Hi Gato,
I’ve been working with Peter and Eddy to get the ICA routine to spit out the correct extensions; I’ve got my cert re-issued with the correct jabber server domain in the extensions, and Openfire doesn’t complain anymore – Success!.. or… not?
Looking at S2S - things were still not encrypted.
Enabling debug, making sure certificate verification was off as well (to exclude a trust problem while negotiating TLS), I got the following output, trying 2 different remote servers:
2008.06.17 19:10:29 LocalOutgoingServerSession: OS - Trying to connect to jabber.anywise.com:5269(DNS lookup: jabber.anywise.com:5269)
2008.06.17 19:10:29 LocalOutgoingServerSession: OS - Plain connection to jabber.anywise.com:5269 successful
2008.06.17 19:10:29 LocalOutgoingServerSession: OS - Indicating we want TLS to jabber.anywise.com
2008.06.17 19:10:29 LocalOutgoingServerSession: OS - Negotiating TLS with jabber.anywise.com
2008.06.17 19:10:30 LocalOutgoingServerSession: OS - TLS negotiation with jabber.anywise.com was successful
2008.06.17 19:10:30 LocalOutgoingServerSession: OS - Error, no SASL mechanisms were offered by jabber.anywise.com
2008.06.17 19:10:30 LocalOutgoingServerSession: OS - Going to try connecting using server dialback with: jabber.anywise.com
2008.06.17 19:10:30 ServerDialback: OS - Trying to connect to jabber.anywise.com:5269(DNS lookup: jabber.anywise.com:5269)
2008.06.17 19:10:30 ServerDialback: OS - Connection to jabber.anywise.com:5269 successful
2008.06.17 19:10:30 ServerDialback: OS - Sent dialback key to host: jabber.anywise.com id: 3344141079 from domain: jabber.wolfbeast.com
2008.06.17 19:10:30 Connect Socket addr=/81.175.86.202,port=49150,localport=5269
2008.06.17 19:10:30 ServerDialback: RS - Received dialback key from host: jabber.anywise.com to: jabber.wolfbeast.com
2008.06.17 19:10:30 ServerDialback: RS - Trying to connect to Authoritative Server: jabber.anywise.com:5269(DNS lookup: jabber.anywise.com:5269)
2008.06.17 19:10:30 ServerDialback: RS - Connection to AS: jabber.anywise.com:5269 successful
2008.06.17 19:10:30 ServerDialback: RS - Asking AS to verify dialback key for id20b1cc58
2008.06.17 19:10:31 ServerDialback: RS - Key was VERIFIED by the Authoritative Server for: jabber.anywise.com
2008.06.17 19:10:31 ServerDialback: RS - Closing connection to Authoritative Server: jabber.anywise.com
2008.06.17 19:10:31 ServerDialback: RS - Sending key verification result to OS: jabber.anywise.com
2008.06.17 19:10:31 ServerDialback: AS - Verifying key for host: jabber.anywise.com id: 3344141079
2008.06.17 19:10:31 ServerDialback: AS - Key was: VALID for host: jabber.anywise.com id: 3344141079
2008.06.17 19:10:31 ServerDialback: OS - Validation GRANTED from: jabber.anywise.com id: 3344141079 for domain: jabber.wolfbeast.com
2008.06.17 19:10:54 CertificateManager: SubjectAltName of invalid type found: EMAILADDRESS=postmaster@wolfbeast.com, CN=jabber.wolfbeast.com, OU=Domain validated only, O=Moonchild Productions, L=SkxC3xB6vde, ST=O, C=SE
2008.06.17 19:10:54 CertificateManager: SubjectAltName of invalid type found: EMAILADDRESS=postmaster@wolfbeast.com, CN=jabber.wolfbeast.com, OU=Domain validated only, O=Moonchild Productions, L=SkxC3xB6vde, ST=O, C=SE
============================
2008.06.17 19:18:16 LocalOutgoingServerSession: OS - Trying to connect to jabber.org:5269(DNS lookup: jabber.org:5269)
2008.06.17 19:18:16 LocalOutgoingServerSession: OS - Plain connection to jabber.org:5269 successful
2008.06.17 19:18:16 LocalOutgoingServerSession: OS - Indicating we want TLS to jabber.org
2008.06.17 19:18:17 LocalOutgoingServerSession: OS - Negotiating TLS with jabber.org
2008.06.17 19:18:18 LocalOutgoingServerSession: OS - TLS negotiation with jabber.org was successful
2008.06.17 19:18:18 LocalOutgoingServerSession: OS - Error, no SASL mechanisms were offered by jabber.org
2008.06.17 19:18:18 LocalOutgoingServerSession: OS - Going to try connecting using server dialback with: jabber.org
2008.06.17 19:18:18 ServerDialback: OS - Trying to connect to jabber.org:5269(DNS lookup: jabber.org:5269)
2008.06.17 19:18:18 ServerDialback: OS - Connection to jabber.org:5269 successful
2008.06.17 19:18:18 ServerDialback: OS - Sent dialback key to host: jabber.org id: 1469403149 from domain: jabber.wolfbeast.com
