Spark 2.6.3 Invalid Username or Password

Hi, fairly new to Openfire here. I’m working on a new 3.10.0 alpha installation. I chose the alpha because apparently 3.9.3 won’t work with SparkWeb. I tried the 3.9.3 nightly, but failed. Anyway, Sparkweb is working great, authenticates just fine. However, Spark 2.6.3 clients won’t connect, and say Invalid Username or Password. If I go to advanced, check “Use old SSL port method” it connects just fine. This solution isn’t preferable, as I don’t want my users to have to go through the extra step. I suspect I have a problem in my Openfire config, which is by most respects at all defaults except for my LDAP AD config which is also working. Any help would be appreciated!

Old SSL uses 5223 port. Maybe you have only this port open in your firewall on the server with Openfire? Try opening 5222 port or disable firewall temporarily.

wroot,

Thanks for the response. My Windows server (2012 R2) has its firewall off for the time being while I’m troubleshooting. I can use telnet to verify that both 5222 and 5223 are listening. FYI, under Server > Server Settings > Client Connections > Client Ports: Client port is set to 5222, and Client SSL port is set to 5223. Perhaps there is some setting in Openfire that is prohibiting SSL on 5222 which is the “new method”? Spark hangs for about 30 seconds at Authenticating, then says invalid username or password. Where do I go from here? Thanks again.

There is no such setting. 5222 is the current main port for both non-SSL and SSL connections. 5223 will be deprecated at some point. You can check security settings on your server (Admin Console > Server Settings > Security Settings). What setting is on for the client connections? You can disable Old SSL there and set TLS to required. Clients will use the server’s self-signed certificates, unless you have installed other ones.

Also in Spark Advanced settings check if “Automatically discover host and port” is checked. It should be by default, and it should have 5222 port in there.

Awesome, thanks for your help. The setting: Client Connection Security was set to the default, Optional. If I changed to required, the same problem exists. I changed to custom, and the only setting that seemed to have an effect is TLS method Not Available. It works as expected under this setting. Setting TLS to Optional or Required would not allow Spark to connect with default settings. Am I losing a great deal of security benefits turning off TLS? The connection will still be SSL secured using self-signed certificates, right? Thanks!

I’m afraid you are not. You can check this by looking at the bottom of Spark or at the Sessions page in Admin Console; there should be a yellow padlock icon, meaning the connection is encrypted. Also, using TLS is better in the light of recent SSL vulnerabilities discovered by Google (POODLE). I have it on Custom, Old SSL disabled and TLS required.

This is a weird issue. You can’t connect with an encrypted session. I think I have seen something like this (very long login process when using SSL), but I can’t remember exactly what the cause was.

Check the Server Settings > Server Certificates and make sure you do have certificates in there. Even if you have, try deleting them and generate new ones.

Also, do you have Automatic discovery of a host and port checked in Spark’s Advanced Login settings?

I tried deleting and generating new certificates, but it didn’t help. This must be a weird issue with 3.10.0 Alpha. Yes, Spark’s default setting of automatic discovery is set. I decided that I’ve spent too much time troubleshooting, so I’ve gone with this solution: Downgrade to 3.9.1, set TLS to optional. Spark client connects with TLS and gets a lock at the bottom, and SparkWeb connects unencrypted, which I figure is not a problem since SparkWeb and the Openfire server are on the same machine. Thanks again for your help.

Well, I’m using the latest 3.10.0 build on my test machine too. But I’m using the latest Spark 2.7.0 build. This shouldn’t matter, but still (http://bamboo.igniterealtime.org/artifact/SPARK-INSTALL4J/shared/build-668/Install4j/spark_2_7_0_668.exe)

Oh, SSL/TLS with SparkWeb is tricky. I tried to find out how it works many years ago, but I’m still not sure. I tried to compile a howto for it, but it is now old and some files may not be available anymore: SparkWeb HOW-TO

It says, that even if you have SparkWeb on a https site, it is still a client side flash application and once it is downloaded by a browser, then it connects to Openfire server, but not via SSL. The only SSL version by this howto is the Red5 SparkWeb (which uses Old SSL). But it will involve even more testing
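
The thread turns on what the server offers on port 5222 under each Client Connection Security setting. The following is an added example, not part of the original posts and not Openfire or Spark code: it classifies the STARTTLS offer in an XMPP server's opening response as defined in RFC 6120. The sample responses and the `chat.example.test` domain are constructed, and the correspondence of the three results to Openfire's Required, Optional and Not Available settings is an assumption.

```python
import re
import socket
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"

def tls_policy(server_text: str) -> str:
    """Classify the STARTTLS offer in a server's opening stream response."""
    m = re.search(r"<stream:features\b.*?</stream:features>", server_text, re.S)
    if m is None:
        return "no-features"  # e.g. a direct-TLS port answering a plaintext header
    # The stream: prefix is declared on the unclosed <stream:stream>, so redeclare it.
    wrapped = f"<w xmlns:stream='{STREAM_NS}'>{m.group(0)}</w>"
    starttls = ET.fromstring(wrapped)[0].find(f"{{{TLS_NS}}}starttls")
    if starttls is None:
        return "not-offered"  # login on this port would proceed unencrypted
    if starttls.find(f"{{{TLS_NS}}}required") is not None:
        return "required"
    return "optional"

def probe(host: str, domain: str, port: int = 5222, timeout: float = 5.0) -> str:
    """Open a plaintext stream to host:port and classify what the server offers."""
    header = (f"<?xml version='1.0'?><stream:stream to='{domain}' version='1.0' "
              f"xmlns='jabber:client' xmlns:stream='{STREAM_NS}'>")
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(header.encode())
        while b"</stream:features>" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return tls_policy(buf.decode("utf-8", "replace"))

# Constructed sample responses (not captured from a real server).
_OPEN = (f"<?xml version='1.0'?><stream:stream xmlns:stream='{STREAM_NS}' "
         "xmlns='jabber:client' from='chat.example.test' id='c0ffee' version='1.0'>")
_SASL = ("<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
         "<mechanism>PLAIN</mechanism></mechanisms>")
SAMPLES = {
    "optional": f"{_OPEN}<stream:features><starttls xmlns='{TLS_NS}'/>{_SASL}</stream:features>",
    "required": (f"{_OPEN}<stream:features><starttls xmlns='{TLS_NS}'><required/>"
                 f"</starttls></stream:features>"),
    "not-offered": f"{_OPEN}<stream:features>{_SASL}</stream:features>",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", tls_policy(text))
```

Calling `probe()` with your own server's address and XMPP domain after each settings change shows whether port 5222 still advertises STARTTLS, independently of what the client reports.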