TLS Issue with S2S

Trying to establish server to server connection between our two openfire servers (from servera to serverb).

Notes:

  1. Port 5269 is open between the two servers

  2. Server to Server service enabled on both servers (Server -> Server Settings -> Server to Server)

  3. Server names resolvable via DNS

  4. Server Connection Security set to OPTIONAL on both servers

Below are the entries generated from the debug log viewer when trying to establish connection from a user in servera to another user in serverb. Issue appears to be related to TLS but this is strange since the Server Connection Security value is set to OPTIONAL.

2014.02.04 16:55:10 000785 (01/05/00) - Connection #66 tested: OK
2014.02.04 16:55:10 000786 (01/05/00) - Connection #66 tested: OK
2014.02.04 16:55:10 000786 (01/05/00) - Connection #62 tested: OK
2014.02.04 16:55:10 000787 (01/05/00) - Connection #62 tested: OK
2014.02.04 16:55:22 000787 (01/05/00) - Connection #63 tested: OK
2014.02.04 16:55:22 000788 (01/05/00) - Connection #63 tested: OK
2014.02.04 16:55:24 LocalOutgoingServerSession: OS - Trying to connect to serverb:5269(DNS lookup: serverb:5269)
2014.02.04 16:55:24 LocalOutgoingServerSession: OS - Plain connection to serverb:5269 successful
2014.02.04 16:55:24 LocalOutgoingServerSession: OS - Indicating we want TLS to serverb
2014.02.04 16:55:24 LocalOutgoingServerSession: OS - Negotiating TLS with serverb
2014.02.04 16:55:24 LocalOutgoingServerSession: Handshake error while creating secured outgoing session to remote server: serverb(DNS lookup: serverb:5269)
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Handshaker.java:1015)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:480)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1120)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1092)
    at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:452)
    at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:266)
    at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:160)
    at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:169)
    at org.jivesoftware.openfire.session.LocalOutgoingServerSession.secureAndAuthenticate(LocalOutgoingServerSession.java:391)
    at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:305)
    at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:144)
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:239)
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:216)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:662)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1490)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:243)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1206)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:136)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Handshaker.java:533)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Handshaker.java:952)
    at org.jivesoftware.openfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:317)
    at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:227)
    ... 10 more
Caused by: java.security.cert.CertificateException: root certificate not trusted of [*.serverb]
    at org.jivesoftware.openfire.net.ServerTrustManager.checkServerTrusted(ServerTrustManager.java:143)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1198)
    ... 17 more
2014.02.04 16:55:24 LocalOutgoingServerSession: OS - Going to try connecting using server dialback with: serverb

Observed that the xmpp.server.tls.enabled system property on both servers has a value of ‘true’. Is this supposed to be the case given that the server connection security value is set to OPTIONAL (and not REQUIRED)? When we changed the xmpp.server.tls.enabled property to false on both servers, we were still not able to establish connection between the two servers, although the message in the debug log viewer changed (see below):

2014.02.04 17:21:39 000795 (01/05/00) - Connection #66 tested: OK
2014.02.04 17:21:39 000796 (01/05/00) - Connection #66 tested: OK
2014.02.04 17:21:39 Set parameter http.connection.timeout = 3000
2014.02.04 17:21:39 Set parameter http.socket.timeout = 3000
2014.02.04 17:21:49 LocalOutgoingServerSession: OS - Trying to connect to serverb:5269(DNS lookup: serverb:5269)
2014.02.04 17:21:49 LocalOutgoingServerSession: OS - Plain connection to serverb:5269 successful
2014.02.04 17:21:49 LocalOutgoingServerSession: OS - About to try connecting using server dialback XMPP 1.0 with: serverb
2014.02.04 17:21:49 ServerDialback: OS - Sent dialback key to host: serverb id: c013daff from domain: servera
2014.02.04 17:21:49 Open connection to www.igniterealtime.org:80
2014.02.04 17:21:52 Closing the connection.
2014.02.04 17:21:52 Method retry handler returned false. Automatic recovery will not be attempted
2014.02.04 17:21:52 Releasing connection back to connection manager.
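As an added diagnostic (not part of the original post or of Openfire itself), the script below does by hand what the failing LocalOutgoingServerSession step does: it opens a plain jabber:server stream to the remote host on 5269, checks whether <stream:features> offers STARTTLS, upgrades the connection and verifies the presented certificate chain against a CA file of your choice. The host, domain names and cafile are assumed arguments, and SAMPLE_FEATURES is a constructed sample; a chain that is not anchored in the chosen CA file fails at the same point as the "root certificate not trusted" error in the log above.

```python
import re
import socket
import ssl

XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
# Constructed sample of what a server may send, for offline checks of starttls_offer().
SAMPLE_FEATURES = f"<stream:features><starttls xmlns='{XMPP_TLS_NS}'/></stream:features>"

def stream_header(to_domain, from_domain):
    """Opening header of a server-to-server (jabber:server) XMPP 1.0 stream."""
    return ("<?xml version='1.0'?><stream:stream xmlns='jabber:server' "
            "xmlns:stream='http://etherx.jabber.org/streams' "
            f"to='{to_domain}' from='{from_domain}' version='1.0'>")

def starttls_offer(features_xml):
    """Return (offered, required) for STARTTLS in a <stream:features> element."""
    pat = (r"<starttls\b[^>]*xmlns=['\"]" + re.escape(XMPP_TLS_NS)
           + r"['\"][^>]*(?:/>|>.*?</starttls>)")
    m = re.search(pat, features_xml, re.S)
    return (True, "<required" in m.group(0)) if m else (False, False)

def _read_until(sock, marker, limit=65536):
    buf = b""  # read until the marker shows up, EOF, or the size limit
    while marker.encode() not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", "replace")

def probe_s2s_tls(host, to_domain, from_domain, cafile=None, port=5269, timeout=10):
    """Open a plain s2s stream, negotiate STARTTLS and verify the peer chain
    against cafile (None = the system CA store). Returns a diagnostic dict."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(stream_header(to_domain, from_domain).encode())
        offered, required = starttls_offer(_read_until(sock, "</stream:features>"))
        result = {"starttls_offered": offered, "starttls_required": required,
                  "trusted": False, "error": None}
        if offered:
            sock.sendall(f"<starttls xmlns='{XMPP_TLS_NS}'/>".encode())
        if not offered or "<proceed" not in _read_until(sock, "/>"):
            result["error"] = "remote server did not offer or refused STARTTLS"
            return result
        try:  # an untrusted root or a name mismatch raises here instead of completing
            with ctx.wrap_socket(sock, server_hostname=to_domain) as tls:
                result.update(trusted=True, peer_cert=tls.getpeercert())
        except ssl.SSLError as exc:
            result["error"] = str(exc)
    return result
```

Run it as `probe_s2s_tls("serverb", "serverb", "servera", cafile="/path/to/ca.pem")` from servera; a self-signed or privately issued certificate on serverb shows up as a verification error until `cafile` points at the CA that signed it, which is the same trust relationship Openfire's ServerTrustManager needs in its truststore.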