Secured S2S - but no Server is secured

Hi, I've got a problem:

I run Openfire 3.3.2 on a virtual machine behind a NAT firewall. The problem: NO incoming and only a few outgoing server-to-server connections are secured.

I forward these ports: 5222 5223 5269 9091 TCP and UDP to the VM, and all outgoing connections are relayed with NAT. It works fine - S2S and C2S are working fine (C2S also SSL and TLS secured).

My settings:

  • client and server security is optional

  • I got an RSA and a DSA certificate from CAcert.

  • manually added these settings:

xmpp.server.certificate.accept-selfsigned true

xmpp.server.certificate.verify false

Currently I am connected to 14 servers - only 2 outgoing and no incoming connections are secured. The swissjabber server supports S2S security (they posted a news item about S2S on their site) but there is no secured connection to them.

Can someone help me?

Thx.

Hmm, I went to SSL settings and switched to “required”.

Now jabber.freenet.de is fully secured - but I only have 2 servers online. (And I have more in my roster - so a reconnect must fix it - but it doesn't.)

So, I don't have an idea anymore …

bigdaddy wrote:

  • I got an RSA and a DSA certificate from CAcert.

Maybe that's the problem. The CAcert certificate is not included in any default install, so they don't trust that one.

So a self-signed cert is a better one?

I can't believe it.

Hi

I have experienced something similar. I haven't connected to as many other servers as you, but I haven't found another server that I can connect to on a fully secured (both ways) connection. Like you, I accept self-signed certificates. I have an XMPP Federation signed certificate.

The problem is that I still cannot be sure if there is anything wrong with my configuration or not, as it is not exactly clear what fails each time. I did ask Ignite if they had considered providing a capability to test against a secured server, but I do realise that is a bit of an overhead for them. I have considered setting up another server in my environment to test against, but I just haven't had the time. If you want to do some testing against my server so that we can see if we can sort this out, I would be happy to help (however, I am travelling at the moment, so there might be a bit of a delay in responses - I am at GMT+7).

Best Regards

David

bigdaddy wrote:

So a self-signed cert is a better one?

No, a certificate signed by someone whose root cert is included with the major OS would be best.

This sounds logical - so if they don't know CAcert, they deny the secured connection.

But there are more outgoing secured connections than incoming ones. So I don't accept their certificate, I think?!

But I thought that I had disabled all checks with the parameters (see above).

My server is currently not connected to any fully secured server.

OK, I installed the ca-certificates package from Debian, which has the CAcert certs included.

Nothing changed. (Restarted the server.)

Then I turned on debug logs and closed the connection to jabber.ccc.de - a large German Jabber server. After that I spoke to a friend on that server so that the connection was re-established. He answered, and in both directions there is NO secured connection.

This is the log, but I don't understand it:

“2007.07.16 00:29:41 SubjectAltName of invalid type found: [” <<< what?


2007.07.16 00:29:35 Finishing Outgoing Server Reader. Closing session: org.jivesoftware.openfire.session.OutgoingServerSession@dfd643 status: -1 address: jabber.ccc.de id: 6a02b614ff0c0597a5e8d273153f963eb5db0728

java.net.SocketException: Socket closed

at java.net.SocketInputStream.socketRead0(Native Method)

at java.net.SocketInputStream.read(SocketInputStream.java:129)

at org.jivesoftware.openfire.net.ServerTrafficCounter$InputStreamWrapper.read(ServerTrafficCounter.java:201)

at sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:411)

at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:453)

at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:183)

at java.io.InputStreamReader.read(InputStreamReader.java:167)

at org.xmlpull.mxp1.MXParser.fillBuf(MXParser.java:2992)

at org.xmlpull.mxp1.MXParser.more(MXParser.java:3046)

at org.jivesoftware.openfire.net.MXParser.nextImpl(MXParser.java:75)

at org.xmlpull.mxp1.MXParser.nextToken(MXParser.java:1100)

at org.dom4j.io.XMPPPacketReader.parseDocument(XMPPPacketReader.java:317)

at org.jivesoftware.openfire.server.OutgoingServerSocketReader$1.run(OutgoingServerSocketReader.java:92)

2007.07.16 00:29:35 Logging off jabber.ccc.de on org.jivesoftware.openfire.net.SocketConnection@1ff563 socket: Socket[addr=/217.10.9.40,port=52469,localport=5269] session: org.jivesoftware.openfire.session.IncomingServerSession@16be7ee status: -1 address: jabber.ccc.de id: 76d5c44d

2007.07.16 00:29:36 OSCAR bos snac packet received: SnacPacketEvent: snacProcessor=ClientSnacProcessor: lastreqid=25, requests: 25, paused=false, snacPacket=SnacPacket type 0x3/0xb: 462 bytes (id=2461239128), snacCommand=BuddyStatusCmd: userinfo=UserInfo for 82986538: flags=0x71 (MASK_AWAY | MASK_FREE | MASK_UNCONFIRMED | 0x40), ICQ status=ICQSTATUS_NA | ICQSTATUS_AWAY | 0x20010000, memberSince=Tue Jul 25 06:40:11 CEST 2000, sessLenAim=509min, onSince=Sun Jul 15 15:57:55 CEST 2007, away, extraInfos=[ExtraInfoBlock: type=0x2 (TYPE_AVAILMSG), extraData=<ExtraInfoData: flags=0x4 (FLAG_AVAILMSG_PRESENT), data=00 fa 4d c3 bc 6e 73 74 65 72 20 5b 31 36 3a 34 30 5d 20 2d 20 77 65 63 68 2e 20 6d 6f 62 69 6c 2e 3c 62 72 2f 3e 3c 62 72 2f 3e 6a 69 64 3a 20 66 6c 69 62 62 6f 40 6a 61 62 62 65 72 2e 63 63 63 2e 64 65 3c 62 72 2f 3e 3c 62 72 2f 3e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 20 57 69 6e 41 6d 70 20 72 6f 63 6b 74 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 3c 62 72 2f 3e 4e 69 67 68 74 6d 61 72 65 73 20 4f 6e 20 57 61 78 20 2d 20 4c 65 73 20 4e 75 69 74 73 3c 62 72 2f 3e 3c 62 72 2f 3e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 20 53 6f 66 74 57 61 72 65 20 4e 65 77 73 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 3c 62 72 2f 3e 44 69 76 58 20 36 2e 36 20 2d 20 77 77 77 2e 64 69 76 78 2e 63 6f 6d 3c 62 72 2f 3e 57 69 6e 52 00 00>, ExtraInfoBlock: type=0xd (null), extraData=<ExtraInfoData: flags=0x4 (FLAG_AVAILMSG_PRESENT), data=46 9a 9f 64>], extraTlvs=[TLV: type=0xc, length=37 - hex: c0 a8 00 ea 00 00 c3 68 04 00 08 00 00 00 00 00 00 00 50 00 00 00 03 7f ff ff ff 00 03 09 00 00 00 00 00 00 00, TLV: type=0xa, length=4, uint value=1401415956: 53 87 e9 14, TLV: type=0x27, length=4, uint value=1184538468: 46 9a 9f 64], longcaps: [] - FlapPacketEvent: flapProcessor=FlapProcessor: seqNum=SeqNum: min=0, max=65535, last(current)=26, flapCommand=SnacFlapCmd: packet=SnacPacket type 0x3/0xb: 462 bytes (id=2461239128), flapPacket=FlapPacket (channel=2, seq=53238)

2007.07.16 00:29:36 OSCAR snac packet received: SnacPacketEvent: snacProcessor=ClientSnacProcessor: lastreqid=25, requests: 25, paused=false, snacPacket=SnacPacket type 0x3/0xb: 462 bytes (id=2461239128), snacCommand=BuddyStatusCmd: userinfo=UserInfo for 82986538: flags=0x71 (MASK_AWAY | MASK_FREE | MASK_UNCONFIRMED | 0x40), ICQ status=ICQSTATUS_NA | ICQSTATUS_AWAY | 0x20010000, memberSince=Tue Jul 25 06:40:11 CEST 2000, sessLenAim=509min, onSince=Sun Jul 15 15:57:55 CEST 2007, away, extraInfos=[ExtraInfoBlock: type=0x2 (TYPE_AVAILMSG), extraData=<ExtraInfoData: flags=0x4 (FLAG_AVAILMSG_PRESENT), data=00 fa 4d c3 bc 6e 73 74 65 72 20 5b 31 36 3a 34 30 5d 20 2d 20 77 65 63 68 2e 20 6d 6f 62 69 6c 2e 3c 62 72 2f 3e 3c 62 72 2f 3e 6a 69 64 3a 20 66 6c 69 62 62 6f 40 6a 61 62 62 65 72 2e 63 63 63 2e 64 65 3c 62 72 2f 3e 3c 62 72 2f 3e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 20 57 69 6e 41 6d 70 20 72 6f 63 6b 74 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 3c 62 72 2f 3e 4e 69 67 68 74 6d 61 72 65 73 20 4f 6e 20 57 61 78 20 2d 20 4c 65 73 20 4e 75 69 74 73 3c 62 72 2f 3e 3c 62 72 2f 3e 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 20 53 6f 66 74 57 61 72 65 20 4e 65 77 73 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 3c 62 72 2f 3e 44 69 76 58 20 36 2e 36 20 2d 20 77 77 77 2e 64 69 76 78 2e 63 6f 6d 3c 62 72 2f 3e 57 69 6e 52 00 00>, ExtraInfoBlock: type=0xd (null), extraData=<ExtraInfoData: flags=0x4 (FLAG_AVAILMSG_PRESENT), data=46 9a 9f 64>], extraTlvs=[TLV: type=0xc, length=37 - hex: c0 a8 00 ea 00 00 c3 68 04 00 08 00 00 00 00 00 00 00 50 00 00 00 03 7f ff ff ff 00 03 09 00 00 00 00 00 00 00, TLV: type=0xa, length=4, uint value=1401415956: 53 87 e9 14, TLV: type=0x27, length=4, uint value=1184538468: 46 9a 9f 64], longcaps: [] - FlapPacketEvent: flapProcessor=FlapProcessor: seqNum=SeqNum: min=0, max=65535, last(current)=26, flapCommand=SnacFlapCmd: packet=SnacPacket type 0x3/0xb: 462 bytes (id=2461239128), flapPacket=FlapPacket (channel=2, seq=53238)

2007.07.16 00:29:38 OS - Trying to connect to jabber.ccc.de:5269(DNS lookup: jabberd.jabber.ccc.de:5265)

2007.07.16 00:29:38 OS - Plain connection to jabber.ccc.de:5269 successful

2007.07.16 00:29:38 OS - Going to try connecting using server dialback with: jabber.ccc.de

2007.07.16 00:29:38 OS - Trying to connect to jabber.ccc.de:5269(DNS lookup: jabberd.jabber.ccc.de:5263)

2007.07.16 00:29:38 OS - Connection to jabber.ccc.de:5269 successful

2007.07.16 00:29:38 OS - Sent dialback key to host: jabber.ccc.de id: 41e94d79ee72daf2960977185e98f2b347dc28f3 from domain: nnga.info

2007.07.16 00:29:38 Connect Socket[addr=/217.10.9.40,port=56646,localport=5269]

2007.07.16 00:29:38 AS - Verifying key for host: jabber.ccc.de id: 41e94d79ee72daf2960977185e98f2b347dc28f3

2007.07.16 00:29:38 AS - Key was: VALID for host: jabber.ccc.de id: 41e94d79ee72daf2960977185e98f2b347dc28f3

2007.07.16 00:29:38 AS - Connection closed for host: jabber.ccc.de id: 41e94d79ee72daf2960977185e98f2b347dc28f3

2007.07.16 00:29:38 Verbindung beendet bevor Sitzung hergestellt wurde

Socket[addr=/217.10.9.40,port=56646,localport=5269]

2007.07.16 00:29:38 OS - Validation GRANTED from: jabber.ccc.de id: 41e94d79ee72daf2960977185e98f2b347dc28f3 for domain: nnga.info

2007.07.16 00:29:41 Finishing Outgoing Server Reader. Closing session: org.jivesoftware.openfire.session.OutgoingServerSession@17e982f status: 1 address: jabber.freenet.de id: 779832325

java.io.EOFException: no more data available - expected end tag </stream:stream> to close start tag stream:stream from line 1, parser stopped on END_TAG seen …r:server:dialback' id='779832325' version='1.0'>stream:features/@1:187

at org.xmlpull.mxp1.MXParser.fillBuf(MXParser.java:3035)

at org.xmlpull.mxp1.MXParser.more(MXParser.java:3046)

at org.jivesoftware.openfire.net.MXParser.nextImpl(MXParser.java:75)

at org.xmlpull.mxp1.MXParser.nextToken(MXParser.java:1100)

at org.dom4j.io.XMPPPacketReader.parseDocument(XMPPPacketReader.java:317)

at org.jivesoftware.openfire.server.OutgoingServerSocketReader$1.run(OutgoingServerSocketReader.java:92)

2007.07.16 00:29:41 SubjectAltName of invalid type found: [

[

Version: V3

Subject: CN=nnga.info

Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

Key: Sun RSA public key, 1024 bits

modulus: 12727702210974250026823988918289966636763808811490999159644296784903864172025506993483068118918126350805052768911502259536854376418119422964565168846282870190620696300742232330378846643700458230513965927172580926787573488027544491994478289991989550876006777808996577638755917886658231169452810002894478096855

public exponent: 65537

Validity: [From: Mon Jun 25 00:18:28 CEST 2007,

To: Fri Dec 21 23:18:28 CET 2007]

Issuer: EMAILADDRESS=support@cacert.org, CN=CA Cert Signing Authority, OU=http://www.cacert.org, O=Root CA

SerialNumber:

Certificate Extensions: 5

: ObjectId: 2.5.29.17 Criticality=false

SubjectAlternativeName [

DNSName: nnga.info, Other-Name: Unrecognized ObjectIdentifier: 1.3.6.1.5.5.7.8.5]

: ObjectId: 2.5.29.15 Criticality=false

KeyUsage [

DigitalSignature

Key_Encipherment

]

: ObjectId: 2.5.29.37 Criticality=false

ExtendedKeyUsages [

]

: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false

AuthorityInfoAccess [

[accessMethod: 1.3.6.1.5.5.7.48.1

accessLocation: URIName: http://ocsp.cacert.org/]

]

: ObjectId: 2.5.29.19 Criticality=true

BasicConstraints:[

CA:false

PathLen: undefined

]

]

Algorithm:

Signature:

0000: AA C6 E2 FC B6 1E BE DC 7A DE F9 C0 3C 8D FF 35 …z…<…5

0010: 6B 72 70 3D D8 62 86 A8 A1 B2 F7 FC 79 A9 01 8D krp=.b…y…

0020: 8C 88 0B B1 57 61 32 1A DD F1 57 6C 5C 0C 73 19 …Wa2…Wl.s.

0030: 44 E3 94 16 66 7D 44 2E B5 37 27 84 75 27 26 14 D…f.D…7’’.u’’&.

0040: 1F C8 6C 1E FA 1C D2 5E 18 F9 4B 99 81 9A 61 BB …l…^…K…a.

0050: 0C C4 46 EC C0 FE 97 0E 18 D5 F5 64 11 5D DF 98 …F…d.]…

0060: 2B 4F 45 64 EB 12 E0 62 5D BF 1F F7 48 F9 94 EE +OEd…b]…H…

0070: EE FF A3 6D 0B 2D D7 B1 25 05 57 AB 3C B5 C7 86 …m.-…%.W.<…

0080: 64 FF 10 7E 72 6B 60 47 B6 40 E2 64 AE 2F AD BE d…rk`G.@.d./…

0090: 48 58 56 6B F1 C0 DB 56 68 AB D0 0D 88 47 7D 09 HXVk…Vh…G…

00A0: 5F EF 49 E7 4E 29 43 E7 76 12 77 77 65 0C BC 4A _.I.N)C.v.wwe…J

00B0: B3 01 45 60 97 E7 4F 94 6D 19 98 77 BD D4 7D 0D …E`…O.m…w…

00C0: 4A E8 64 1F C8 AD BA 97 FA AD EB B7 8F 3C 9F E6 J.d…<…

00D0: 91 93 05 65 BB 3F 12 73 1C 8B D6 A8 69 9F D0 30 …e.?.s…i…0

00E0: 07 5E 17 27 0A 57 8F AD 46 0B 81 BC 3C 78 BC D1 .^.’’.W…F…<x…

00F0: 5E F9 E4 72 23 07 3E DA F8 33 68 80 A0 1A 29 58 ^…r#.>…3h…)X

0100: 41 78 72 4D 19 18 86 3E F5 DF 82 9C 9A 04 8E 9C AxrM…>…

0110: F1 5C A5 85 85 C7 A9 10 E9 4C B3 BB DA 45 D2 BD …L…E…

0120: AE AE E2 F2 EC 0A 6C 86 0F 65 52 83 49 E6 2D BF …l…eR.I.-.

0130: C6 BB 00 EF EC 62 69 2E 67 9D 76 0C AC 28 73 89 …bi.g.v…(s.

0140: 55 E9 6F 75 CC 19 47 02 9E 5A 86 D4 E6 52 65 60 U.ou…G…Z…Re`

0150: E9 2A 5B 13 08 4E 98 19 43 79 12 20 C9 42 86 77 .*[…N…Cy. .B.w

0160: 0F B0 E5 51 09 AF 8D C6 A2 2A B9 27 0C 65 90 44 …Q…*.’’.e.D

0170: 8F F1 2F 93 DA 3C C4 0F 24 E2 CA 54 10 8A 4B 28 …/…<…$…T…K(

0180: AA 46 98 B6 C7 7B 18 88 C4 87 C2 E5 FC EB 9F FC .F…

0190: 24 7D 4A 99 DF 6E 6F 0B 01 48 34 9A 06 B3 AE B7 $.J…no…H4…

01A0: E1 26 8B AA 41 5E 9B D9 63 F5 39 62 E2 7B 80 A3 .&…A^…c.9b…

01B0: 00 7A 6D 23 0E C3 1D C0 5F 6A B5 CB 47 5D 3F A3 .zm#…_j…G]?.

01C0: 35 27 6D E2 66 EF FD 4D 78 BE 68 20 D1 C9 03 1C 5’'m.f…Mx.h …

01D0: 52 11 DD 23 35 EB 8D 18 BA BC 66 2E 20 B2 EC D2 R…#5…f. …

01E0: 58 F4 0A E7 A8 CE BD 35 17 31 A0 16 E5 97 28 6A X…5.1…(j

01F0: 42 26 2C CA 3A 53 54 93 1B BA 00 CE 98 B1 9D 8A B&,.:ST…

]

2007.07.16 00:29:47 EOF


Hi

According to Gato, “SubjectAltName of invalid type found” should not be a problem, but it may be worth checking as he outlined below.

"A certificate may have several subjectAltNames and each one could be of different types (for different usages). Openfire will print the “SubjectAltName of invalid type found” debug message when a subjectAltName that does not contain the XMPP spec is found. This is not an error but just debugging information. The server iterates over all the subjectAltNames trying to find the one that contains XMPP info, and if none was found then it will use the info contained in the common name.

Having said that, if the certificate has an incorrect CN and no subjectAltName with XMPP info, or with XMPP info but with incorrect data (e.g. incorrect XMPP domain), then the server will fail to accept the certificate of the remote server. As a simple test, you can disable certificate verification and see if TLS is still used. To disable cert verification set the system property xmpp.server.certificate.verify to false (no need to restart the server). If TLS is failing to work then the error is something else."
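The identity check Gato describes (walk the subjectAltName entries looking for XMPP info, fall back to the common name only when none is found) is easy to misread from the JDK's "Unrecognized ObjectIdentifier: 1.3.6.1.5.5.7.8.5" line in the log above: that OID is id-on-xmppAddr, exactly the otherName type an XMPP server looks for, and the JDK printer simply has no name for it. The following is an added example written for this thread, not Openfire's own code. It contains a minimal hand-written DER encoder/decoder (only what a SubjectAltName needs), constructs a stand-in SAN shaped like the one in the log (a dNSName plus an xmppAddr otherName for nnga.info), and shows which domains such a certificate vouches for and what happens when the CN is wrong and no xmppAddr is present. The `verify` flag is a simplified model of the `xmpp.server.certificate.verify` property from the thread (assumption: it skips only the identity match shown here).

```python
"""Added example: deciding which XMPP domains a server certificate vouches for.

Mirrors the behaviour described in the thread: prefer subjectAltName otherName
entries of type id-on-xmppAddr, fall back to the common name if none exist.
The DER helpers are a tiny hand-written subset; the SAN data is constructed.
"""

XMPP_ADDR_OID = "1.3.6.1.5.5.7.8.5"   # id-on-xmppAddr: "Unrecognized" in the JDK dump
TAG_OTHER_NAME = 0xA0                 # GeneralName [0] otherName (constructed)
TAG_DNS_NAME = 0x82                   # GeneralName [2] dNSName (IA5String)


def _der_len(n: int) -> bytes:
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next (length & 0x7F) bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_oid(dotted: str) -> bytes:
    """Dotted OID string -> OBJECT IDENTIFIER content octets (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def build_san(dns_names, xmpp_addrs) -> bytes:
    """Construct a SubjectAltName extension value (SEQUENCE OF GeneralName)."""
    names = b"".join(_tlv(TAG_DNS_NAME, d.encode("ascii")) for d in dns_names)
    for domain in xmpp_addrs:
        # otherName ::= { type-id OID, value [0] EXPLICIT UTF8String }
        other = _tlv(0x06, encode_oid(XMPP_ADDR_OID)) + \
                _tlv(0xA0, _tlv(0x0C, domain.encode("utf-8")))
        names += _tlv(TAG_OTHER_NAME, other)
    return _tlv(0x30, names)


def parse_san(der: bytes):
    """List of (kind, value): ('dNSName', str), ('xmppAddr', str) or ('otherName', oid)."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    entries, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag == TAG_DNS_NAME:
            entries.append(("dNSName", content.decode("ascii")))
        elif tag == TAG_OTHER_NAME:
            _, oid_bytes, p = _read_tlv(content, 0)
            _, explicit, _ = _read_tlv(content, p)   # [0] EXPLICIT wrapper
            _, inner, _ = _read_tlv(explicit, 0)     # the UTF8String inside it
            oid = decode_oid(oid_bytes)
            if oid == XMPP_ADDR_OID:
                entries.append(("xmppAddr", inner.decode("utf-8")))
            else:
                entries.append(("otherName", oid))   # the "invalid type" debug case
        else:
            entries.append(("other", hex(tag)))      # IP, URI, ... ignored here
    return entries


def certified_xmpp_domains(san_der: bytes, common_name: str):
    """Domains the certificate vouches for: xmppAddr entries, else the CN."""
    xmpp = [v for k, v in parse_san(san_der) if k == "xmppAddr"]
    return xmpp if xmpp else [common_name]


def remote_domain_accepted(san_der, common_name, remote_domain, verify=True):
    """Identity match for an S2S peer; verify=False skips it (assumed model of
    xmpp.server.certificate.verify=false, for the test Gato suggests)."""
    if not verify:
        return True
    return remote_domain.lower() in [d.lower() for d in certified_xmpp_domains(san_der, common_name)]


if __name__ == "__main__":
    san = build_san(["nnga.info"], ["nnga.info"])   # constructed stand-in for the log's SAN
    print(parse_san(san))
    print(certified_xmpp_domains(san, "nnga.info"))
    no_xmpp = build_san(["nnga.info"], [])           # CN fallback path
    print(remote_domain_accepted(no_xmpp, "wrong-cn.example", "nnga.info"))
```

Running it shows the xmppAddr entry being picked up for nnga.info, and that a certificate with only a dNSName and a mismatching CN is rejected for that domain, which is the "incorrect CN and no subjectAltName with XMPP info" case from the quoted explanation; disabling verification makes that same certificate pass, so it only tells you whether TLS itself works, not whether the identity is right.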