2008.06.17 19:18:19 Connect Socket addr=/208.68.163.214,port=37026,localport=5269
2008.06.17 19:18:19 ServerDialback: RS - Received dialback key from host: jabber.org to: jabber.wolfbeast.com
2008.06.17 19:18:19 ServerDialback: RS - Trying to connect to Authoritative Server: jabber.org:5269(DNS lookup: jabber.org:5269)
2008.06.17 19:18:19 ServerDialback: RS - Connection to AS: jabber.org:5269 successful
2008.06.17 19:18:20 ServerDialback: RS - Asking AS to verify dialback key for idc5dbc6ec
2008.06.17 19:18:20 ServerDialback: RS - Key was VERIFIED by the Authoritative Server for: jabber.org
2008.06.17 19:18:20 ServerDialback: RS - Closing connection to Authoritative Server: jabber.org
2008.06.17 19:18:20 ServerDialback: RS - Sending key verification result to OS: jabber.org
2008.06.17 19:18:20 ServerDialback: AS - Verifying key for host: jabber.org id: 1469403149
2008.06.17 19:18:20 ServerDialback: AS - Key was: VALID for host: jabber.org id: 1469403149
2008.06.17 19:18:20 ServerDialback: OS - Validation GRANTED from: jabber.org id: 1469403149 for domain: jabber.wolfbeast.com
2008.06.17 19:18:20 Connect Socket addr=/208.68.163.214,port=37031,localport=5269
2008.06.17 19:18:21 ServerDialback: RS - Received dialback key from host: jabber.org to: jabber.wolfbeast.com
2008.06.17 19:18:21 ServerDialback: RS - Trying to connect to Authoritative Server: jabber.org:5269(DNS lookup: jabber.org:5269)
2008.06.17 19:18:21 ServerDialback: RS - Connection to AS: jabber.org:5269 successful
2008.06.17 19:18:21 ServerDialback: RS - Asking AS to verify dialback key for id71add5e4
2008.06.17 19:18:21 ServerDialback: RS - Key was VERIFIED by the Authoritative Server for: jabber.org
2008.06.17 19:18:21 ServerDialback: RS - Closing connection to Authoritative Server: jabber.org
2008.06.17 19:18:21 ServerDialback: RS - Sending key verification result to OS: jabber.org
================================
so… even after all that, it still wants to use SASL with the remote server to authenticate… ?
The SubjectAlternativeName of the new certificate is:
Other Name:
1.3.6.1.5.5.7.8.5=0c 14 6a 61 62 62 65 72 2e 77 6f 6c 66 62 65 61 73 74 2e 63 6f 6d
DNS Name=wolfbeast.com
DNS Name=jabber.wolfbeast.com
The bottom two certmanager complaints in the above log are, if I understood correctly, because of the two DNS names. In that case that should be fine.
I’m not sure if I’m missing anything here. Openfire doesn’t complain about the certificate, the othername XMPP extension has jabber.wolfbeast.com in it which matches my XMPP domain, TLS gets negotiated successfully…
Any ideas?
Mark.
UPDATE:
I’ve pulled out the local test server again and actually got encryption working (that one is using a self-signed certificate, openfire 3.5.1 as I didn’t update it yet), with the following in the debug log of jabber.wolfbeast.com after attempting an inbound s2s connection by sending a presence packet to an account there from the test server:
2008.06.17 19:39:15 Connect Socket addr=/192.168.73.88,port=1239,localport=5269
2008.06.17 19:39:18 LocalOutgoingServerSession: OS - Trying to connect to jabtest:5269(DNS lookup: jabtest:5269)
2008.06.17 19:39:18 LocalOutgoingServerSession: OS - Plain connection to jabtest:5269 successful
2008.06.17 19:39:18 LocalOutgoingServerSession: OS - Indicating we want TLS to jabtest
2008.06.17 19:39:18 LocalOutgoingServerSession: OS - Negotiating TLS with jabtest
2008.06.17 19:39:20 LocalOutgoingServerSession: OS - TLS negotiation with jabtest was successful
2008.06.17 19:39:20 LocalOutgoingServerSession: OS - Stream compression not supoprted by jabtest
2008.06.17 19:39:20 LocalOutgoingServerSession: OS - Starting EXTERNAL SASL with jabtest
2008.06.17 19:39:20 LocalOutgoingServerSession: OS - EXTERNAL SASL with jabtest was successful
Maybe it has something to do with compression, since that’s off on the jabtest server?
The thing still is, that SASL shouldn’t be used
on my LAN it might succeed because the IP address reverse resolves to the correct host name (but on a public network that would be asking too much) – is there a way to completely bypass SASL? I really don’t care if the remote server is “really who they say they are” beyond exchanging server certificate data.
Message was edited by: wolfbeest