Unable to connect with Trillian Astra (OldSchool Version) After Update

Hello,

I am using Trillian Astra (OldSchool build beta 104 from the year 2009 :smiley: ) on my Windows notebooks, and after the update of the OpenFire server to 4.8.0 I am unable to connect to the OpenFire server using the Jabber plugin. It's tested on all devices, and the same behavior is on 4.8.1. There is something bugged in the new version. What did u change, how to make it again compatible and working?

I made a pack of my version of Trillian, so u can test http://astra.BRUT.me

Hope it is just something simple o.O

Sorry to hear this. I don’t want to spend the time debugging an ancient application, when there are a gazillion other things to do, sorry. If you can provide specific error messages, or possibly even an XMPP stream between the server and affected client, that could help to narrow down the problem. What was the previous version of Openfire that you used (where this client was still working)?

I understand. It was the last version before - 4.7.5, so one of the changes in 4.8.0 did this. I will try to check, but I dunno how to get the stream. The error message is just

Connection to JABBER has failed: system errorcode “0”.
*** You have been disconnected.

That sadly doesn’t say much. You could try to enable trace logging in Openfire, hoping that it logs something useful. Chances are that you need the client logs though. :confused:

can this help?

2024.03.05 20:56:11.487 ERROR [socket_c2s-thread-8]: org.jivesoftware.openfire.nio.NettyConnection - Problem during connection close or cleanup
javax.net.ssl.SSLHandshakeException: Client requested protocol TLSv1 is not enabled or supported in server context
	at sun.security.ssl.Alert.createSSLException(Alert.java:130) ~[?:?]
	at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:365) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:321) ~[?:?]
	at sun.security.ssl.TransportContext.fatal(TransportContext.java:312) ~[?:?]
	at sun.security.ssl.ClientHello$ClientHelloConsumer.negotiateProtocol(ClientHello.java:870) ~[?:?]
	at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:822) ~[?:?]
	at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:800) ~[?:?]
	at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393) ~[?:?]
	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476) ~[?:?]
	at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1273) ~[?:?]
	at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260) ~[?:?]
	at java.security.AccessController.doPrivileged(AccessController.java:714) ~[?:?]
	at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1205) ~[?:?]
	at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1647) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1493) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1334) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1383) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) ~[netty-common-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[netty-common-4.1.100.Final.jar:4.1.100.Final]
	at java.lang.Thread.run(Thread.java:1583) [?:?]

Ah, yes.

Your client depends on an old version of TLS. It is likely disabled - or possibly not even available - in your updated instance of Openfire.

With a bit of luck, you can enable this in the Openfire admin console. Go to Server > Server Settings > Client Connections and click on the “Advanced Configuration” link, as shown below.

On that page, ensure that the TLSv1 encryption protocol is enabled, and click “Save Settings”.

If this encryption protocol is not listed, then you need to apply configuration changes to the version of Java that you installed. I think that’s documented here.

Ah, looks like that is the change. I have it available and checked, and it is still not connecting. Did u make changes to the TLS, or is it because of the Java, as you now do not have it with the server and I had to install it from Adoptium? Why did u decide this way?

Each version of Java comes with a set of supported TLS protocol versions, of which a subset is enabled by default. This is more of a Java configuration than an Openfire configuration (although Openfire will allow you to override the Java defaults).

This is done for security reasons. TLSv1 is pretty old, and no longer deemed very secure. That’s why by default, many applications disable it.

Yes, it looks like it is disabled by default for this Java, at least I hope so, but I am reading the manual and really do not know how to set the “jdk.tls.client.protocols” system property. When I searched all files in the Java folder for “jdk.tls.client.protocols”, it found only one hit, and it was in the modules file, which is not editable.

You can pass that as an argument to the java command that is starting Openfire. You’ll probably need to edit Openfire’s start script openfire.sh or openfire.bat or something like that and include a -D argument to the list of arguments that is already in there.

but openfire is starting like a service, where to put the argument? and should it look like this?
java -Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2,TLSv1.3,SSLv3,SSLv2Hello"

When running as a service, you can create a vmoptions file. Please refer to Openfire: Installation Guide for the details.

looks like it is not working, I have created this file in bin folder
openfire-service.vmoptions

and put inside this line, is it correct?
-Djdk.tls.client.protocols="TLSv1,TLSv1.1,TLSv1.2,TLSv1.3,SSLv3,SSLv2Hello"

That looks fine. Is the error message still the same?

I am not sure, if it helped, the message is the same, if I disable SSLv2Hello, the message changes to

2024.03.05 23:14:24.399 ERROR [socket_c2s-thread-13]: org.jivesoftware.openfire.nio.NettyConnection - Problem during connection close or cleanup
javax.net.ssl.SSLHandshakeException: SSLv2Hello is not enabled
	at sun.security.ssl.SSLEngineInputRecord.handleUnknownRecord(SSLEngineInputRecord.java:376) ~[?:?]
	at sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:192) ~[?:?]
	at sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:159) ~[?:?]
	at sun.security.ssl.SSLTransport.decode(SSLTransport.java:111) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:736) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:691) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482) ~[?:?]
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679) ~[?:?]
	at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:309) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1441) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1334) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1383) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) ~[netty-common-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[netty-common-4.1.100.Final.jar:4.1.100.Final]
	at java.lang.Thread.run(Thread.java:1583) [?:?]
2024.03.05 23:14:28.378 WARN  [socket_c2s-thread-14]: org.jivesoftware.openfire.nio.NettyXMPPDecoder - Error occurred while decoding XMPP stanza, closing connection: NettyConnection{peer: /178.143.36.103:5960, state: OPEN, session: LocalClientSession{address=brut.me/bd4833c6-c958-4abf-93b4-c193cd7aa35f, streamID=a56rzqutrs, status=CONNECTED, isEncrypted=false, isDetached=false, serverName='brut.me', isInitialized=false, hasAuthToken=false, peer address='178.143.36.103', presence='
<presence type="unavailable"/>'}, Netty channel handler context name: NettyClientConnectionHandler#0}
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: SSLv2Hello is not enabled
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:499) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) ~[netty-transport-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) ~[netty-common-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[netty-common-4.1.100.Final.jar:4.1.100.Final]
	at java.lang.Thread.run(Thread.java:1583) [?:?]
Caused by: javax.net.ssl.SSLHandshakeException: SSLv2Hello is not enabled
	at sun.security.ssl.SSLEngineInputRecord.handleUnknownRecord(SSLEngineInputRecord.java:376) ~[?:?]
	at sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:192) ~[?:?]
	at sun.security.ssl.SSLEngineInputRecord.decode(SSLEngineInputRecord.java:159) ~[?:?]
	at sun.security.ssl.SSLTransport.decode(SSLTransport.java:111) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:736) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:691) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:506) ~[?:?]
	at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:482) ~[?:?]
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679) ~[?:?]
	at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:309) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1441) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1334) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1383) ~[netty-handler-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468) ~[netty-codec-4.1.100.Final.jar:4.1.100.Final]
	... 16 more

now I reinstalled to 4.7.5 and it works perfect, I assume there is a bug in the new version of java u are using with this old tls

and after a successful connection, Trillian shows this in the console

TLS established using DHE-RSA-AES256-SHA (TLSv1/SSLv3).
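
A diagnostic for the handshake errors in this thread, added here as an example (it is not Openfire code and not from any poster; the class name `TlsProtocolReport` is hypothetical). The protocols a JVM will negotiate as a server are also limited by the `jdk.tls.disabledAlgorithms` security property in the `java.security` file, which lists TLSv1 and TLSv1.1 on current JDK builds, while `jdk.tls.client.protocols` only applies to connections the JVM opens as a client. Run it with the same `java` binary and the same `-D` options that the Openfire service uses:

```java
import java.security.Security;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;

// Added diagnostic, not Openfire code. The class name is hypothetical.
public class TlsProtocolReport {

    // Entries of the JVM-wide TLS deny list from the java.security file.
    static Set<String> deniedByPolicy() {
        Set<String> denied = new LinkedHashSet<>();
        String raw = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (raw != null) {
            for (String entry : raw.split(",")) {
                denied.add(entry.trim());
            }
        }
        return denied;
    }

    public static void main(String[] args) throws Exception {
        // Server-mode engine: the role Openfire plays for a connecting client.
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        engine.setUseClientMode(false);

        Set<String> supported = new LinkedHashSet<>(Arrays.asList(engine.getSupportedProtocols()));
        Set<String> enabled = new LinkedHashSet<>(Arrays.asList(engine.getEnabledProtocols()));
        Set<String> denied = deniedByPolicy();

        System.out.println("java.version             = " + System.getProperty("java.version"));
        System.out.println("jdk.tls.client.protocols = " + System.getProperty("jdk.tls.client.protocols"));
        System.out.println("jdk.tls.server.protocols = " + System.getProperty("jdk.tls.server.protocols"));

        // The protocol names that appear in the thread's vmoptions line.
        String[] names = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"};
        for (String p : names) {
            System.out.printf("%-10s supported=%-5b enabled=%-5b inDisabledAlgorithms=%b%n",
                    p, supported.contains(p), enabled.contains(p), denied.contains(p));
        }
    }
}
```

A protocol that shows `supported=true` but `inDisabledAlgorithms=true` is blocked by the JVM's security policy rather than by Openfire's settings.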