SASL Authentication Problem S2S

Hi,

I am trying to set up Openfire on 2 distant servers in order to use an S2S connection.

I am using Openfire 4.6.7 with the embedded JRE.

Currently my DNS is good, well I think it is. I use only self-signed certificates and my firewall is open for port 5269.

I have 2 servers with only "Plain connection" activated on 5269.

I tried a lot of combinations between my 2 servers but none is actually working.

I also have an INMARSAT connection between my servers, I don't know if it's relevant.

Here are my logs:

> Sending server to server ping request to openfire.xxxxx.fr
> Start domain authentication ...
> Searching for pre-existing outgoing sessions to the remote domain (if one exists, it will be re-used) ...
> There are no pre-existing outgoing sessions to the remote domain itself. Searching for pre-existing outgoing sessions to super- or subdomains of the remote domain (if one exists, it might be re-usable) ...
> There are no pre-existing session to other domains hosted on the remote domain.
> Unable to re-use an existing session. Creating a new session ...
> Creating new session...
> Creating plain socket connection to a host that belongs to the remote XMPP domain.
> Creating a socket connection to XMPP domain 'openfire.xxxxx.fr' ...
> Use DNS to resolve remote hosts for the provided XMPP domain 'openfire.xxxxxx.fr' (default port: 5269) ...
> No SRV record found for '_xmpps-server._tcp.openfire.xxxxx.fr.'
> javax.naming.NameNotFoundException: DNS name not found [response code 3]
> at com.sun.jndi.dns.DnsClient.checkResponseCode(DnsClient.java:660) ~[?:1.8.0_271]
> at com.sun.jndi.dns.DnsClient.isMatchResponse(DnsClient.java:578) ~[?:1.8.0_271]
> at com.sun.jndi.dns.DnsClient.doUdpQuery(DnsClient.java:426) ~[?:1.8.0_271]
> at com.sun.jndi.dns.DnsClient.query(DnsClient.java:211) ~[?:1.8.0_271]
> at com.sun.jndi.dns.Resolver.query(Resolver.java:81) ~[?:1.8.0_271]
> at com.sun.jndi.dns.DnsContext.c_getAttributes(DnsContext.java:434) ~[?:1.8.0_271]
> at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_getAttributes(ComponentDirContext.java:235) ~[?:1.8.0_271]
> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:141) ~[?:1.8.0_271]
> at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.getAttributes(PartialCompositeDirContext.java:129) ~[?:1.8.0_271]
> at javax.naming.directory.InitialDirContext.getAttributes(InitialDirContext.java:142) ~[?:1.8.0_271]
> at org.jivesoftware.openfire.net.DNSUtil.srvLookup(DNSUtil.java:224) [xmppserver-4.6.7.jar:4.6.7]
> at org.jivesoftware.openfire.net.DNSUtil.resolveXMPPDomain(DNSUtil.java:121) [xmppserver-4.6.7.jar:4.6.7]
> at org.jivesoftware.openfire.net.SocketUtil.createSocketToXmppDomain(SocketUtil.java:45) [xmppserver-4.6.7.jar:4.6.7]
> at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:250) [xmppserver-4.6.7.jar:4.6.7]
> at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:209) [xmppserver-4.6.7.jar:4.6.7]
> at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:264) [xmppserver-4.6.7.jar:4.6.7]
> at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:242) [xmppserver-4.6.7.jar:4.6.7]
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_271]
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_271]
> at java.lang.Thread.run(Thread.java:748) [?:1.8.0_271]
> Found 1 host(s) for XMPP domain 'openfire.xxxxxx.fr'.
> - srvc2.xxxxxx.fr:5269 (no direct TLS)
> Trying to create socket connection to XMPP domain 'openfire.xxxxxxx.fr' using remote host: srvc2.xxxxxxxx.fr:5269 (blocks up to 120000 ms) ...
> Successfully created socket connection to XMPP domain 'openfire.xxxxxx.fr' using remote host: srvc2.xxxxxxx.fr:5269!
> Opening a new connection to srvc2.xxxxxxx.fr/xxxxxx:5269 that is initially not encrypted.
> Send the stream header and wait for response...
> Got a response (stream ID: xihi0qvll, version: 1.0). Check if the remote server is XMPP 1.0 compliant...
> The remote server is XMPP 1.0 compliant (or at least reports to be).
> Processing stream features of the remote domain...
> Check if both us as well as the remote server have enabled STARTTLS and/or dialback ...
> Both us and the remote server support the STARTTLS feature. Secure and authenticate the connection with TLS & SASL...
> Securing and authenticating connection ...
> Indicating we want TLS and wait for response.
> Received 'proceed' from remote server. Negotiating TLS...
> Configured TrustManager class: org.jivesoftware.openfire.keystore.OpenfireX509TrustManager
> Attempting to instantiate 'class org.jivesoftware.openfire.keystore.OpenfireX509TrustManager' using the three-argument constructor that is properietary to Openfire.
> Constructed trust manager. Number of trusted issuers: 148, accepts self-signed: true, checks validity: true
> Successfully instantiated 'class org.jivesoftware.openfire.keystore.OpenfireX509TrustManager'.
> Attempting to verify a chain of 1 certificates.
> Attempting to accept the self-signed certificate of this chain of length one, as instructed by configuration.
> Chain of one appears to be self-signed. Adding it to the set of trusted issuers.
> Validating chain with 1 certificates, using 131 trust anchors.
> TLS negotiation was successful. Connection secured. Proceeding with authentication...
> SASL authentication failed. Will continue with dialback.
> TLS negotiation was successful so initiate a new stream.
> An exception occurred while creating an encrypted session. Closing connection.
> java.io.EOFException: input contained no data
> at org.xmlpull.mxp1.MXParser.fillBuf(MXParser.java:3003) ~[xpp3-1.1.4c.jar:?]
> at org.xmlpull.mxp1.MXParser.more(MXParser.java:3046) ~[xpp3-1.1.4c.jar:?]
> at org.jivesoftware.openfire.net.MXParser.more(MXParser.java:372) ~[xmppserver-4.6.7.jar:4.6.7]
> at org.xmlpull.mxp1.MXParser.parseProlog(MXParser.java:1410) ~[xpp3-1.1.4c.jar:?]
> at org.jivesoftware.openfire.net.MXParser.nextImpl(MXParser.java:337) ~[xmppserver-4.6.7.jar:4.6.7]
> at org.xmlpull.mxp1.MXParser.next(MXParser.java:1093) ~[xpp3-1.1.4c.jar:?]
> at org.jivesoftware.openfire.session.LocalOutgoingServerSession.secureAndAuthenticate(LocalOutgoingServerSession.java:481) ~[xmppserver-4.6.7.jar:4.6.7]
> at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:348) [xmppserver-4.6.7.jar:4.6.7]
> at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:209) [xmppserver-4.6.7.jar:4.6.7]
> at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:264) [xmppserver-4.6.7.jar:4.6.7]
> at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:242) [xmppserver-4.6.7.jar:4.6.7]
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_271]
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_271]
> at java.lang.Thread.run(Thread.java:748) [?:1.8.0_271]
> Unable to create a new session. Going to try connecting using server dialback as a fallback.
> Creating new outgoing session...
> Creating a socket connection to XMPP domain 'openfire.xxxxxxx.fr' ...
> Use DNS to resolve remote hosts for the provided XMPP domain 'openfire.xxxxxxx.fr' (default port: 5269) ...
> No SRV record found for '_xmpps-server._tcp.xxxxxx.isr.fr.' (cached result)
> Found 1 host(s) for XMPP domain 'openfire.xxxxxxx.fr'.
> - srvc2.xxxxxxx.fr:5269 (no direct TLS)
> Trying to create socket connection to XMPP domain 'openfire.xxxxxxx.fr' using remote host: srvc2.xxxxxxxx.fr:5269 (blocks up to 120000 ms) ...
> Successfully created socket connection to XMPP domain 'openfire.xxxxxxx.fr' using remote host: srvc2.xxxxxxx.fr:5269!
> Send the stream header and wait for response...
> Got a response. Check if the remote server supports dialback...
> Dialback seems to be supported by the remote server.
> Authenticating domain ...
> Sending dialback key and wait for the validation response...
> Connect Socket[addr=/xxxxxxx,port=40532,localport=5269]
> Configured TrustManager class: org.jivesoftware.openfire.keystore.OpenfireX509TrustManager
> Attempting to instantiate 'class org.jivesoftware.openfire.keystore.OpenfireX509TrustManager' using the three-argument constructor that is properietary to Openfire.
> Constructed trust manager. Number of trusted issuers: 148, accepts self-signed: true, checks validity: true
> Successfully instantiated 'class org.jivesoftware.openfire.keystore.OpenfireX509TrustManager'.
> Attempting to verify a chain of 1 certificates.
> Attempting to accept the self-signed certificate of this chain of length one, as instructed by configuration.
> Chain of one appears to be self-signed. Adding it to the set of trusted issuers.
> Validating chain with 1 certificates, using 131 trust anchors.
> Logging off openfire.ccp2.isr.fr/2ujrlxe2s7 on org.jivesoftware.openfire.net.SocketConnection@12af010b socket: Socket[addr=/xxxxxxx,port=40532,localport=5269] session: LocalIncomingServerSession{address=openfire.xxxxxx.fr/2ujrlxe2s7, streamID=2ujrlxe2s7, status=1 (connected), isSecure=true, isDetached=false, isUsingServerDialback=true, localDomain=openfire.ccp2.isr.fr, defaultIdentity=openfire.avion1.isr.fr, validatedDomains={}}
> Closing session: LocalIncomingServerSession{address=openfire.xxxxxx.fr/2ujrlxe2s7, streamID=2ujrlxe2s7, status=1 (connected), isSecure=true, isDetached=false, isUsingServerDialback=true, localDomain=openfire.ccp2.isr.fr, defaultIdentity=openfire.xxxxxxx.fr, validatedDomains={}}
> Failed to deliver stream close tag: Socket closed
> Failed to authenticate domain: the validation response was received, but did not grant authentication.
> Failed to authenticate the connection with dialback.
> Unable to create a new outgoing session
> Unable to create a new session: Dialback (as a fallback) failed.
> Unable to authenticate: Fail to create new session.
> Successful server to server response received.
> Failed to establish server to server session.

If I read the logs correctly, I think my servers communicate perfectly, but when SASL authentication begins, for an unknown reason, the authentication fails and that closes my connection…

Thanks for the help

Matt

Hi Matt. I'm not exactly sure what's going on. It might be worth also looking at the logs of the server on the other end.

What we seem to be seeing in this log is that this server makes two attempts to authenticate an S2S connection to the remote server (which is not out of the ordinary), and both fail.

The second attempt (which is based on Dialback, an older technology used as a fallback), fails because the other server explicitly denied the attempt. In this log, we don’t see why, but maybe that’s shown in the logs of the other server.

One thing that might explain this is if you configured this server to allow self-signed certificates to be used during S2S, but forgot to apply the same configuration to the other server.

Hi Guus, thank you for your response.

I just gave you the logs of one server, but that's because the logs of the second server are basically the same.

I have the same configuration on both servers, so I really don't know why the connection fails to authenticate.

In order to try every possibility, I also tried with no TLS on port 5269 and again, it's a total failure…

I will retry with both servers on "allow self-signed certificates" and I'll see what happens.

If I modify a parameter in the administration console, do I need to manually restart the Openfire service on my Debian?

Again, thanks for your help

Hi,

I found that I have a big loss on my INMARSAT connection. Could it be a problem for initiating the SASL authentication?

I have at least 1 to 5 packets lost on my S2S ping…

It could be a problem with INMARSAT latency (which is 700-1100 ms) and the 12 round trips, which is what a cold XMPP S2S setup normally takes. You may want to read Slow Data. This article makes recommendations on how to reduce the number of round trips:

  • DNS caching and TLS session resumption would reduce the number from 12 RTTs to 9
  • Going to TLS directly (see XEP-0368) gains another 2 RTTs - so we’d be now down to 7. – For DirectTLS you may want to enable ‘old SSL’ and set the _xmpps-server SRV DNS record (which is shown as an error in your logs).

Have you already tried to increase the Openfire S2S timeout settings?

  • xmpp.server.outgoing.threads-timeout is set to 1 minute. Not sure how long a cold S2S setup takes over INMARSAT.

Hi grutto

Thanks for the tips, but although I read your articles, I still don't understand how to implement DNS caching and TLS session resumption… The article explains the principle of reducing latency but doesn't explain how to do that on my Openfire. I mean, what are the options I need to modify in my administration console?

I modified my Openfire and deactivated STARTTLS and just left "old SSL" activated, and I also added your xmpp property, so I hope that will be enough.

DNS caching and TLS session resumption should already be activated in your Openfire.
You can view the DNS cache: Server Manager => Cache Summary => DNS Records.
TLS stream resumption is described in XEP-0198 . You can view the Openfire settings for XEP-0198 in System Properties:

The DirectTLS-based server-to-server port is 5270 (see OF-2369 improvement in version 4.7.0).

DNS settings are crucial to get S2S federation to work. Most people forget to add the SRV records for the Openfire sub-domains, e.g.

But since you use Openfire over INMARSAT, you may also try to use the ‘dnsutil.dnsOverride’ property of Openfire (see github). This article explains how to use it.
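As an added illustration of the DNS side of this thread (it is not code from Openfire or from anyone in the discussion), the script below models what the log above shows the server doing when it resolves a remote XMPP domain: query the `_xmpps-server._tcp` SRV name (Direct TLS, XEP-0368), query the `_xmpp-server._tcp` SRV name (STARTTLS on 5269), rank the answers by priority and weight, and fall back to the bare domain on port 5269 when there is no SRV record at all. It also implements the check the last reply hints at: listing the domains (typically sub-domains such as `conference.<domain>`) that have no SRV record and will therefore silently fall back to a host name that usually does not resolve. The zone data, domain names and the deterministic weight ordering are assumptions for the example; nothing here performs a real DNS query.

```python
"""Added example (not Openfire's own code): how an XMPP server picks the
hosts for an outgoing server-to-server (S2S) connection from DNS, and a
check for the SRV records that are often forgotten for sub-domains.
The zone below is constructed for the example; no real DNS queries run."""
from dataclasses import dataclass

XMPP_SRV = "_xmpp-server._tcp."    # STARTTLS service (RFC 6120), default port 5269
XMPPS_SRV = "_xmpps-server._tcp."  # Direct TLS service (XEP-0368); Openfire 4.7+ listens on 5270
DEFAULT_PORT = 5269


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # FQDN with trailing dot; a lone "." means "service not offered"


@dataclass(frozen=True)
class Candidate:
    host: str
    port: int
    direct_tls: bool


# Constructed zone data (assumed example names, not the poster's real domains).
ZONE = {
    "_xmpp-server._tcp.openfire.example.fr.": [
        SrvRecord(10, 60, 5269, "srvc2.example.fr."),
        SrvRecord(10, 40, 5269, "srvc1.example.fr."),
        SrvRecord(20, 0, 5269, "backup.example.fr."),
    ],
    # The record the log reports as missing; it enables the Direct TLS path.
    "_xmpps-server._tcp.openfire.example.fr.": [
        SrvRecord(5, 0, 5270, "srvc2.example.fr."),
    ],
    # RFC 2782: a single record with target "." says the service is decidedly absent.
    "_xmpp-server._tcp.noxmpp.example.fr.": [SrvRecord(0, 0, 0, ".")],
}


def lookup_srv(name, zone):
    """Return the SRV RRset for name, or None for NXDOMAIN
    (what the log shows as 'DNS name not found [response code 3]')."""
    return zone.get(name)


def resolve_xmpp_domain(domain, zone, default_port=DEFAULT_PORT):
    """Order the connection candidates for an XMPP domain.

    Both SRV services are consulted; records are ordered by priority, then by
    weight. RFC 2782 asks for a weighted random pick within one priority; a
    deterministic descending sort is used here so the result is testable.
    With no SRV records at all, the domain name itself on the default port is
    used, which is the A/AAAA fallback the log shows as 'default port: 5269'.
    """
    fqdn = domain.rstrip(".") + "."
    ranked = []
    service_refused = False
    for prefix, direct_tls in ((XMPPS_SRV, True), (XMPP_SRV, False)):
        rrset = lookup_srv(prefix + fqdn, zone)
        if rrset is None:
            continue  # NXDOMAIN for this service, try the other one
        if len(rrset) == 1 and rrset[0].target == ".":
            service_refused = True
            continue
        for rr in rrset:
            ranked.append((rr.priority, -rr.weight, not direct_tls,
                           Candidate(rr.target.rstrip("."), rr.port, direct_tls)))
    if ranked:
        return [c for _, _, _, c in sorted(ranked, key=lambda t: t[:3])]
    if service_refused:
        return []  # explicit "no XMPP here": do not fall back to A/AAAA
    return [Candidate(fqdn.rstrip("."), default_port, False)]


def domains_without_srv(domains, zone):
    """Domains that have neither SRV service. They silently fall back to an
    A/AAAA lookup of the bare name on 5269, which for sub-domains such as
    conference.<domain> usually resolves to nothing, so federation fails."""
    missing = []
    for domain in domains:
        fqdn = domain.rstrip(".") + "."
        if all(lookup_srv(p + fqdn, zone) is None for p in (XMPPS_SRV, XMPP_SRV)):
            missing.append(domain)
    return missing


if __name__ == "__main__":
    for c in resolve_xmpp_domain("openfire.example.fr", ZONE):
        print(f"{c.host}:{c.port} ({'direct TLS' if c.direct_tls else 'no direct TLS'})")
    print("missing SRV:", domains_without_srv(
        ["openfire.example.fr", "conference.openfire.example.fr"], ZONE))
```

To run the same checks against a real zone, replace `ZONE` with the answers from `dig SRV _xmpp-server._tcp.<domain>` and `dig SRV _xmpps-server._tcp.<domain>`, and include every sub-domain Openfire hosts (conference, pubsub, and so on) in the list passed to `domains_without_srv`.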