
TLS issue after upgrade openfire 4.2.3

Hello there,
I’m trying to upgrade my Openfire installation from version 4.2.3; however, after the upgrade (I tried both versions 4.3.2 and 4.4.0) I’m unable to connect to the SSL port, as the upgraded Openfire enables only TLS v1.2.
The configuration shows that the supported versions should include TLSv1.1 and TLSv1, but they are not enabled, and older devices/browsers cannot connect. For example, the Chrome browser shows the error “ERR_SSL_VERSION_OR_CIPHER_MISMATCH”.
The configured properties are:
xmpp.socket.ssl.client.protocols SSLv2Hello,SSLv3,TLSv1,TLSv1.1,TLSv1.2
xmpp.socket.ssl.protocols SSLv2Hello,TLSv1,TLSv1.1,TLSv1.2
I have tried different configurations, but none worked.
I’m checking the enabled ciphers via https://www.ssllabs.com/ssltest/analyze.html

Same problem here. Started after 4.4.0 upgrade.

I don’t think the Administrative Console HTTPS port (9091) uses the protocol settings found in xmpp.socket.ssl.protocols.

Strangely enough, it seems to work OK if I connect to it on the server using https://localhost:9091, but if I use server.domain.com:9091, which resolves to the same IP, it bombs out with the cipher mismatch error. Very strange.

I have not tested the admin port 9091, only the port for xmpp clients 7443

Do you use OpenJDK 11? Sounds related: JDK11 TLS Admin Page provides old ssl encryption, prohibits access

No. Originally I was using Oracle Java 8, but some older version, e.g. 1.8.0.181. After the problem I changed to the latest 1.8 OpenJDK available in the Debian repo.

I’m using the included JRE on Windows x64 which shows as 1.8.0_202 Oracle Corporation – Java HotSpot™ 64-Bit Server VM

Whatever it is, it’s new to 4.4.0; it worked fine for years before this version.

Bill, were you using 4.3.2 or some older version before updating to 4.4.0?

I’m using 4.2.3 (I’m having the issue both with 4.4.0 and 4.3.2)

I have fixed my issues by deleting the following system properties:
xmpp.socket.ssl.ciphersuites
xmpp.socket.ssl.client.ciphersuites
Seems like these existed in some of the older versions. Looks like some of the old properties are not used in the newer versions and they are creating conflicts.


I had the exact same issue. The suggested solution did not work for me. After a lot of trial and error I found the culprit.
When a newer version is installed and the server is restarted, Openfire for some reason generates a self-signed certificate in the Certificate Identity Store. This certificate was sitting right next to my certificate (which uses a wildcard for the domain). After the self-signed certificate was removed, a connection to the secure port could be established.

Thank you for reporting the workaround. I have filed this as https://issues.igniterealtime.org/browse/OF-1812

Can you elaborate please? Did you have a certificate that was valid for *.example.org only? Note that strictly speaking, such a certificate is not valid for example.org (unless alternative names are added to the certificate). Can you give an exact example of what XMPP domain you used, and what domain names / SANs were in the certificate?
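The two checks this thread keeps coming back to (which TLS versions port 7443 or 9091 actually negotiates, and whether the certificate the port presents is the stray self-signed one or a wildcard that does not cover the bare XMPP domain) can be run from any machine with OpenSSL, including against an internal host that SSL Labs cannot reach. The script below is an added example, not code from the thread's participants or from the Openfire project; it assumes the openssl command-line tool (1.1.1 or newer, for `-ext`) is installed, and `chat.example.org:7443` is a placeholder host and port.

```shell
#!/bin/sh
# Added diagnostic, not from the thread's participants or the Openfire project.
# Assumes: the openssl CLI (1.1.1+ for -ext) is installed; HOST/PORT are
# placeholders for your own XMPP domain and Openfire TLS port (7443 for
# clients, 9091 for the admin console, as discussed in the thread).
#   usage: sh probe_openfire_tls.sh chat.example.org 7443

HOST=${1:-chat.example.org}   # placeholder XMPP domain, not a real server
PORT=${2:-7443}               # Openfire client TLS port

# Does a certificate DNS name cover a host? A wildcard covers exactly one
# label: *.example.org matches chat.example.org but not example.org or
# a.b.example.org (the point raised in the last reply). Case-insensitive.
name_matches() {
  pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $pattern in
    \*.*)
      suffix=${pattern#"*."}; label=${host%%.*}; rest=${host#*.}
      if [ -n "$label" ] && [ "$rest" != "$host" ] && [ "$rest" = "$suffix" ]; then
        return 0
      fi
      return 1
      ;;
    *)
      if [ "$pattern" = "$host" ]; then return 0; fi
      return 1
      ;;
  esac
}

# Extract DNS names from `openssl x509 -ext subjectAltName` text on stdin,
# e.g. "    DNS:example.org, DNS:*.example.org" -> one name per line.
san_dns_names() {
  tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Subject equal to issuer marks the stray self-signed certificate one poster
# found next to the real one in the identity store. $1 is the x509 text.
is_self_signed() {
  subject=$(printf '%s\n' "$1" | sed -n 's/^subject=//p')
  issuer=$(printf '%s\n' "$1" | sed -n 's/^issuer=//p')
  if [ -n "$subject" ] && [ "$subject" = "$issuer" ]; then return 0; fi
  return 1
}

# Attempt a handshake restricted to one protocol version (-tls1, -tls1_1,
# -tls1_2, -tls1_3). A refused version shows up as "Cipher is (NONE)". On
# newer OpenSSL builds add -cipher 'DEFAULT:@SECLEVEL=0', otherwise the
# probing client itself refuses TLS 1.0/1.1 and every legacy probe reads
# "refused" regardless of what the server offers.
probe_version() {
  out=$(openssl s_client -connect "$HOST:$PORT" -servername "$HOST" "$1" \
        </dev/null 2>&1)
  if printf '%s\n' "$out" | grep -q 'Cipher is' \
     && ! printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
    printf '%-8s accepted\n' "$1"
  else
    printf '%-8s refused\n' "$1"
  fi
}

# Subject, issuer and SANs of the leaf certificate the port presents.
leaf_cert() {
  openssl s_client -connect "$HOST:$PORT" -servername "$HOST" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -ext subjectAltName
}

main() {
  echo "== protocol versions negotiated by $HOST:$PORT =="
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do probe_version "$flag"; done

  echo "== certificate presented =="
  cert=$(leaf_cert) || { echo "could not fetch a certificate"; return 1; }
  printf '%s\n' "$cert" | grep -E '^(subject|issuer)='
  if is_self_signed "$cert"; then
    echo "WARNING: leaf certificate is self-signed (subject == issuer)"
  fi
  # Read names line by line so a wildcard is never glob-expanded by the shell.
  covered=$(printf '%s\n' "$cert" | san_dns_names | while read -r name; do
    if name_matches "$name" "$HOST"; then echo "$name"; fi
  done | tr '\n' ' ')
  if [ -n "$covered" ]; then
    echo "SAN entries covering $HOST: $covered"
  else
    echo "WARNING: no SAN entry covers $HOST"
  fi
}

# Probe only when a host is given; with no arguments the functions are just
# defined so they can be sourced and exercised offline.
if [ "$#" -ge 1 ]; then main; fi
```

Run it once against 7443 and once against 9091, since the thread notes the admin console does not appear to follow xmpp.socket.ssl.protocols. The script only reports what the port presents from the outside; it cannot tell you which Openfire property or keystore entry produced that result, so a surprising line (only `-tls1_2 accepted`, a self-signed leaf, or a wildcard SAN that does not cover the bare domain) is the cue to look at the system properties and the identity store as the posters above did.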