Some clients cannot connect when TLS is enabled

Hi, some of our XMPP clients (devices) cannot open a session to the Openfire server when TLS is enabled.

Lots of other clients can, but some just cannot.

Logs on the server side:

2013.07.17 15:11:09 org.jivesoftware.openfire.nio.ConnectionHandler - ConnectionHandler reports IOException for session: (SOCKET, R: /x.x.x.x:1470, L: y.y.y.y:5222, S: 0.0.0.0/0.0.0.0:5222)

at java.lang.Thread.run(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)

at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)

at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:485)

at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$400(SocketIoProcessor.java:45)

at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:198)

at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:218)

at sun.nio.ch.SocketChannelImpl.read(Unknown Source)

at sun.nio.ch.IOUtil.read(Unknown Source)

at sun.nio.ch.IOUtil.readIntoNativeBuffer(Unknown Source)

at sun.nio.ch.SocketDispatcher.read(Unknown Source)

at sun.nio.ch.FileDispatcher.read0(Native Method)

java.io.IOException: Connection reset by peer

When I disable TLS on the OpenSSL server, connecting is no problem, but that is of course not what we want.

The old SSL option only seems to be not secure (no lock symbol in the session list for that session).

It seems the client drops the connection, but why?

- Updated openssl on the client

- Installed Java 1.5 on the server

Any clue, or where to look on the client side (Ubuntu 10.04 TLS device)? It has not been updated for a long time because of a traffic consumption issue (it's a 2G/3G device).

Maybe old TLS ciphers on the client side or something?

Kind regards

Martijn S.
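To narrow down which devices are resetting, the server log can be grouped by remote address. This is an added example, not part of the original post or of Openfire; it assumes the log header format quoted above, and the function names and sample addresses are constructed for illustration.

```python
import re
from collections import Counter

# Header Openfire logs when a client socket fails (format as quoted in the post).
HEADER = re.compile(
    r"^(?P<ts>\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2}) .*ConnectionHandler reports "
    r"IOException for session: \(SOCKET, R: /(?P<rip>[^,\s]+):(?P<rport>\d+), "
    r"L: (?P<lip>[^,\s]+):(?P<lport>\d+),")
# Exception line of the trace, e.g. "java.io.IOException: Connection reset by peer".
CAUSE = re.compile(r"^(?:Caused by: )?[\w.$]+(?:Exception|Error): (?P<msg>.+)$")

def parse_failures(lines):
    """Return one dict per failed session: timestamp, remote IP, local port, cause."""
    failures, current = [], None
    for raw in lines:
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = {"ts": header["ts"], "remote": header["rip"],
                       "port": int(header["lport"]), "cause": None}
            failures.append(current)
            continue
        cause = CAUSE.match(line)
        # Keep the first cause after a header, whether it precedes or follows the frames.
        if cause and current is not None and current["cause"] is None:
            current["cause"] = cause["msg"]
    return failures

def resets_by_remote(failures, port=5222):
    """Count 'Connection reset by peer' failures per remote IP on one listener port."""
    return Counter(f["remote"] for f in failures
                   if f["port"] == port and f["cause"] == "Connection reset by peer")

# Constructed sample log: documentation addresses, not data from the original post.
SAMPLE_LOG = """\
2013.07.17 15:11:09 org.jivesoftware.openfire.nio.ConnectionHandler - ConnectionHandler reports IOException for session: (SOCKET, R: /192.0.2.10:1470, L: 198.51.100.5:5222, S: 0.0.0.0/0.0.0.0:5222)
java.io.IOException: Connection reset by peer
    at sun.nio.ch.FileDispatcher.read0(Native Method)
2013.07.17 15:12:40 org.jivesoftware.openfire.nio.ConnectionHandler - ConnectionHandler reports IOException for session: (SOCKET, R: /192.0.2.77:2201, L: 198.51.100.5:5222, S: 0.0.0.0/0.0.0.0:5222)
java.io.IOException: Connection timed out
    at sun.nio.ch.FileDispatcher.read0(Native Method)
2013.07.17 15:14:02 org.jivesoftware.openfire.nio.ConnectionHandler - ConnectionHandler reports IOException for session: (SOCKET, R: /192.0.2.10:1493, L: 198.51.100.5:5222, S: 0.0.0.0/0.0.0.0:5222)
    at sun.nio.ch.FileDispatcher.read0(Native Method)
java.io.IOException: Connection reset by peer
"""

if __name__ == "__main__":
    for remote, count in resets_by_remote(parse_failures(SAMPLE_LOG.splitlines())).items():
        print(f"{remote}: {count} connection reset(s) on port 5222")
```

A reset in the log does not say why the client aborted; the grouping only shows which remote addresses to inspect on the client side.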

Hey Martin,

I eventually have a similar problem when using PSI as a client to connect to my Openfire 3.8.2 server. When I use version 0.14, where I can enable “Probe legacy SSL port”, I’m able to connect to my server. When I uncheck this box, the connection will fail without an error message. The same happens when using Psi 0.15 or Psi+, because both don’t support this feature anymore. Other clients work well, like yaxim or xabber on Android or Gajim or Trillian on Windows.

It seems to have something to do with this old SSL method, but I don’t have any idea where to look for a solution. Also, I’m not very deep into this whole SSL/TLS thing.

Hi Sahhak,

Thanks for your reply.

It is indeed a client issue, that I know for sure. We use gloox as an XMPP client. The gloox libraries in relation to our own produced device software version are causing these problems on older devices. We cannot update our custom software on those older devices. They are end of life.

We must hack into the source code of the gloox libraries used and disable TLS negotiation altogether for the troublesome devices (or replace them with newer devices).

Hmm, too bad, I was hoping that anybody has an idea on how to fix this on the server side. At the moment I’m using another client, but would like to use PSI again. Unfortunately this client doesn’t work, as I told before.

Maybe there is a “Fix”, if it is a bug in Openfire 3.8.2, in a future release.