SSL Shut Down By Server? Connects fail on all ports?

Hi All,

I am running Jive Messenger 2.1.3 on Win2K3 Server with a MySQL 4.1 backend. I initially configured the server. Everything worked out great. I was able to connect over SSL and Non-SSL connections from a remote machine.

I then changed the SYSTEM PROPERTIES as per this link:

http://www.jivesoftware.org/forums/thread.jspa?threadID=13871

The line, which was there in 2.1.2, was no longer there, so I then added the following line to the SYSTEM PROPERTIES box:

xmpp.socket.plain.active = false

This should have disabled non-SSL connections. I also changed the jabber domain to jabberd.misti.com

Now, users cannot connect to the server from remote machines, even on port 5222. However, a client running on the Jive Server machine can connect using port 5222 and the FQDN of jabberd.misti.com.

In a second post I will place in some items from the logs.

Any ideas?

Thanks!!!

Ken

Ken,

If you disable the plain port (5222), your users will need to use the SSL port (5223) to connect to your server. What client are you using? There should be an option to use the “old-style” dedicated XMPP port for SSL on 5223.

Regards,

Matt

Here is some server connection info in regards to the SSL error:

ERROR WINDOW

==========================================

Could not setup SSL socket

javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.

at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)

at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)

at org.jivesoftware.messenger.net.SSLSocketAcceptThread.run(SSLSocketAcceptThread.java:127)

2005.05.25 11:34:17 [org.jivesoftware.messenger.net.SSLSocketAcceptThread.run(SSLSocketAcceptThread.java:150)] Shutting down SSL port - suspected configuration problem

INFO WINDOW:

===============================================

2005.05.25 11:32:15 Jive Messenger stopped

2005.05.25 11:32:15 Server halted

2005.05.25 11:34:12 Started plain (unencrypted) socket on port: 5222

2005.05.25 11:34:16 Started SSL (encrypted) socket on port: 5223

2005.05.25 11:34:16 Multi User Chat domain: conference.jabberd.misti.com

2005.05.25 11:34:16 Jive Messenger 2.1.3 Started

2005.05.25 11:34:17 Shutting down SSL port - suspected configuration problem

2005.05.25 11:34:31 Admin console listening at:

http://jabberd.misti.com:9090

https://jabberd.misti.com:9091

Hi Matt,

We are using Pandion. It worked fine in that SSL configuration with a test server we created with version 2.1.2.

However, we can’t connect at all, and from the SSL Cert info shown, it doesn’t even look like it is reading the cert correctly. The cert was generated by CACERT.org.

Thanks for the help!!! I do appreciate it. Any ideas?

- Ken

OK, this is strange. The Windows Firewall/ICS Sharing service was not active on the server. Meaning the Windows Firewall was OFF. I turned it on, then set the Windows Firewall to OFF. I can now connect on non-SSL connections.

PS - I removed the xmpp line that would restrict connections to only SSL (That was before I did the firewall change)

My posts may have confused some readers. I am still unable to connect with SSL at all. The server thinks it sees a problem and shuts down SSL but the server continues to run for non-SSL connections.

I attempted to remove the SSL Certificate and reinstall it. The certificate installed, but the server still cannot run SSL. This is very frustrating. The information in the above log entries are still valid. Can anyone help?

Thanks!!!

- Ken

Hey Ken,

Check out this other thread, where many solutions are being mentioned: http://www.jivesoftware.org/forums/thread.jspa?messageID=98454#98454 Let us know how it goes.

Regards,

– Gato

We’ve seen a lot of users run into this by now. I’m thinking maybe it’s time to add a tidbit to the SSL guide doc about keytool’s inability to import private keys.

I personally know very little about the keytool stuff. Anybody willing to step up to the plate? Another great feature would be the ability to generate a self-signed cert for the proper server name from inside of the admin console.

Thanks,

Matt

Now, when I first imported the cert from CACert.org, the server worked without any problem. It wasn’t until I tried to only allow SSL connections did this start. This is very interesting.

I do not use Keytool, so I am not sure about that. I did try to use OpenSSL to create my own self signed SSL Cert but that wouldn’t load into Jive’s Admin Interface. I could try this again. Does anyone have the exact commands to do this for it to work with Jive. I will add another post with what I used.

I generated the Cert request with OpenSSL using the following instructions:

# openssl req -nodes -new -keyout private.key -out server.csr

Then the system will try to generate some very random numbers to get a secure key.

Generating a 1024 bit RSA private key

…++++++

…++++++

writing new private key to 'private.key'

You will then be asked to enter information about your company into the certificate. Below is a valid example:

Country Name (2 letter code) :AU

State or Province Name (full name) :NSW

Locality Name (eg, city) :Sydney

Organization Name (eg, company) :CAcert Inc.

Organizational Unit Name (eg, section) :.

Common Name (eg, YOUR name) []:www.cacert.org

Email Address []:no-returns@cacert.org

Finally you will be asked information about 'extra' attributes; you simply hit enter to both these questions.

Next step is that you submit the contents of server.csr to the CAcert website, it should look EXACTLY like the following example otherwise the server may reject your request because it appears to be invalid.



Once you’ve submitted it the system will process your request and send an email back to you containing your server certificate.

I am getting very frustrated with the SSL setting. To the point I am about to give up. I just made a SSL cert with OpenSSL following the directions here:

http://jabberd.jabberstudio.org/2/docs/app_sslkey.html

I get the same error as before:

2005.06.01 12:21:58 Server halted

2005.06.01 12:23:49 Started plain (unencrypted) socket on port: 5222

2005.06.01 12:23:54 Started SSL (encrypted) socket on port: 5223

2005.06.01 12:23:54 Multi User Chat domain: conference.jabberd.misti.com

2005.06.01 12:23:55 Shutting down SSL port - suspected configuration problem

2005.06.01 12:23:55 Jive Messenger 2.1.3 Started

2005.06.01 12:24:11 Admin console listening at:

http://jabberd.misti.com:9090

https://jabberd.misti.com:9091

What configuration can I adjust? Is there anything I can set? Does my MySQL database have ANYTHING to do with this? I have never had such a hard time using a self-signed cert.

Should I wipe my MySQL database, wipe my Jive Install and start over? Please tell me that isn’t it.

Please help.

Here is something f


I found this as well in the system log:

12:39:53.341 WARN!! [Acceptor [SSL: ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=9091]]] org.mortbay.util.ThreadedServer.acceptSocket(ThreadedServer.java:449) >02> EXCEPTION

javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.

at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.checkEnabledSuites(Unknown Source)

at com.sun.net.ssl.internal.ssl.SSLServerSocketImpl.accept(Unknown Source)

at org.mortbay.util.ThreadedServer.acceptSocket(ThreadedServer.java:423)

at org.mortbay.util.ThreadedServer$Acceptor.run(ThreadedServer.java:608)

How are you importing the certificate into the keystore? Are you using keyman? I found this other link that may be of some help. http://mark.foster.cc/kb/openssl-keytool.html

Regards,

– Gato

OK, that is interesting. It leads me to a question though. Does Jive server not use the same type of SSL Certificate that JabberD server uses? I am confused as to what it would need to be converted to?

Jive seems to accept the SSL cert without any problem in the admin interface. From the article you mention, and the steps I used to create the cert from JabberD’s website, what exactly am I looking to do from that article, and why. I would like to understand this a bit more.

OK, I’ll attempt to explain this.

Does Jive server not use the same type of SSL Certificate that JabberD server uses?

It does. An SSL cert is an SSL cert. The difference here is that the Java SSL framework packs the certs into a special little blob called a “keystore,” whereas with most other SSL-enabled services (Apache, jabberd, etc.) they just parse a text file or two.

Jive seems to accept the SSL cert without any problem in the admin interface.

The problem that everybody keeps running into has to do with “keytool,” which is the Java-included program for manipulating these keystore files. Recall that SSL certs are based on public key crypto, and so, a single cert (a.k.a. public key) is not enough by itself… you also need to provide the matching private key. Unfortunately, keytool gives us no way to import private keys. You can import as many certs (a.k.a. public keys) as you like, but they’re all useless in the keystore because they will always be missing their other half.

So, your choices are as follows:

  1. Use keytool to generate the keypair. Yay, happy, everything plays nice.

  2. Use OpenSSL to generate the keypair. Use the IBM Keyman utility to import the keypair into a new Java keystore.

Note that the link two posts back has been floated before, and my take on it is that the other options listed are either defunct or a serious PITA (comparatively).

Tip: If you’re using self-signed certs, you might as well just use the keytool. The only reason to bother with the OpenSSL method is if you already have a cert that you rely on, whether because you paid for it, or because you want the same cert for various other pre-existing services.

Does that all make sense?
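The two routes described in the reply above (keytool generating the pair itself, or an OpenSSL-made pair imported into the keystore), plus a check for the "missing other half" condition, as an added shell example that is not from the thread or from Jive Messenger. The keystore path, password, file names and the sample keytool listings are assumptions; the PKCS#12 import route needs a newer keytool than the JDK 1.5 one discussed here.

```shell
# Added example (not from the thread). Placeholders: keystore path, password.
KEYSTORE="${KEYSTORE:-keystore}"      # Jive's keystore file (path assumed)
STOREPASS="${STOREPASS:-changeit}"    # placeholder password
ALIAS="${ALIAS:-jabberd.misti.com}"   # the XMPP domain from the thread

# Route 1: keytool generates the key pair, so private key and cert are
# created together. The CN must be the domain clients connect to.
gen_self_signed() {
    keytool -genkey -keyalg RSA -alias "$ALIAS" -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" -validity 365 \
        -dname "CN=$ALIAS, O=Example Org, C=US"
}

# Route 2: key pair made with OpenSSL (private.key from the quoted CAcert
# instructions, server.crt the issued cert). keytool -importkeystore with a
# PKCS#12 source exists from JDK 6 on; the 1.5 keytool in the thread could
# not do this, which is why IBM Keyman was suggested instead.
import_openssl_pair() {
    openssl pkcs12 -export -in server.crt -inkey private.key -name "$ALIAS" \
        -out server.p12 -passout "pass:$STOREPASS"
    keytool -importkeystore -srckeystore server.p12 -srcstoretype PKCS12 \
        -srcstorepass "$STOREPASS" -srcalias "$ALIAS" -destalias "$ALIAS" \
        -destkeystore "$KEYSTORE" -deststorepass "$STOREPASS"
}

# Check: read `keytool -list` output on stdin, succeed only if alias $1 is a
# private-key entry. JDK 1.5 prints "keyEntry", newer JDKs "PrivateKeyEntry".
# A server alias shown only as trustedCertEntry is the case that yields
# "No available certificate or key corresponds to the SSL cipher suites".
has_private_key_entry() {
    awk -v a="$1" -F', *' \
        'tolower($1) == tolower(a) && /, *(keyEntry|PrivateKeyEntry), *$/ { found = 1 }
         END { exit !found }'
}

# Constructed sample listings (not output from Ken's server), JDK 1.5 format.
LISTING_CERT_ONLY='Your keystore contains 2 entries

jabberd.misti.com, May 25, 2005, trustedCertEntry,
Certificate fingerprint (MD5): <omitted>
cacert, May 25, 2005, trustedCertEntry,
Certificate fingerprint (MD5): <omitted>'

LISTING_OK='Your keystore contains 1 entry

jabberd.misti.com, Jun 1, 2005, keyEntry,
Certificate fingerprint (MD5): <omitted>'
```

Usage: `keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" | has_private_key_entry "$ALIAS"` should succeed before SSL on 5223 will stay up.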

OK, that makes a lot of sense. Thank you for breaking this down. From what you wrote, it looks like the easiest way to do this is to use keytool. Sounds good.

This leads me to my next question. Where do I actually download and install keytool from?

Some quick Google searches lead me to instructions on its use, some references lead me to the Java SDK.

I finally feel like I am getting somewhere.

The keytool is already in the Jive distribution, included with the JRE. From the SSL doc:

“The Sun JDK (version 1.5.x) ships with all the security tools you need to configure SSL with Jive Messenger. The most important is the keytool located in the JAVA_HOME/bin directory of the JDK.”

So get cmd.exe going and love the CLI.

OK, I used my SSL Key created in OpenSSL by importing it into the keytool SSL Store. I am really confused now. The server gives a lot of errors at start and disables SSL. Here is what I get in terms of errors:

at org.jivesoftware.messenger.container.AdminConsolePlugin.initializePlugin(AdminConsolePlugin.java:146)

at org.jivesoftware.messenger.container.PluginManager.loadPlugin(PluginManager.java:179)

at org.jivesoftware.messenger.container.PluginManager.access$300(PluginManager.java:57)

at org.jivesoftware.messenger.container.PluginManager$PluginMonitor.run(PluginManager.java:408)

Now, what else is strange is that if I try to view SSL settings in the Admin Control Panel I get a blank page.

OK, I used my SSL Key created in OpenSSL by importing it into the keytool SSL Store.

What mechanism did you use to do this?

Do you have both the private key and the certificate imported?