I'm having trouble getting Openfire S2S working. Some connections (unsecured) work, others don't (which I assume require TLS).
Hopefully someone can help me with this - I've searched already but did not find anything usable.
My setup:
Openfire 3.8.2 on CentOS
CA-signed RSA certificate (StartSSL)
C2S encryption required, no problems there
HTTPS server admin console connection, also no problem. Certificate properly verifies as CA signed.
Unencrypted S2S works as well; ports are available and usable (jabber.at works, jabber.org does now; gmail.com works as well for connectivity with GTalk).
On the S2S screen, none of the connections have a padlock.
Server security is set to optional. I tried compression on and off; it made no difference.
I guess I must be doing something wrong, but I don't know what.
Any help appreciated.
In the logs:
Info log shows unexpected responses:
2013.08.22 11:59:16 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.at id: 2581877302 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><c xmlns="http://jabber.org/protocol/caps" hash="sha-1" node="http://www.process-one.net/en/ejabberd/" ver="P0WUdKPvH9mhE18OCCdv0SmoqHY="/></stream:features>
2013.08.22 12:01:28 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.org id: 63f00d19fc5ea871 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><sm xmlns="urn:xmpp:sm:2"><optional/></sm><bidi xmlns="urn:xmpp:features:bidi"/><dialback xmlns="urn:xmpp:features:dialback"><errors/></dialback></stream:features>
2013.08.22 12:06:32 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.org id: 7d4a66855853c119 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><sm xmlns="urn:xmpp:sm:2"><optional/></sm><bidi xmlns="urn:xmpp:features:bidi"/><dialback xmlns="urn:xmpp:features:dialback"><errors/></dialback></stream:features>
2013.08.22 12:09:54 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.at id: 3104799049 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><c xmlns="http://jabber.org/protocol/caps" hash="sha-1" node="http://www.process-one.net/en/ejabberd/" ver="P0WUdKPvH9mhE18OCCdv0SmoqHY="/></stream:features>
2013.08.22 12:11:43 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.org id: 0fcb91a4d07c6d38 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><sm xmlns="urn:xmpp:sm:2"><optional/></sm><bidi xmlns="urn:xmpp:features:bidi"/><dialback xmlns="urn:xmpp:features:dialback"><errors/></dialback></stream:features>
2013.08.22 12:18:56 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.at id: 656012131 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><c xmlns="http://jabber.org/protocol/caps" hash="sha-1" node="http://www.process-one.net/en/ejabberd/" ver="P0WUdKPvH9mhE18OCCdv0SmoqHY="/></stream:features>
2013.08.22 12:19:37 org.jivesoftware.util.log.util.CommonsLogFactory - Going to buffer response body of large or unknown size. Using getResponseBodyAsStream instead is recommended.
2013.08.22 12:20:57 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.org id: 085b058d88ecc8d4 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><sm xmlns="urn:xmpp:sm:2"><optional/></sm><bidi xmlns="urn:xmpp:features:bidi"/><dialback xmlns="urn:xmpp:features:dialback"><errors/></dialback></stream:features>
2013.08.22 12:21:27 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: proxy.eu.jabber.org id: 32b62e714ed4fd69 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><sm xmlns="urn:xmpp:sm:2"><optional/></sm><bidi xmlns="urn:xmpp:features:bidi"/><dialback xmlns="urn:xmpp:features:dialback"><errors/></dialback></stream:features>
2013.08.22 12:23:28 org.jivesoftware.openfire.session.LocalOutgoingServerSession - Error trying to connect to remote server: eu.jabber.org(DNS lookup: eu.jabber.org:5269)
java.net.UnknownHostException: eu.jabber.org
    at java.net.PlainSocketImpl.connect(Unknown Source)
    at java.net.SocksSocketImpl.connect(Unknown Source)
    at java.net.Socket.connect(Unknown Source)
    at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:280)
    at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:208)
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:261)
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:238)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
2013.08.22 12:25:29 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.org id: 39d7f1d4e3bbd04f for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><sm xmlns="urn:xmpp:sm:2"><optional/></sm><bidi xmlns="urn:xmpp:features:bidi"/><dialback xmlns="urn:xmpp:features:dialback"><errors/></dialback></stream:features>
2013.08.22 12:33:56 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.at id: 556503886 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><c xmlns="http://jabber.org/protocol/caps" hash="sha-1" node="http://www.process-one.net/en/ejabberd/" ver="P0WUdKPvH9mhE18OCCdv0SmoqHY="/></stream:features>
2013.08.22 12:36:31 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.org id: 64096572f030001f for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><sm xmlns="urn:xmpp:sm:2"><optional/></sm><bidi xmlns="urn:xmpp:features:bidi"/><dialback xmlns="urn:xmpp:features:dialback"><errors/></dialback></stream:features>
Debug log for jabber.at (says certificate is not trusted?):
2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Trying to connect to jabber.at:5269(DNS lookup: jabber.at:5269)
2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Plain connection to jabber.at:5269 successful
2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.at'] - Indicating we want TLS to jabber.at
2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.at'] - Negotiating TLS...
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Certificate chain:
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 1: [ [ Cert details snipped ]
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 2: [ [ Cert details snipped ]
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain...
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 2 issuer: 'CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL' subject: 'CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL'
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 1 issuer: 'CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL' subject: 'EMAILADDRESS=postmaster@jabber.at, CN=*.jabber.at, O=Mathias Ertl, L=Vienna, ST=Wien, C=AT, OID.2.5.4.13=5Lt859mGphmFxcuW'
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain root certificate...
2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: Handshake error while creating secured outgoing session to remote server: jabber.at(DNS lookup: jabber.at:5269)
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source)
    at javax.net.ssl.SSLEngine.wrap(Unknown Source)
    at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:274)
    at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:168)
    at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:182)
    at org.jivesoftware.openfire.session.LocalOutgoingServerSession.secureAndAuthenticate(LocalOutgoingServerSession.java:433)
    at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:346)
    at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:167)
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:261)
    at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:238)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
    at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
    at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)
    at org.jivesoftware.openfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:325)
    at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:235)
    ... 10 more
Caused by: java.security.cert.CertificateException: Root certificate (subject: CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL) of [*.jabber.at] not trusted.
    at org.jivesoftware.openfire.net.ServerTrustManager.checkServerTrusted(ServerTrustManager.java:171)
    ... 18 more
2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Going to try connecting using server dialback with: jabber.at
Server dialback works, and an unencrypted connection is established.
For jabber.org (which fails completely), it seems to want to use dialback over TLS, which fails:
2013.08.22 12:09:41 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Trying to connect to jabber.org:5269(DNS lookup: hermes2.jabber.org:5269)
2013.08.22 12:09:41 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Plain connection to jabber.org:5269 successful
2013.08.22 12:09:41 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Indicating we want TLS to jabber.org
2013.08.22 12:09:41 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Negotiating TLS...
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate chain:
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 1: [ [ snipped ]
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 2: [ [ snipped ]
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 3: [ [ snipped ]
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - Parsing otherName for subject alternative names: 1.3.6.1.5.5.7.8.5
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - ... processing DERTaggedObject: [0][0]conference.jabber.org
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - Parsing otherName for subject alternative names: 1.3.6.1.5.5.7.8.7
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - Ignoring non-XMPP otherName, 1.3.6.1.5.5.7.8.7
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - Parsing otherName for subject alternative names: 1.3.6.1.5.5.7.8.5
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - ... processing DERTaggedObject: [0][0]jabber.org
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - Parsing otherName for subject alternative names: 1.3.6.1.5.5.7.8.7
2013.08.22 12:09:42 org.jivesoftware.util.CertificateManager - Ignoring non-XMPP otherName, 1.3.6.1.5.5.7.8.7
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain...
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 3 issuer: 'CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL' subject: 'CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL'
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 2 issuer: 'CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL' subject: 'CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL'
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 1 issuer: 'CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL' subject: 'EMAILADDRESS=stpeter@jabber.org, CN=conference.jabber.org, O=J Peter Saint-Andre, L=Parker, ST=Colorado, C=US, OID.2.5.4.13=u4bUqMecBipRWEZy'
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain root certificate...
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain validity (by date)...
2013.08.22 12:09:42 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - TLS negotiation was successful.
2013.08.22 12:09:42 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Stream compression not supported by jabber.org
2013.08.22 12:09:42 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Offering dialback functionality: true
2013.08.22 12:09:42 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Offering EXTERNAL SASL: false
2013.08.22 12:09:42 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Is using a self-signed certificate: false
2013.08.22 12:09:42 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Trying to connecting using dialback over TLS.
2013.08.22 12:09:42 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Sent dialback key to host: jabber.org id: 699b2e71d72af342 from domain: palemoon.net
2013.08.22 12:09:54 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.227.4.163:8243] Closed: org.apache.mina.filter.support.SSLHandler@1f98d01
2013.08.22 12:09:54 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.227.4.163:8243] Unexpected exception from SSLEngine.closeInbound().
javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
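Two things in the logs above decide what each peer gets: the stream:features it advertises (jabber.at marks starttls required, jabber.org leaves it optional) and the shape of the certificate chain it presents (jabber.at sends leaf plus intermediate, and the debug log then names that intermediate as the chain's "root" and rejects it; jabber.org sends leaf, intermediate and the self-signed StartCom root, and verification succeeds). The script below is an added example, not the poster's code and not part of Openfire; it parses constructed log lines abbreviated from the ones quoted above and tabulates, per peer, the starttls policy and whether the presented chain ends in a self-signed certificate, which is the quickest way to spot peers whose chain will be reported as "Root certificate ... not trusted" until the missing CA is present in the truststore.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample, abbreviated from the Openfire 3.8.2 log in the post (one entry per line, DNs shortened).
SAMPLE_LOG = """\
2013.08.22 11:59:16 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.at id: 2581877302 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls></stream:features>
2013.08.22 12:01:28 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: jabber.org id: 63f00d19fc5ea871 for domain: palemoon.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><dialback xmlns="urn:xmpp:features:dialback"><errors/></dialback></stream:features>
2013.08.22 12:09:41 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.org'] - Negotiating TLS...
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 3 issuer: 'CN=StartCom Certification Authority, O=StartCom Ltd., C=IL' subject: 'CN=StartCom Certification Authority, O=StartCom Ltd., C=IL'
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 2 issuer: 'CN=StartCom Certification Authority, O=StartCom Ltd., C=IL' subject: 'CN=StartCom Class 2 Primary Intermediate Server CA, O=StartCom Ltd., C=IL'
2013.08.22 12:09:42 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 1 issuer: 'CN=StartCom Class 2 Primary Intermediate Server CA, O=StartCom Ltd., C=IL' subject: 'CN=conference.jabber.org, O=J Peter Saint-Andre, C=US'
2013.08.22 12:09:54 org.jivesoftware.openfire.session.LocalOutgoingServerSession['jabber.at'] - Negotiating TLS...
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 2 issuer: 'CN=StartCom Certification Authority, O=StartCom Ltd., C=IL' subject: 'CN=StartCom Class 2 Primary Intermediate Server CA, O=StartCom Ltd., C=IL'
2013.08.22 12:09:54 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 1 issuer: 'CN=StartCom Class 2 Primary Intermediate Server CA, O=StartCom Ltd., C=IL' subject: 'CN=*.jabber.at, O=Mathias Ertl, C=AT'
"""

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
FEATURES_RE = re.compile(r"validation from: (\S+) id: \S+ for domain: \S+ answer:(<stream:features.*</stream:features>)")
NEGOTIATE_RE = re.compile(r"LocalOutgoingServerSession\['([^']+)'\] - Negotiating TLS")
CERT_RE = re.compile(r"Certificate (\d+) issuer: '([^']*)' subject: '([^']*)'")

def starttls_policy(log):
    """Peer -> 'required' | 'optional' | 'absent', read from the <stream:features> Openfire logged as 'unexpected'."""
    policy = {}
    for m in FEATURES_RE.finditer(log):
        peer, features_xml = m.groups()
        starttls = ET.fromstring(features_xml).find(f"{{{TLS_NS}}}starttls")
        if starttls is None:
            policy[peer] = "absent"
        else:
            policy[peer] = "required" if starttls.find(f"{{{TLS_NS}}}required") is not None else "optional"
    return policy

def chain_report(log):
    """Peer -> (chain length, subject of last cert sent, last cert self-signed?) from ServerTrustManager lines."""
    chains, peer = defaultdict(dict), None
    for line in log.splitlines():
        if m := NEGOTIATE_RE.search(line):
            peer = m.group(1)                      # subsequent Certificate N lines belong to this peer
        elif (m := CERT_RE.search(line)) and peer:
            chains[peer][int(m.group(1))] = (m.group(2), m.group(3))
    report = {}
    for peer, certs in chains.items():
        issuer, subject = certs[max(certs)]        # highest index = last cert the peer sent, the log's "root"
        report[peer] = (len(certs), subject, issuer == subject)
    return report

for peer, (n, last, self_signed) in chain_report(SAMPLE_LOG).items():
    verdict = "ends in self-signed root" if self_signed else "ends in an intermediate: will be reported as root not trusted"
    print(f"{peer}: starttls {starttls_policy(SAMPLE_LOG).get(peer, 'absent')}, {n} certs, {verdict}")
```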