Server to server connection problems

When I try to add a user from a different server my server only establishes an outgoing connection. My error log reads…

2006.01.27 11:48:16 [org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:323)] Error creating secured outgoing session to remote server: test-xmpp-win.disa.mil(DNS lookup: test-xmpp-win.disa.mil:5269)
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source)
    at javax.net.ssl.SSLEngine.wrap(Unknown Source)
    at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:259)
    at org.jivesoftware.wildfire.net.TLSStreamHandler.<init>(TLSStreamHandler.java:145)
    at org.jivesoftware.wildfire.net.SocketConnection.startTLS(SocketConnection.java:150)
    at org.jivesoftware.wildfire.server.OutgoingServerSession.secureAndAuthenticate(OutgoingServerSession.java:351)
    at org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:304)
    at org.jivesoftware.wildfire.server.OutgoingServerSession.authenticateDomain(OutgoingServerSession.java:141)
    at org.jivesoftware.wildfire.server.OutgoingSessionPromise.createSessionAndSendPacket(OutgoingSessionPromise.java:126)
    at org.jivesoftware.wildfire.server.OutgoingSessionPromise.access$300(OutgoingSessionPromise.java:37)
    at org.jivesoftware.wildfire.server.OutgoingSessionPromise$1$1.run(OutgoingSessionPromise.java:91)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)
    at org.jivesoftware.wildfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:310)
    at org.jivesoftware.wildfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:220)
    ... 11 more
Caused by: java.security.cert.CertificateException: root certificate not trusted of John Doe, OU=XMPP, O=Jive Software, L=Portland, ST=OR, C=US
    at org.jivesoftware.wildfire.net.ServerTrustManager.checkServerTrusted(ServerTrustManager.java:132)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
    ... 19 more
2006.01.27 11:48:16 [org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:159)] Connection closed before session established
Socket[addr=/10.10.3.204,port=1039,localport=5269]

And the debug log reads…

2006.01.27 11:46:11 Connect Socket[addr=/10.10.3.40,port=1731,localport=5222]
2006.01.27 11:46:30 Connect Socket[addr=/10.10.3.40,port=1733,localport=5222]
2006.01.27 11:48:16 OS - Trying to connect to test-xmpp-win.disa.mil:5269
2006.01.27 11:48:16 OS - Plain connection to test-xmpp-win.disa.mil:5269 successful
2006.01.27 11:48:16 OS - Indicating we want TLS to test-xmpp-win.disa.mil
2006.01.27 11:48:16 OS - Negotiating TLS with test-xmpp-win.disa.mil
2006.01.27 11:48:16 OS - Going to try connecting using server dialback
2006.01.27 11:48:16 OS - Trying to connect to test-xmpp-win.disa.mil:5269
2006.01.27 11:48:16 OS - Connection to test-xmpp-win.disa.mil:5269 successful
2006.01.27 11:48:16 OS - Sent dialback key to host: test-xmpp-win.disa.mil id: 175fcdc1 from domain: test-dd.disa.mil
2006.01.27 11:48:16 Connect Socket[addr=/10.10.3.204,port=1039,localport=5269]
2006.01.27 11:48:16 AS - Verifying key for host: test-xmpp-win.disa.mil id: 175fcdc1
2006.01.27 11:48:16 AS - Key was: VALID for host: test-xmpp-win.disa.mil id: 175fcdc1
2006.01.27 11:48:16 AS - Connection closed for host: test-xmpp-win.disa.mil id: 175fcdc1
2006.01.27 11:48:16 OS - Validation GRANTED from: test-xmpp-win.disa.mil id: 175fcdc1 for domain: test-dd.disa.mil

Hey Jason,

Wildfire will first try to use TLS (i.e. encrypted/secured connection) for server-to-server communication. If that fails then the fallback method is to use server dialback over a plain connection.

The error that you are seeing is that TLS failed to be negotiated because the certificate presented by the other server has a root Certificate Authority that is not trusted. Anyway, the servers then tried to use server dialback and the server-to-server communication was successful, but using a plain (i.e. not secured) connection.

If you want to use TLS for s2s then you will have to configure the remote server or ask the admin of the remote server to use valid certificates. That means that the certificate has to be signed by a trusted certificate authority. Out of the box Wildfire will consider certificates signed by cacert.org as trusted, so you can get free signed certificates now.

Useful links:

http://www.jivesoftware.org/builds/wildfire/docs/latest/documentation/ssl-guide.html

https://www.cacert.org/index.php

http://www.jivesoftware.org/community/entry.jspa?externalID=492&categoryID=22

Regards,

– Gato
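The fallback Gato describes is visible in the two logs above: the TLS attempt fails on the certificate check, and a moment later dialback validation is granted over a plain connection. As an added example (not code from this thread or from Wildfire), the script below reads Wildfire error/debug log lines of that shape and reports, per remote domain, whether s2s ended up TLS-protected or fell back to unencrypted dialback, attaching the certificate failure reason. The message patterns are taken from the lines quoted in the thread, and the sample log is constructed from them; the second host (other.example.org) is a made-up entry included so the "no failure logged" case is exercised.

```python
"""Classify Wildfire s2s log lines by the transport the session ended up on.

Added example, not Wildfire code. Patterns match the messages quoted in the
thread above; the sample log below is constructed from those messages.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Log fragments as they appear in the thread's error and debug logs.
TLS_FAIL = re.compile(r"Error creating secured outgoing session to remote server: (?P<host>[\w.-]+)")
CERT_CAUSE = re.compile(r"Caused by: java\.security\.cert\.CertificateException: (?P<reason>.+)")
TLS_NEGOTIATING = re.compile(r"OS - Negotiating TLS with (?P<host>[\w.-]+)")
DIALBACK_GRANTED = re.compile(r"OS - Validation GRANTED from: (?P<host>[\w.-]+)")


@dataclass
class S2SOutcome:
    host: str
    tls_attempted: bool = False
    tls_failed: bool = False
    cert_error: Optional[str] = None
    dialback_granted: bool = False

    @property
    def transport(self) -> str:
        # Dialback granted means the session that carries traffic is the plain one.
        if self.dialback_granted:
            return "plain-dialback"
        if self.tls_failed:
            return "tls-failed-no-session"
        if self.tls_attempted:
            return "tls"  # inferred: TLS was negotiated and nothing failed afterwards
        return "unknown"


def classify(lines: Iterable[str]) -> Dict[str, S2SOutcome]:
    outcomes: Dict[str, S2SOutcome] = {}
    failing_host: Optional[str] = None  # host whose stack trace we are currently inside

    def get(host: str) -> S2SOutcome:
        return outcomes.setdefault(host, S2SOutcome(host))

    for line in lines:
        if m := TLS_FAIL.search(line):
            o = get(m["host"])
            o.tls_attempted = True
            o.tls_failed = True
            failing_host = m["host"]
        elif (m := CERT_CAUSE.search(line)) and failing_host:
            # The root cause follows the "Error creating secured outgoing session" line.
            get(failing_host).cert_error = m["reason"].strip()
        elif m := TLS_NEGOTIATING.search(line):
            get(m["host"]).tls_attempted = True
        elif m := DIALBACK_GRANTED.search(line):
            get(m["host"]).dialback_granted = True
    return outcomes


def summarize(log_text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Plain-dict view of classify(), one entry per remote host."""
    return {h: {"transport": o.transport, "cert_error": o.cert_error}
            for h, o in classify(log_text.splitlines()).items()}


# Constructed sample: the thread's lines for test-xmpp-win.disa.mil plus a
# made-up host that only shows a TLS negotiation and no later failure.
SAMPLE_LOG = """\
2006.01.27 11:48:16 [org.jivesoftware.wildfire.server.OutgoingServerSession.createOutgoingSession(OutgoingServerSession.java:323)] Error creating secured outgoing session to remote server: test-xmpp-win.disa.mil(DNS lookup: test-xmpp-win.disa.mil:5269)
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: java.security.cert.CertificateException: root certificate not trusted of John Doe, OU=XMPP, O=Jive Software, L=Portland, ST=OR, C=US
2006.01.27 11:48:16 OS - Trying to connect to test-xmpp-win.disa.mil:5269
2006.01.27 11:48:16 OS - Negotiating TLS with test-xmpp-win.disa.mil
2006.01.27 11:48:16 OS - Going to try connecting using server dialback
2006.01.27 11:48:16 OS - Sent dialback key to host: test-xmpp-win.disa.mil id: 175fcdc1 from domain: test-dd.disa.mil
2006.01.27 11:48:16 OS - Validation GRANTED from: test-xmpp-win.disa.mil id: 175fcdc1 for domain: test-dd.disa.mil
2006.01.27 11:50:02 OS - Negotiating TLS with other.example.org
"""

if __name__ == "__main__":
    for host, info in summarize(SAMPLE_LOG).items():
        flag = "UNENCRYPTED" if info["transport"] == "plain-dialback" else ""
        print(f"{host:28} {info['transport']:24} {flag} {info['cert_error'] or ''}")
```

Run it against `wildfire.log`/`debug.log` by replacing `SAMPLE_LOG` with the file contents; any host reported as plain-dialback is exchanging s2s traffic in the clear, which is the condition the thread's original poster was actually in.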

OK, but why is it not completing the 2-way connection? I cannot add users from the other wildfire server to my contact list.

I'm getting the same error with connection attempts from another server. I don't control the other server, but I do know that server's admin, and he's getting error log spam from the rejections. Making him use a cert with a root Wildfire likes is not an option.

So, is there a way either to:

(a) Configure Wildfire not to care whether the cert is "valid" (rationale: I don't care if the remote server is who it claims it is; I just want the certs to be used for encryption bootstrapping, not validation of identity, and I'm not worried about MITM attacks), or

(b) import the remote server's cert into my local certificate store so that it's seen as valid?

If so, instructions would be appreciated. I tried importing the remote server's cert using the Security Settings page, but all I get is the error message "Error installing the certificate."

Thanks.

Hey jgraves,

The document Turning some certificates validations on/off might be what you are looking for. In short, set the xmpp.server.certificate.verify system property to false to disable certificate validation. However, that will only affect your server to accept certificates presented by other remote servers. But you will also have to make some changes to the remote server to accept your self-signed certificates too. If the other server is a Wildfire server then the same suggestion applies.

Regards,

– Gato

Made URL smaller.

Message was edited by: dombiak_gaston
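Before picking option (a) or (b), it helps to see the same check Wildfire runs, from outside the server: open an s2s stream to port 5269, ask for STARTTLS, and attempt the TLS handshake against a chosen trust store. The probe below is an added example, not Wildfire code and not from this thread. `make_context(verify=False)` is the Python equivalent of option (a) (encrypt, accept any certificate); `make_context(ca_file=...)` is option (b), trusting a certificate file you exported from the remote. It assumes the remote speaks XMPP 1.0 streams on 5269 and offers `<starttls/>`; the `<stream:features>` samples are constructed, not captured, and the stream-header attributes follow the jabber:server / dialback namespaces used in s2s, which I take as an assumption about the remote's expectations.

```python
"""Probe an XMPP s2s endpoint's STARTTLS certificate with a chosen trust policy.

Added example, not Wildfire code. Network assumptions: remote listens on
5269, speaks XMPP 1.0 streams and offers STARTTLS. Feature samples below are
constructed for the offline checks.
"""
import re
import socket
import ssl
from typing import Dict, Optional, Tuple

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"


def stream_header(local_domain: str, remote_domain: str) -> bytes:
    """Opening tag the originating server sends; version="1.0" is needed for STARTTLS."""
    return (
        '<?xml version="1.0"?><stream:stream xmlns="jabber:server" '
        f'xmlns:stream="{STREAM_NS}" xmlns:db="jabber:server:dialback" '
        f'to="{remote_domain}" from="{local_domain}" version="1.0">'
    ).encode()


def starttls_offered(features_xml: str) -> Optional[bool]:
    """True if <starttls> is advertised with <required/>, False if advertised
    as optional, None if the remote does not offer STARTTLS at all."""
    m = re.search(r"<starttls\b[^>]*?(?:/>|>(.*?)</starttls>)", features_xml, re.S)
    if not m:
        return None
    return "<required" in (m.group(1) or "")


def make_context(ca_file: Optional[str] = None, verify: bool = True) -> ssl.SSLContext:
    """verify=True with ca_file: option (b), trust exactly that certificate file
    (create_default_context loads only cafile when one is given).
    verify=False: option (a), encrypt but skip chain and hostname checks."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def _read_until(sock: socket.socket, markers: Tuple[bytes, ...], limit: int = 65536) -> bytes:
    buf = b""
    while len(buf) < limit and not any(mk in buf for mk in markers):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def probe(remote_host: str, remote_domain: str, local_domain: str,
          ca_file: Optional[str] = None, verify: bool = True,
          port: int = 5269, timeout: float = 10.0) -> Dict[str, object]:
    """Return the STARTTLS offer state, whether the chain verified, and the failure reason."""
    ctx = make_context(ca_file, verify)
    with socket.create_connection((remote_host, port), timeout=timeout) as sock:
        sock.sendall(stream_header(local_domain, remote_domain))
        features = _read_until(sock, (b"</stream:features>", b"<stream:features/>")).decode(errors="replace")
        offered = starttls_offered(features)
        if offered is None:
            return {"starttls": None, "verified": False, "error": "remote does not offer STARTTLS"}
        sock.sendall(f'<starttls xmlns="{TLS_NS}"/>'.encode())
        reply = _read_until(sock, (b"<proceed", b"<failure")).decode(errors="replace")
        if "<proceed" not in reply:
            return {"starttls": offered, "verified": False, "error": "remote refused STARTTLS"}
        try:
            tls = ctx.wrap_socket(sock, server_hostname=remote_domain)
        except ssl.SSLCertVerificationError as exc:
            # Python's counterpart of Wildfire's "root certificate not trusted".
            return {"starttls": offered, "verified": False, "error": exc.verify_message}
        except ssl.SSLError as exc:
            return {"starttls": offered, "verified": False, "error": str(exc)}
        with tls:
            cert = tls.getpeercert()  # {} when verification is off (CERT_NONE)
            return {"starttls": offered, "verified": verify, "error": None,
                    "subject": cert.get("subject")}


# Constructed <stream:features> payloads (not captured from a real server).
FEATURES_REQUIRED = ('<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls">'
                     '<required/></starttls></stream:features>')
FEATURES_OPTIONAL = '<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/></stream:features>'
FEATURES_NONE = '<stream:features><dialback xmlns="urn:xmpp:features:dialback"/></stream:features>'

if __name__ == "__main__":
    import sys
    host, domain, me = sys.argv[1:4]  # remote host, remote XMPP domain, your own domain
    print(probe(host, domain, me))                 # default trust store
    print(probe(host, domain, me, verify=False))   # option (a)
```

Usage: `python probe.py remote.host.example remote-domain.example my-domain.example`. The first line of output shows the verification error your default trust store produces (the analogue of the CertificateException in the error log), the second shows that the remote does encrypt once identity checks are switched off. For option (b), pass `ca_file="remote.pem"` to `probe()`; with a file exported from the remote, `verified` becomes True while `error` stays None, which is the same outcome importing the certificate into Wildfire's trust store is meant to give.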

Thanks for the response. That link takes me to a page that says the document can't be found, however.

Hey jgraves,

Sorry about that. I made the URL smaller so now no white spaces are added to the link.

Thanks,

– Gato