Channel: Ignite Realtime : Discussion List - All Communities

Problems getting secure S2S working - help please?


I'm having trouble getting Openfire S2S working. Some connections (unsecured) work, others don't (which I assume require TLS).

Hopefully someone can help me with this - I've searched already but did not find anything usable.


My setup:

Openfire 3.8.2 on CentOS

CA-signed RSA certificate (StartSSL)

C2S encryption required, no problems there

HTTPS server admin console connection, also no problem. Certificate properly verifies as CA signed.

Unencrypted S2S works as well, ports are available and usable (jabber.at works, jabber.org does not; gmail.com works as well for connectivity with GTalk).


On the S2S screen, none of the connections have a padlock.

Server security is set to optional. I tried compression on and off; it made no difference.


I guess I must be doing something wrong, but I don't know what.

Any help appreciated.


In the logs:

Info log shows unexpected responses:

2013.08.22 11:59:16 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.at id: 2581877302 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><c xmlns="http://jabber.org/protocol/caps" hash="sha-1" node="http://www.process-one.net/en/ejabberd/" ver="P0WUdKPvH9mhE18OCCdv0SmoqHY="/></stream:features>
2013.08.22 12:01:28 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.org id: 63f00d19fc5ea871 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><sm xmlns="urn:xmpp:sm:2"><optional/></sm><bidi xmlns="urn:xmpp:features:bidi"/><dialback xmlns="urn:xmpp:features:dialback"><errors/></dialback></stream:features>
2013.08.22 12:06:32 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.org id: 7d4a66855853c119 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><sm xmlns="urn:xmpp:sm:2"><optional/></sm><bidi xmlns="urn:xmpp:features:bidi"/><dialback xmlns="urn:xmpp:features:dialback"><errors/></dialback></stream:features>
2013.08.22 12:09:54 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.at id: 3104799049 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><c xmlns="http://jabber.org/protocol/caps" hash="sha-1" node="http://www.process-one.net/en/ejabberd/" ver="P0WUdKPvH9mhE18OCCdv0SmoqHY="/></stream:features>
2013.08.22 12:11:43 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.org id: 0fcb91a4d07c6d38 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><sm xmlns="urn:xmpp:sm:2"><optional/></sm><bidi xmlns="urn:xmpp:features:bidi"/><dialback xmlns="urn:xmpp:features:dialback"><errors/></dialback></stream:features>
2013.08.22 12:18:56 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.at id: 656012131 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><c xmlns="http://jabber.org/protocol/caps" hash="sha-1" node="http://www.process-one.net/en/ejabberd/" ver="P0WUdKPvH9mhE18OCCdv0SmoqHY="/></stream:features>
2013.08.22 12:19:37 org.jivesoftware.util.log.util.CommonsLogFactory - Going to buffer response body of large or unknown size. Using getResponseBodyAsStream instead is recommended.
2013.08.22 12:20:57 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.org id: 085b058d88ecc8d4 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><sm xmlns="urn:xmpp:sm:2"><optional/></sm><bidi xmlns="urn:xmpp:features:bidi"/><dialback xmlns="urn:xmpp:features:dialback"><errors/></dialback></stream:features>
2013.08.22 12:21:27 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: proxy.eu.jabber.org id: 32b62e714ed4fd69 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><sm xmlns="urn:xmpp:sm:2"><optional/></sm><bidi xmlns="urn:xmpp:features:bidi"/><dialback xmlns="urn:xmpp:features:dialback"><errors/></dialback></stream:features>
2013.08.22 12:23:28 org.jivesoftware.openfire.session.LocalOutgoingServerSession - Error trying to connect to remote server: eu.jabber.org(DNS lookup: eu.jabber.org:5269)
java.net.UnknownHostException: eu.jabber.org
    at java.net.PlainSocketImpl.connect(Unknown Source)
    at java.net.SocksSocketImpl.connect(Unknown Source)
    at java.net.Socket.connect(Unknown Source)
    at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:280)
    at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:208)
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:261)
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:238)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
2013.08.22 12:25:29 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.org id: 39d7f1d4e3bbd04f for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><sm xmlns="urn:xmpp:sm:2"><optional/></sm><bidi xmlns="urn:xmpp:features:bidi"/><dialback xmlns="urn:xmpp:features:dialback"><errors/></dialback></stream:features>
2013.08.22 12:33:56 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.at id: 556503886 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><c xmlns="http://jabber.org/protocol/caps" hash="sha-1" node="http://www.process-one.net/en/ejabberd/" ver="P0WUdKPvH9mhE18OCCdv0SmoqHY="/></stream:features>
2013.08.22 12:36:31 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.org id: 64096572f030001f for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><sm xmlns="urn:xmpp:sm:2"><optional/></sm><bidi xmlns="urn:xmpp:features:bidi"/><dialback xmlns="urn:xmpp:features:dialback"><errors/></dialback></stream:features>


Debug log for jabber.at (says certificate is not trusted?):

2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Trying to connect to jabber.at:5269(DNS lookup: jabber.at:5269)
2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Plain connection to jabber.at:5269 successful
2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.at'] - Indicating we want TLS to jabber.at
2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.at'] - Negotiating TLS...
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Certificate chain:
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 1: [
[ Cert details snipped ]
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 2: [
[ Cert details snipped ]
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain...
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 2 issuer: 'CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL' subject: 'CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL'
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 1 issuer: 'CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL' subject: 'EMAILADDRESS=postmaster@jabber.at, CN=*.jabber.at, O=Mathias Ertl, L=Vienna, ST=Wien, C=AT, OID.2.5.4.13=5Lt859mGphmFxcuW'
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain root certificate...
2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: Handshake error while creating secured outgoing session to remote server: jabber.at(DNS lookup: jabber.at:5269)
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source)
    at javax.net.ssl.SSLEngine.wrap(Unknown Source)
    at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:274)
    at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:168)
    at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:182)
    at org.jivesoftware.openfire.session.LocalOutgoingServerSession.secureAndAuthenticate(LocalOutgoingServerSession.java:433)
    at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:346)
    at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:167)
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:261)
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:238)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)
    at org.jivesoftware.openfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:325)
    at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:235)
    ... 10 more
Caused by: java.security.cert.CertificateException: Root certificate (subject: CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL) of [*.jabber.at] not trusted.
    at org.jivesoftware.openfire.net.ServerTrustManager.checkServerTrusted(ServerTrustManager.java:171)
    ... 18 more
2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Going to try connecting using server dialback with: jabber.at

Server dialback works, and an unencrypted connection is established.


For jabber.org (which fails completely), it seems to want to use TLS dialback, which fails:

2013.08.22 12:09:41 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Trying to connect to jabber.org:5269(DNS lookup: hermes2.jabber.org:5269)
2013.08.22 12:09:41 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Plain connection to jabber.org:5269 successful
2013.08.22 12:09:41 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Indicating we want TLS to jabber.org
2013.08.22 12:09:41 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Negotiating TLS...
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate chain:
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 1: [
[ snipped ]
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 2: [
[ snipped ]
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 3: [
[ snipped ]
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - Parsing otherName for subject alternative names: 1.3.6.1.5.5.7.8.5
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - ... processing DERTaggedObject: [0][0]conference.jabber.org
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - Parsing otherName for subject alternative names: 1.3.6.1.5.5.7.8.7
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - Ignoring non-XMPP otherName, 1.3.6.1.5.5.7.8.7
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - Parsing otherName for subject alternative names: 1.3.6.1.5.5.7.8.5
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - ... processing DERTaggedObject: [0][0]jabber.org
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - Parsing otherName for subject alternative names: 1.3.6.1.5.5.7.8.7
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - Ignoring non-XMPP otherName, 1.3.6.1.5.5.7.8.7
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain...
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 3 issuer: 'CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL' subject: 'CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL'
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 2 issuer: 'CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL' subject: 'CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL'
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 1 issuer: 'CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL' subject: 'EMAILADDRESS=stpeter@jabber.org, CN=conference.jabber.org, O=J Peter Saint-Andre, L=Parker, ST=Colorado, C=US, OID.2.5.4.13=u4bUqMecBipRWEZy'
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain root certificate...
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain validity (by date)...
2013.08.22 12:09:42 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - TLS negotiation was successful.
2013.08.22 12:09:42 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Stream compression not supported by jabber.org
2013.08.22 12:09:42 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Offering dialback functionality: true
2013.08.22 12:09:42 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Offering EXTERNAL SASL: false
2013.08.22 12:09:42 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Is using a self-signed certificate: false
2013.08.22 12:09:42 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Trying to connecting using dialback over TLS.
2013.08.22 12:09:42 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Sent dialback key to host: jabber.org id: 699b2e71d72af342 from domain: palemoon.net
2013.08.22 12:09:54 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.227.4.163:8243] Closed: org.apache.mina.filter.support.SSLHandler@1f98d01
2013.08.22 12:09:54 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.227.4.163:8243] Unexpected exception from SSLEngine.closeInbound().
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
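Added example, not code from the original post or from the Openfire project: a small offline analyser, in Python, for the kind of log lines quoted in this post. It reads them the way a defender triaging the S2S problem would, per remote domain: what the peer's stream features say about STARTTLS, whether the certificate chain the peer presented ends in a self-signed root, and how the session ended up (TLS established, chain rejected, fallback to dialback). The two cases in the post differ in exactly that respect: jabber.org sends three certificates ending in the self-signed StartCom root and verification passes, while jabber.at sends only leaf plus intermediate and the trust manager reports the intermediate as an untrusted "root". The regular expressions are written against the quoted line shapes only (Openfire 3.8.2 as logged here, no claim about other versions), and the sample lines are trimmed copies of the post's own excerpts.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
# Line shapes taken from the Openfire 3.8.2 log excerpts quoted in the post.
CONNECT_RE = re.compile(r"Trying to connect to (?P<host>[^:\s]+):\d+")
FEATURES_RE = re.compile(r"Ignoring unexpected answer in validation from: (?P<host>\S+) .*?answer:(?P<xml><stream:features.*</stream:features>)")
CHAIN_RE = re.compile(r"Certificate (?P<n>\d+) issuer: '(?P<issuer>[^']*)' subject: '(?P<subject>[^']*)'")
UNTRUSTED_RE = re.compile(r"Root certificate \(subject: (?P<subject>.*?)\) of \[[^\]]*\] not trusted")
TLS_OK_RE = re.compile(r"Session\['(?P<host>[^']+)'\] - TLS negotiation was successful")
PLAIN_DIALBACK_RE = re.compile(r"Going to try connecting using server dialback with: (?P<host>\S+)")
TLS_DIALBACK_RE = re.compile(r"Session\['(?P<host>[^']+)'\] - Trying to connecting using dialback over TLS")

@dataclass
class RemoteReport:
    """What the log says about one outgoing S2S attempt to a remote domain."""
    host: str
    starttls: str = "unknown"             # "required", "offered" or "unknown"
    certs: Dict[int, Tuple[str, str]] = field(default_factory=dict)  # index -> (issuer, subject)
    tls_ok: bool = False
    untrusted_root: Optional[str] = None  # subject the trust manager refused
    dialback: Optional[str] = None        # "plain" or "over TLS"

    def chain_ends_in_root(self) -> Optional[bool]:
        """True when the highest-numbered certificate sent is self-signed (issuer == subject),
        i.e. the peer included its root; a chain stopping at an intermediate only verifies when
        the verifier's trust store already holds that intermediate. None if no chain was logged."""
        if not self.certs:
            return None
        issuer, subject = self.certs[max(self.certs)]
        return issuer == subject

def starttls_status(features_xml: str) -> str:
    """Classify the <starttls> child of a <stream:features> element."""
    starttls = ET.fromstring(features_xml).find(f"{{{TLS_NS}}}starttls")
    if starttls is None:
        return "unknown"
    return "required" if starttls.find(f"{{{TLS_NS}}}required") is not None else "offered"

def analyse(lines) -> Dict[str, RemoteReport]:
    reports: Dict[str, RemoteReport] = {}
    current: Optional[RemoteReport] = None  # host whose TLS handshake is being logged
    get = lambda host: reports.setdefault(host, RemoteReport(host))
    for line in lines:
        if m := CONNECT_RE.search(line):
            current = get(m["host"])
        elif m := FEATURES_RE.search(line):
            get(m["host"]).starttls = starttls_status(m["xml"])
        elif (m := CHAIN_RE.search(line)) and current is not None:
            current.certs[int(m["n"])] = (m["issuer"], m["subject"])
        elif (m := UNTRUSTED_RE.search(line)) and current is not None:
            current.untrusted_root = m["subject"]
        elif m := TLS_OK_RE.search(line):
            get(m["host"]).tls_ok = True
        elif m := PLAIN_DIALBACK_RE.search(line):
            get(m["host"]).dialback = "plain"
        elif m := TLS_DIALBACK_RE.search(line):
            get(m["host"]).dialback = "over TLS"
    return reports

def findings(r: RemoteReport):
    out = [f"{r.host}: peer advertises STARTTLS as {r.starttls}"]
    ends = r.chain_ends_in_root()
    if ends is not None:
        out.append(f"{r.host}: chain of {len(r.certs)} certs " + ("ends in a self-signed root" if ends else "stops at an intermediate, which must already be in the trust store"))
    for flag, text in ((r.untrusted_root, f"handshake rejected, last chain cert not trusted: {r.untrusted_root}"), (r.tls_ok, "TLS established"), (r.dialback, f"authenticating with dialback {r.dialback}")):
        if flag:
            out.append(f"{r.host}: {text}")
    return out

# Constructed sample: trimmed copies of the log lines quoted in the post.
ROOT = "CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL"
INTER = "CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL"
S = "2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession"
T = "2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager"
SAMPLE_LOG = [
    "2013.08.22 11:59:16 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.at id: 2581877302 for domain: palemoon.net answer:"
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls></stream:features>',
    "2013.08.22 12:01:28 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.org id: 63f00d19fc5ea871 for domain: palemoon.net answer:"
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><dialback xmlns="urn:xmpp:features:dialback"><errors/></dialback></stream:features>',
    f"{S} - LocalOutgoingServerSession: OS - Trying to connect to jabber.at:5269(DNS lookup: jabber.at:5269)",
    f"{T} - Certificate 2 issuer: '{ROOT}' subject: '{INTER}'",
    f"{T} - Certificate 1 issuer: '{INTER}' subject: 'EMAILADDRESS=postmaster@jabber.at, CN=*.jabber.at, O=Mathias Ertl, L=Vienna, ST=Wien, C=AT'",
    f"Caused by: java.security.cert.CertificateException: Root certificate (subject: {INTER}) of [*.jabber.at] not trusted.",
    f"{S} - LocalOutgoingServerSession: OS - Going to try connecting using server dialback with: jabber.at",
    f"{S} - LocalOutgoingServerSession: OS - Trying to connect to jabber.org:5269(DNS lookup: hermes2.jabber.org:5269)",
    f"{T} - Certificate 3 issuer: '{ROOT}' subject: '{ROOT}'",
    f"{T} - Certificate 2 issuer: '{ROOT}' subject: '{INTER}'",
    f"{T} - Certificate 1 issuer: '{INTER}' subject: 'EMAILADDRESS=stpeter@jabber.org, CN=conference.jabber.org, O=J Peter Saint-Andre, L=Parker, ST=Colorado, C=US'",
    f"{S}['jabber.org'] - TLS negotiation was successful.",
    f"{S}['jabber.org'] - Trying to connecting using dialback over TLS.",
]

if __name__ == "__main__":
    for report in analyse(SAMPLE_LOG).values():
        print("\n".join(findings(report)))
```

Run it against a full Openfire info/debug log (one line per list entry, stack-trace lines included) to get the same per-domain summary; the attribution of ServerTrustManager lines to a host relies on them following that host's "Trying to connect to" line, as they do in the excerpts above, so interleaved handshakes to several hosts at once would need the thread to be tracked as well.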
