Secured S2S connections with software other than Openfire

Hey folks,

This is on a related note to my other thread about XMPP issued certificates, but since that issue was resolved (by getting certificates re-issued), I’m putting this issue in a new thread.

The problem I encountered is the following:

For secured server to server (s2s) connections, using both self-signed and CA-signed certificates, everything checks out fine between my live Openfire server and test Openfire server. However, when trying to make a similar connection to other jabber servers in the public network, it doesn’t work. The difference being:

  • Between 2 openfire servers, after TLS has been negotiated, the servers authenticate with SASL EXTERNAL (which according to the devs here, is bundeled with using TLS for s2s).

  • Between openfire and other servers (I tried several that support TLS, all with the same result!), TLS is negotiated successfully, but then I get the message “Error, no SASL mechanisms were offered by (server name)”, and it closes TLS with the option to use plaintext (unencrypted) dialback instead.

So, obviously, other jabber software doesn’t offer SASL, or offers it in a way different than what Openfire expects. Since I, and my users, prefer encrypted streams where possible, I want to be able to have encrypted s2s connections to other jabber servers, even if they don’t offer all the “expected” options for authentication.

I’ve scanned over the source to see where the connection debug messages come from, and at first glance (but I’m no java programmer) it doesn’t seem too hard to add a property that could skip SASL – Or would this not work? (to me it seems an optional step to have extra verification of the remote server)