Hi,
it seems that it was a big mistake to upgrade to 3.7.0. SSL is no longer working reliably. In my desperation, after reading around, I’ve upgraded to 3.7.1 from the nightly builds. I still have problems with other servers. I’ve activated debug logging and got:
2011.05.03 10:45:48 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Trying to connect to remote-server.de:5269(DNS lookup: remote-server.de:5269)
2011.05.03 10:45:48 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Plain connection to remote-server.de:5269 successful
2011.05.03 10:45:48 org.jivesoftware.openfire.session.LocalOutgoingServerSession['remote-server.de'] - Indicating we want TLS to remote-server.de
2011.05.03 10:45:48 org.jivesoftware.openfire.session.LocalOutgoingServerSession['remote-server.de'] - Negotiating TLS...
2011.05.03 10:45:48 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: Handshake error while creating secured outgoing session to remote server: remote-server.de(DNS lookup: remote-server.de:5269)
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:1015)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:480)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1120)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1092)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:452)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:274)
at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:168)
at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:182)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.secureAndAuthenticate(LocalOutgoingServerSession.java:421)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:334)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:167)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:261)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:238)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
at java.lang.Thread.run(Thread.java:662)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1490)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:243)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:533)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:952)
at org.jivesoftware.openfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:325)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:235)
... 10 more
Caused by: java.security.cert.CertificateException: target verification failed of [ejabberd]
at org.jivesoftware.openfire.net.ServerTrustManager.checkServerTrusted(ServerTrustManager.java:180)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1198)
... 17 more
The output above is generated with the following options active:
xmpp.server.certificate.accept-selfsigned true
xmpp.server.dialback.enabled false
xmpp.server.tls.enabled true
xmpp.socket.ssl.active true
When I enable “dialback” it also does not work but the debug (and warn) output differs a bit and looks like this:
2011.05.03 11:04:11 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Trying to connect to remote-server.de:5269(DNS lookup: remote-server.de:5269)
2011.05.03 11:04:11 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Connection to remote-server.de:5269 successful
==> warn.log <==
2011.05.03 11:04:11 org.jivesoftware.openfire.net.ServerTrustManager - Accepting self-signed certificate of remote server: [ejabberd]
==> debug.log <==
2011.05.03 11:04:11 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Sent dialback key to host: remote-server.de id: 284774564 from domain: mhc.im
2011.05.03 11:04:11 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Unexpected answer in validation from: remote-server.de id: 284774564 for domain: mhc.im answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/></stream:features>
2011.05.03 11:04:11 org.jivesoftware.openfire.server.OutgoingServerSocketReader - OutgoingServerSocketReader: Finishing Outgoing Server Reader. No session to close.
java.net.SocketException: Socket closed
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:129)
at org.jivesoftware.openfire.net.ServerTrafficCounter$InputStreamWrapper.read(ServerTrafficCounter.java:221)
at sun.nio.cs.StreamDecoder.readBytes(StreamDecoder.java:264)
at sun.nio.cs.StreamDecoder.implRead(StreamDecoder.java:306)
at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:158)
at java.io.InputStreamReader.read(InputStreamReader.java:167)
at org.xmlpull.mxp1.MXParser.fillBuf(MXParser.java:2992)
at org.xmlpull.mxp1.MXParser.more(MXParser.java:3046)
at org.jivesoftware.openfire.net.MXParser.more(MXParser.java:373)
at org.jivesoftware.openfire.net.MXParser.nextImpl(MXParser.java:85)
at org.xmlpull.mxp1.MXParser.nextToken(MXParser.java:1100)
at org.dom4j.io.XMPPPacketReader.parseDocument(XMPPPacketReader.java:317)
at org.jivesoftware.openfire.server.OutgoingServerSocketReader$1.run(OutgoingServerSocketReader.java:105)
I use a CA-signed certificate. Well, Openfire complains about “One or more certificates are missing.” but does not tell me which and why. How can I find this out?
Can someone please help? I don’t like the idea of being forced to switch to ejabberd. With 3.6 everything worked, now it’s broken … Is there a way to downgrade in a Linux deb setup?
TIA
Matthias
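The first trace above fails in ServerTrustManager.checkServerTrusted with "target verification failed of [ejabberd]": the self-signed certificate is accepted as trusted (xmpp.server.certificate.accept-selfsigned), but the only name it carries, most likely its CN "ejabberd", does not identify the domain remote-server.de. The script below is an added example for this thread, not code from the original post or from Openfire. It implements the identity check that XMPP server-to-server TLS requires (RFC 6120 section 13.7.2 / RFC 6125: SRV-ID, then XmppAddr, then DNS-ID, with the CN used only when the certificate has no subjectAltName identifiers) and includes a helper that performs the same XMPP STARTTLS exchange the dialback log shows (stream header, stream:features, starttls, proceed) to pull the remote certificate for inspection. The dictionary shape for the names, the sample values, and the assumption that "[ejabberd]" is the certificate's CN are mine; the host and domain names come from the post.

```python
"""Does a peer certificate identify an XMPP domain? (added example)

Matching order follows RFC 6120 s.13.7.2 / RFC 6125. The `names` dict shape
({'srv': [...], 'xmppaddr': [...], 'dns': [...], 'cn': str}) is an assumption
of this example; fill it from `openssl x509 -noout -subject -ext subjectAltName`
run on the PEM that fetch_s2s_cert_pem() returns.
"""
import socket
import ssl

SRV_PREFIX = "_xmpp-server."  # SRV-ID form for server-to-server identities


def _norm(name):
    return name.strip().rstrip(".").lower()


def dns_id_matches(pattern, domain):
    """DNS-ID comparison: exact match, or '*' as the complete left-most label
    matching exactly one label ('*.de' and 'f*o.de' are rejected)."""
    pattern, domain = _norm(pattern), _norm(domain)
    if pattern == domain:
        return True
    plabels, dlabels = pattern.split("."), domain.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(dlabels):
        return False
    return plabels[1:] == dlabels[1:]


def cert_matches_domain(names, domain):
    """Return (matched, reason) for the reference identity `domain`."""
    domain = _norm(domain)
    srv = [_norm(n) for n in names.get("srv", [])]
    xmpp = [_norm(n) for n in names.get("xmppaddr", [])]
    dns = names.get("dns", [])
    if SRV_PREFIX + domain in srv:
        return True, "SRV-ID"
    if domain in xmpp:
        return True, "XmppAddr"
    for n in dns:
        if dns_id_matches(n, domain):
            return True, "DNS-ID %s" % n
    if srv or xmpp or dns:
        # SAN identifiers exist, so the CN must not be consulted at all.
        return False, "SAN present but no identifier matches; CN not consulted"
    cn = names.get("cn")
    if cn and _norm(cn) == domain:  # conservative: exact CN match only
        return True, "CN %s (certificate has no SAN)" % cn
    return False, "CN %r does not identify %s" % (cn, domain)


def _read_until(sock, *markers):
    buf = b""
    while not any(m in buf for m in markers):
        chunk = sock.recv(4096)
        if not chunk:
            raise RuntimeError("connection closed before %r" % (markers,))
        buf += chunk
    return buf


def fetch_s2s_cert_pem(host, domain, port=5269, timeout=10):
    """Open a jabber:server stream, request STARTTLS and return the peer's
    leaf certificate as PEM. Verification is disabled on purpose: this is
    for inspection, not for carrying traffic."""
    stream_open = (
        "<?xml version='1.0'?>"
        "<stream:stream xmlns='jabber:server' "
        "xmlns:stream='http://etherx.jabber.org/streams' "
        "to='%s' version='1.0'>" % domain
    )
    starttls = "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(stream_open.encode())
        _read_until(sock, b"</stream:features>")
        sock.sendall(starttls.encode())
        answer = _read_until(sock, b"<proceed", b"<failure")
        if b"<proceed" not in answer:
            raise RuntimeError("peer refused STARTTLS: %r" % answer)
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(sock, server_hostname=domain) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


# Constructed from the log line "target verification failed of [ejabberd]":
# a certificate whose only name is the CN "ejabberd" (assumed, not confirmed).
EJABBERD_DEFAULT = {"cn": "ejabberd", "dns": [], "srv": [], "xmppaddr": []}

if __name__ == "__main__":
    print(cert_matches_domain(EJABBERD_DEFAULT, "remote-server.de"))
```

To see the actual remote certificate, call `fetch_s2s_cert_pem("remote-server.de", "remote-server.de")` from a Python shell, write the PEM to a file and run `openssl x509 -in peer.pem -noout -subject -ext subjectAltName`; the SRV-ID and XmppAddr otherNames show up under subjectAltName. Whatever the signer, a certificate whose only name is "ejabberd" can never pass this check for remote-server.de, so accept-selfsigned alone cannot make that connection succeed. For the local "One or more certificates are missing" message, `keytool -list -v -keystore resources/security/keystore` (run from the Openfire home directory; the default store password in a stock 3.x install is `changeit`) lists which identity certificates the server actually has.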