Server2Server and TLS

Hi,

I'm getting some TLS exceptions while creating encrypted s2s connections to another Openfire server. Only an unencrypted connection is possible.

Both servers are running Openfire 3.3.0. The settings are:

Client Connection Security -> Optional

Server Connection Security -> Optional

I have access to both servers.

The exception in the error log:

2007.05.01 10:42:27 org.jivesoftware.openfire.net.SocketReadingMode.negotiateTLS(SocketReadingMode.java:75) Error while negotiating TLS: org.jivesoftware.openfire.net.SocketConnection@bcdcea socket: Socket[addr=/137.226.127.131,port=49709,localport=5269] session: org.jivesoftware.openfire.session.IncomingServerSession@47501a status: 1 address: test-jabber.dyndns.org/f358851b id: f358851b
javax.net.ssl.SSLException: Unsupported record version Unknown-47.115
at com.sun.net.ssl.internal.ssl.EngineInputRecord.bytesInCompletePacket(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source)
at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:211)
at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:157)
at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:164)
at org.jivesoftware.openfire.net.SocketReadingMode.negotiateTLS(SocketReadingMode.java:72)
at org.jivesoftware.openfire.net.BlockingReadingMode.readStream(BlockingReadingMode.java:126)
at org.jivesoftware.openfire.net.BlockingReadingMode.run(BlockingReadingMode.java:62)
at org.jivesoftware.openfire.net.SocketReader.run(SocketReader.java:120)
at java.lang.Thread.run(Unknown Source)

Any ideas?

Thanks in advance,

Coolcat
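A small diagnostic helper, added here and not part of the thread, for reading the exception above. Java's SSLEngine produces "Unsupported record version Unknown-M.m" when the two bytes following the record-type byte are not a protocol version it recognises, and it prints those two raw byte values in decimal; the assumption this example makes is that decoding them back to bytes tells you what actually arrived in the TLS record's version slot. For 47.115 the bytes are 0x2f 0x73, i.e. the ASCII text "/s", which points at plaintext (text, plausibly XML from the XMPP stream) being handed to the TLS engine rather than a TLS record. The sample log lines are constructed from the messages in this thread.

```python
import re
from typing import Optional

# Matches the message JSSE's SSLEngine emits when the two bytes after the
# record-type byte are not a protocol version it understands (major.minor,
# both printed as decimal byte values).
_PATTERN = re.compile(r"Unsupported record version Unknown-(\d+)\.(\d+)")


def decode_record_version(message: str) -> Optional[dict]:
    """Decode the Unknown-M.m pair from an SSLException message.

    Returns None when the message is not that kind of error; otherwise a dict
    with the raw bytes (decimal, hex, ASCII if printable) and a diagnosis.
    """
    m = _PATTERN.search(message)
    if m is None:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    if not (0 <= major <= 255 and 0 <= minor <= 255):
        return None  # not a byte pair, so not the format we expect
    raw = bytes([major, minor])
    # Printable ASCII in the version slot means text, not a TLS record,
    # reached the SSLEngine (a real record would carry 0x03 0x00..0x03 here).
    ascii_text = raw.decode("ascii") if all(0x20 <= b < 0x7F for b in raw) else None
    if ascii_text is not None:
        diagnosis = "plaintext where a TLS record was expected (text, possibly XML)"
    else:
        diagnosis = "non-TLS binary data where a TLS record was expected"
    return {
        "major": major,
        "minor": minor,
        "hex": raw.hex(),
        "ascii": ascii_text,
        "diagnosis": diagnosis,
    }


def classify_log_line(line: str) -> str:
    """One-line summary for a log line, usable when scanning an error log."""
    d = decode_record_version(line)
    if d is None:
        return "not a record-version error"
    shown = f"{d['ascii']!r}" if d["ascii"] is not None else f"0x{d['hex']}"
    return f"version bytes {shown}: {d['diagnosis']}"


# Constructed sample lines: the one from the thread above plus two variants
# in the same JSSE message formats.
SAMPLE_LINES = [
    "javax.net.ssl.SSLException: Unsupported record version Unknown-47.115",
    "javax.net.ssl.SSLException: Unsupported record version Unknown-128.0",
    "javax.net.ssl.SSLException: Received fatal alert: certificate_unknown",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{line}\n  -> {classify_log_line(line)}")
```

Run it against the lines in the error log; a printable ASCII pair is the signal to look at what the peer or a stale read buffer delivered before the handshake rather than at the certificates themselves.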

Hi coolcat,

If you want to have S2S with TLS, you have to add this system property on each server:

name: xmpp.server.certificate.verify

value: false

Your two servers are (I suppose) self-signed, and that doesn't allow a TLS connection by default.

If you don't want to add this property, you can add a certificate for each server, but you have to find a CA.

Best regards,

Deamonyx

deamonyx wrote:

name: xmpp.server.certificate.verify

value: false

Thanks, it works now.

I have a key and certificate for one of the servers, but I got some errors while importing them.

I will try it again this evening (GMT+2) and post the error message here.

Coolcat