Dear All,
We have an Openfire server with around 2,500 users that has been running fine except that at times we have suffered connectivity problems from the Android XMPP client IMO (https://imo.im/).
Currently anyone trying to access our Openfire server from IMO will get an "Incorrect username and/or password" error (even after typing correct credentials).
Although the SSL certificate seems to be properly installed (and other apps work fine: Spark, Pidgin, Adium, Messages, iChat, IM+, etc.) there might be something that's not fully compatible with IMO and we would like to find out. We've contacted IMO in the past to no avail so we're trying to do the debugging from our end.
Information about our environment:
- OS: CentOS 6.4 x86_64
- DB: MySQL 5.1.69
- Security settings: same results with "Optional" and "Required" on http://our-server:9090/ssl-settings.jsp
- Server certs: 1 RSA signed by a CA and valid, and 2 self-signed (we tried deleting the self-signed ones but they seem to be valid)
- sasl.mechs: CRAM-MD5,DIGEST-MD5,PLAIN,EXTERNAL,ANONYMOUS
This is the error shown on warn.log every time someone tries to connect from IMO:
2013.08.01 11:07:04 org.jivesoftware.openfire.nio.NIOConnection - Error retrieving client certificates of: org.jivesoftware.openfire.session.LocalClientSession@22d8cce3 status: 1 address: im.music-group.com/24bb33c4 id: 24bb33c4 presence:
<presence type="unavailable"/>
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
at org.jivesoftware.openfire.nio.NIOConnection.getPeerCertificates(NIOConnection.java:168)
at org.jivesoftware.openfire.net.SASLAuthentication.doExternalAuthentication(SASLAuthentication.java:528)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:245)
at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:179)
at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:181)
at org.apache.mina.common.support.AbstractIoFilterChain$TailFilter.messageReceived(AbstractIoFilterChain.java:570)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.common.IoFilterAdapter.messageReceived(IoFilterAdapter.java:80)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.codec.support.SimpleProtocolDecoderOutput.flush(SimpleProtocolDecoderOutput.java:58)
at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:185)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.filter.executor.ExecutorFilter.processEvent(ExecutorFilter.java:239)
at org.apache.mina.filter.executor.ExecutorFilter$ProcessEventsRunnable.run(ExecutorFilter.java:283)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at java.lang.Thread.run(Unknown Source)
Debugging through openssl shows:
$ openssl s_client -connect im.our-company.com:5222 -starttls xmpp
CONNECTED(00000003)
$ openssl s_client -connect im.our-company.com:5223
CONNECTED(00000003)
depth=2 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/O=*.our-company.com/OU=Domain Control Validated/CN=*.our-company.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
2 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com//www.valicert.com//emailAddress=info@valicert.com
4 s:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com//www.valicert.com//emailAddress=info@valicert.com
i:/L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//emailAddress=info@valicert.com//www.valicert.com//emailAddress=info@valicert.com
---
Server certificate
subject=/O=*.our-company.com/OU=Domain Control Validated/CN=*.our-company.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
---
No client certificate CA names sent
---
SSL handshake has read 6412 bytes and written 288 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : EDH-RSA-DES-CBC3-SHA
Session-ID: 51F9FCC1BCD22236448D7E1907E3B860F6D6F5C2A8456172D0E5B15A19EC6FE1
Session-ID-ctx:
Master-Key: B3632F67DB3D522D98E345A20C8360D5E4701034EBC7EAEE11577316B607A01E190133E890CE907C2EB2BCEFF034B72C
Key-Arg : None
Start Time: 1375337798
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
I've been researching online but did not find much stuff related to this. Could anyone recommend next troubleshooting steps or links to relevant documentation? I've already read the following (to no avail):
http://www.igniterealtime.org/builds/openfire/docs/latest/documentation/ssl-guide.html
http://community.igniterealtime.org/thread/41786
Thank you so much
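The trace in the post is Openfire's SASL EXTERNAL handler (doExternalAuthentication) asking the TLS layer for a client certificate that the client never presented, which is why the failure surfaces to the user as a plain "incorrect username/password" error. As an added example (not part of the post or of Openfire), here is a small scanner over constructed warn.log lines that picks out exactly that pattern per session, so an operator can see whether all the failures come from that one mechanism before touching sasl.mechs; the hostnames and session ids in the sample are placeholders.

```python
import re

# Constructed sample modelled on the warn.log entry quoted in the post; the
# hostnames and session ids are placeholders, and the third entry is an
# unrelated warning added so the classifier has something to ignore.
SAMPLE_WARN_LOG = """\
2013.08.01 11:07:04 org.jivesoftware.openfire.nio.NIOConnection - Error retrieving client certificates of: org.jivesoftware.openfire.session.LocalClientSession@22d8cce3 status: 1 address: im.example.com/24bb33c4 id: 24bb33c4 presence:
<presence type="unavailable"/>
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(Unknown Source)
at org.jivesoftware.openfire.nio.NIOConnection.getPeerCertificates(NIOConnection.java:168)
at org.jivesoftware.openfire.net.SASLAuthentication.doExternalAuthentication(SASLAuthentication.java:528)
at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:245)
2013.08.01 11:09:30 org.jivesoftware.openfire.nio.NIOConnection - Error retrieving client certificates of: org.jivesoftware.openfire.session.LocalClientSession@1a2b3c4d status: 1 address: im.example.com/1a2b3c4d id: 1a2b3c4d presence:
<presence type="unavailable"/>
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at org.jivesoftware.openfire.net.SASLAuthentication.doExternalAuthentication(SASLAuthentication.java:528)
2013.08.01 11:10:00 org.example.Constructed - Unrelated warning with no stack trace
"""

# Every warn.log entry starts with an Openfire timestamp; continuation lines
# (stanza dump, exception, stack frames) do not.
ENTRY_START = re.compile(r"^\d{4}\.\d{2}\.\d{2} \d{2}:\d{2}:\d{2} ", re.M)
SESSION_ID = re.compile(r"\bid: (\w+)")

def split_entries(log_text):
    """Split warn.log text into entries, keeping each stack trace with its header line."""
    starts = [m.start() for m in ENTRY_START.finditer(log_text)]
    ends = starts[1:] + [len(log_text)]
    return [log_text[s:e].rstrip("\n") for s, e in zip(starts, ends)]

def classify(entry):
    """Return a finding when the entry shows SASL EXTERNAL failing for lack of a client cert."""
    if ("SSLPeerUnverifiedException" in entry
            and "SASLAuthentication.doExternalAuthentication" in entry):
        sid = SESSION_ID.search(entry)
        return {"timestamp": entry[:19],
                "session": sid.group(1) if sid else None,
                "finding": "SASL EXTERNAL attempted but the TLS peer presented no verified client certificate"}
    return None

def scan(log_text):
    """All findings in the log, in file order."""
    return [f for f in map(classify, split_entries(log_text)) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_WARN_LOG):
        print(f["timestamp"], f["session"], f["finding"])
```

If every finding comes from doExternalAuthentication, the next check is whether any client actually authenticates with a certificate; if none does, EXTERNAL in sasl.mechs is only an offer that certificate-less clients can pick and then fail on.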