I’ve recently been working on getting a CA signed certificate installed in Openfire, requested through XMPP.net and it seems to “partially” work, but still keeps giving issues apparently.
What I mean with “partially” is the fact that the certificate is accepted as CA signed and installed properly in the keystore, the web admin interface successfully negotiates SSL, and presents a verified certificate in my browser. The client connection on 5223 also works without errors (nothing in the logs apart from regular authentication realm information in debug.log). What doesn’t seem to work as it should is s2s connections, which uses a fallback (if I understood correctly) to server dialback in most cases, and the hostname in openfire is not accepted as valid (error is displayed for AltName). Some log excerpts below:
Outgoing server connection (debug log):
2008.05.12 06:12:38 LocalOutgoingServerSession: OS - Trying to connect to jabber.org:5269(DNS lookup: jabber.org:5269)
2008.05.12 06:12:39 LocalOutgoingServerSession: OS - Plain connection to jabber.org:5269 successful 2008.05.12 06:12:39 LocalOutgoingServerSession: OS - Indicating we want TLS to jabber.org 2008.05.12 06:12:40 LocalOutgoingServerSession: OS - Negotiating TLS with jabber.org* 2008.05.12 06:12:40
CertificateManager: SubjectAltName of invalid type found:
EMAILADDRESS=hostmaster@jabber.org, CN=jabber.org, CN=*.jabber.org,
OU=Domain validated only, O=XMPP Standards Foundation, L=Denver,
ST=Colorado, C=US*
-
2008.05.12 06:12:40
CertificateManager: SubjectAltName of invalid type found:
EMAILADDRESS=hostmaster@jabber.org, CN=jabber.org, CN=*.jabber.org,
OU=Domain validated only, O=XMPP Standards Foundation, L=Denver,
ST=Colorado, C=US*
2008.05.12 06:12:43 LocalOutgoingServerSession: OS - TLS negotiation with jabber.org was successful 2008.05.12 06:12:45 LocalOutgoingServerSession: OS - Error, no SASL mechanisms were offered by jabber.org 2008.05.12 06:12:45 LocalOutgoingServerSession: OS - Going to try connecting using server dialback with: jabber.org 2008.05.12 06:12:45 ServerDialback: OS - Trying to connect to jabber.org:5269(DNS lookup: jabber.org:5269) 2008.05.12 06:12:55 ServerDialback: OS - Connection to jabber.org:5269 successful 2008.05.12 06:12:55 ServerDialback: OS - Sent dialback key to host: jabber.org id: 3409094653 from domain: jabber.wolfbeast.com 2008.05.12 06:12:59 Connect Socket[http://addr=/208.68.163.214,port=39719,localport=5269
http://addr=/208.68.163.214,port=39719,localport=5269] 2008.05.12 06:13:02 ServerDialback: RS - Received dialback key from host: jabber.org to: jabber.wolfbeast.com 2008.05.12 06:13:02 ServerDialback: RS - Trying to connect to Authoritative Server: jabber.org:5269(DNS lookup: jabber.org:5269) 2008.05.12 06:13:06 ServerDialback: RS - Connection to AS: jabber.org:5269 successful 2008.05.12 06:13:06 ServerDialback: RS - Asking AS to verify dialback key for id6d7daf8c 2008.05.12 06:13:07 ServerDialback: RS - Key was VERIFIED by the Authoritative Server for: jabber.org 2008.05.12 06:13:07 ServerDialback: RS - Closing connection to Authoritative Server: jabber.org 2008.05.12 06:13:07 ServerDialback: RS - Sending key verification result to OS: jabber.org 2008.05.12 06:13:07 ServerDialback: AS - Verifying key for host: jabber.org id: 3409094653 2008.05.12 06:13:07 ServerDialback: AS - Key was: VALID for host: jabber.org id: 3409094653 2008.05.12 06:13:14 ServerDialback: OS - Validation GRANTED from: jabber.org id: 3409094653 for domain: jabber.wolfbeast.com
I get the same SubjectAltName error on my own certificate that was supplied by XMPP in the same way.
Incoming server connection (error log):
2008.05.12 01:00:48 [org.jivesoftware.openfire.net.SocketReadingMode.negotiateTLS(SocketReadingMode .java:77)
]Error while negotiating TLS:
org.jivesoftware.openfire.net.SocketConnection@c5294d socket:
Socket[http://addr=/194.109.23.90,port=56318,localport=5269
http://addr=/194.109.23.90,port=56318,localport=5269] session:
org.jivesoftware.openfire.session.LocalIncomingServerSession@1066 d88
status: 1 address: jabber.wolfbeast.com/c3fd3030 id: c3fd3030
javax.net.ssl.SSLException: Unsupported record version Unknown-47.115
at com.sun.net.ssl.internal.ssl.EngineInputRecord.bytesInCompletePacket(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source) at javax.net.ssl.SSLEngine.unwrap(Unknown Source) at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.jav a:212) at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:158) at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:1 66) at org.jivesoftware.openfire.net.SocketReadingMode.negotiateTLS(SocketReadingMode. java:74) at org.jivesoftware.openfire.net.BlockingReadingMode.readStream(BlockingReadingMod e.java:127) at org.jivesoftware.openfire.net.BlockingReadingMode.run(BlockingReadingMode.java: 63) at org.jivesoftware.openfire.net.SocketReader.run(SocketReader.java:120) at java.lang.Thread.run(Unknown Source)
debug log for the same:
2008.05.12 01:00:48 Connect Socket[http://addr=/194.109.23.90,port=56318,localport=5269
http://addr=/194.109.23.90,port=56318,localport=5269]
2008.05.12 01:00:49 Connect Socket[http://addr=/194.109.23.90,port=59780,localport=5269
http://addr=/194.109.23.90,port=59780,localport=5269] 2008.05.12 01:00:49 ServerDialback: RS - Received dialback key from host: jabber.xs4all.nl to: jabber.wolfbeast.com 2008.05.12 01:00:49 ServerDialback: RS - Trying to connect to Authoritative Server: jabber.xs4all.nl:5269(DNS lookup: jabber.xs4all.nl:5269) 2008.05.12 01:00:49 ServerDialback: RS - Connection to AS: jabber.xs4all.nl:5269 successful 2008.05.12 01:00:49 ServerDialback: RS - Asking AS to verify dialback key for id88391ee6 2008.05.12 01:00:49 ServerDialback: RS - Key was VERIFIED by the Authoritative Server for: jabber.xs4all.nl 2008.05.12 01:00:49 ServerDialback: RS - Closing connection to Authoritative Server: jabber.xs4all.nl 2008.05.12 01:00:49 ServerDialback: RS - Sending key verification result to OS: jabber.xs4all.nl 2008.05.12 01:00:49
001077 (01/03/00) - #3 registered a statement as closed which wasn’t
known to be open. This could happen if you close a statement twice. 2008.05.12 01:00:49 Connection closed before session established
Socket[http://addr=/194.109.23.90,port=56318,localport=5269
http://addr=/194.109.23.90,port=56318,localport=5269] 2008.05.12 01:11:23
Logging off jabber.xs4all.nl on
org.jivesoftware.openfire.net.SocketConnection@1011f1f socket:
Socket[http://addr=/194.109.23.90,port=59780,localport=5269
http://addr=/194.109.23.90,port=59780,localport=5269] session:
org.jivesoftware.openfire.session.LocalIncomingServerSession@122f 17b
status: 1 address: jabber.xs4all.nl id: 88391ee6
I’m not sure if the incoming server connection error is a problem my end or a problem at xs4all. And I’m not a java programmer so I have no clue about most of these statements here…
Some help appreciated!
Mark.