only looking at the CN and is getting a name mismatch because the valid hostname is a SAN? Their SRV record points to XMPP.REMOTECOMPANY.COM:5269.
I already federate with gmail/gapps, but this is the first TLS-required federation I am doing. Let me know what other info/debugging I can provide. Thanks!
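The CN-versus-SAN question in the post comes down to which identifiers a verifier consults and in what order. The following is an added example, not Openfire's code and not the poster's; it models the RFC 6125 matching rule (when a certificate carries any dNSName SAN the subject CN is ignored, and CN is only a fallback for certificates with no SAN) beside a legacy CN-only check, and runs both against a constructed dictionary holding the two identities quoted in the post. `REMOTE_CERT`, `SRV_TARGET` and `XMPP_DOMAIN` are assumptions built from the post's text, not data read from the real certificate.

```python
"""RFC 6125-style hostname matching for an XMPP s2s certificate.

Added example, not Openfire's code. Shows how a SAN-aware check and a
CN-only check disagree on the certificate described in the post.
"""

# Constructed from the identities quoted in the post; a real check would read
# these from the parsed X.509 certificate the peer presents.
REMOTE_CERT = {
    "subject_cn": "XMPP01.CORP.REMOTECOMPANY.COM",
    "san_dns": ["XMPP.REMOTECOMPANY.COM"],
}

SRV_TARGET = "xmpp.REMOTECOMPANY.com"   # assumed: what the SRV record points at
XMPP_DOMAIN = "REMOTECOMPANY.com"       # assumed: the federated domain itself


def _norm(name: str) -> str:
    """DNS names compare case-insensitively; strip a trailing root dot."""
    return name.strip().rstrip(".").lower()


def dns_name_matches(presented: str, reference: str) -> bool:
    """Match one presented dNSName/CN against a reference hostname.

    Exact match is case-insensitive.  A wildcard is honoured only as the
    whole left-most label ('*.example.com'), must cover exactly one label,
    and is rejected when fewer than two labels would remain to its right.
    """
    presented, reference = _norm(presented), _norm(reference)
    if not presented.startswith("*."):
        return presented == reference
    p_labels, r_labels = presented.split("."), reference.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(r_labels):
        return False
    return p_labels[1:] == r_labels[1:]


def match_hostname(cert: dict, reference: str) -> bool:
    """SAN-aware check (RFC 6125 section 6.4.4): when the certificate carries
    any dNSName SAN, the subject CN is ignored entirely; CN is consulted only
    as a fallback for certificates that have no SAN at all."""
    san = cert.get("san_dns") or []
    if san:
        return any(dns_name_matches(n, reference) for n in san)
    cn = cert.get("subject_cn")
    return bool(cn) and dns_name_matches(cn, reference)


def match_cn_only(cert: dict, reference: str) -> bool:
    """Legacy check that never looks at the SAN extension."""
    cn = cert.get("subject_cn")
    return bool(cn) and dns_name_matches(cn, reference)


def verification_report(cert: dict, references: list) -> dict:
    """Evaluate every candidate reference identifier under both rules."""
    return {
        ref: {"san_aware": match_hostname(cert, ref),
              "cn_only": match_cn_only(cert, ref)}
        for ref in references
    }


if __name__ == "__main__":
    report = verification_report(REMOTE_CERT, [SRV_TARGET, XMPP_DOMAIN])
    for ref, result in report.items():
        print(f"{ref:28} SAN-aware={result['san_aware']!s:5} "
              f"CN-only={result['cn_only']}")
```

Run as-is, the SRV target passes the SAN-aware check and fails the CN-only one, which is the mismatch the post suspects. The second row is the caveat worth keeping in mind: under RFC 6120 section 13.7.2 the reference identifier for server-to-server TLS is the XMPP domain (REMOTECOMPANY.com), not the hostname the SRV lookup resolved to, so a certificate whose only names are XMPP.REMOTECOMPANY.COM and XMPP01.CORP.REMOTECOMPANY.COM would fail a correct check even with full SAN support. To see exactly which names the remote presents, capture the certificate with `openssl s_client -connect xmpp.REMOTECOMPANY.com:5269 -starttls xmpp -showcerts` (newer OpenSSL builds also accept `-xmpphost REMOTECOMPANY.com` to set the stream's `to` address) and read the Subject Alternative Name block with `openssl x509 -noout -text`.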