Hello,
I am trying to get an s2s connection working on TLS only with other XMPP servers.
What I have:
Only incoming connections are working. Outgoing ones are not. (One remote server has a self-signed certificate installed; the other is jabber.org.)
I have only an RSA certificate, which is signed by a trusted CA.
My config options:
xmpp.socket.ssl.active true
xmpp.server.tls.enabled true
xmpp.server.dialback.enabled false
xmpp.server.certificate.accept-selfsigned true
xmpp.domain domain.com
sasl.mechs PLAIN, EXTERNAL
Certificates:
RSA only,
jre/bin/keytool -keystore ./resources/security/keystore -list
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
talamasca, Apr 8, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): something here
made by:
openssl pkcs12 -export -in commercial.crt -inkey commercial.key -out nowy.p12 -name talamasca -CAfile commercial_ca.crt -caname root
keytool -importkeystore -destkeystore keystore -srckeystore /home/cnav/talamasca/gotowe/nowy.p12 -srcstoretype PKCS12 -alias talamasca
errors during connection:
--
2013.04.08 21:57:19 org.apache.mina.filter.executor.ExecutorFilter - Exiting since queue is empty for /83.144.74.202:51288
2013.04.08 21:57:19 org.jivesoftware.openfire.server.OutgoingSessionPromise - OutgoingSessionPromise: Error sending packet to remote server (fast discard):
<presence from="cnav@talamasca.pl/cnav" to="cnav@jabber.org">
<priority>5</priority>
<c xmlns="http://jabber.org/protocol/caps" node="http://psi-im.org/caps" ver="caps-b75d8d2b25" ext="ca cs ep-notify-2 html"/>
</presence>
--
--
2013.04.08 21:57:19 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain...
2013.04.08 21:57:19 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 3 issuer: 'CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL' subject: 'CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL'
2013.04.08 21:57:19 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 2 issuer: 'CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL' subject: 'CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL'
2013.04.08 21:57:19 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: Handshake error while creating secured outgoing session to remote server: jabber.org(DNS lookup: hermes.jabber.org:5269)
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source)
at javax.net.ssl.SSLEngine.wrap(Unknown Source)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:274)
at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:168)
at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:182)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.secureAndAuthenticate(LocalOutgoingServerSession.java:430)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSession(LocalOutgoingServerSession.java:343)
at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain(LocalOutgoingServerSession.java:167)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPacket(OutgoingSessionPromise.java:261)
at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(OutgoingSessionPromise.java:238)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)
at org.jivesoftware.openfire.net.TLSStreamHandler.doTasks(TLSStreamHandler.java:325)
at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:235)
... 10 more
Caused by: java.security.cert.CertificateException: subject/issuer verification failed of [conference.jabber.org, jabber.org]. In certificate 2 of the chain, I expected the issuer to be 'CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL' but was 'CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL'.
at org.jivesoftware.openfire.net.ServerTrustManager.checkServerTrusted(ServerTrustManager.java:140)
... 18 more
--
--
2013.04.08 22:02:01 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain...
2013.04.08 22:02:01 org.jivesoftware.openfire.net.ServerTrustManager - Certificate 1 issuer: 'EMAILADDRESS=admin@daath.pl, CN=*.daath.pl, O=daath, ST=Mazowieckie, C=PL' subject: 'EMAILADDRESS=admin@daath.pl, CN=*.daath.pl, O=daath, ST=Mazowieckie, C=PL'
2013.04.08 22:02:01 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain root certificate...
2013.04.08 22:02:01 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain validity (by date)...
2013.04.08 22:02:01 org.jivesoftware.openfire.session.LocalOutgoingServerSession['daath.pl'] - TLS negotiation was successful.
2013.04.08 22:02:01 org.jivesoftware.openfire.session.LocalOutgoingServerSession['daath.pl'] - Offering dialback functionality: false
2013.04.08 22:02:01 org.jivesoftware.openfire.session.LocalOutgoingServerSession['daath.pl'] - Offering EXTERNAL SASL: true
2013.04.08 22:02:01 org.jivesoftware.openfire.session.LocalOutgoingServerSession['daath.pl'] - Is using a self-signed certificate: true
2013.04.08 22:02:01 org.jivesoftware.openfire.session.LocalOutgoingServerSession['daath.pl'] - As remote server is using self-signed certificate, SASL EXTERNAL is skipped. Attempting dialback over TLS instead.
2013.04.08 22:02:01 org.jivesoftware.openfire.session.LocalOutgoingServerSession['daath.pl'] - Trying to connecting using dialback over TLS.
2013.04.08 22:02:01 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Sent dialback key to host: daath.pl id: 210962183 from domain: talamasca.pl
2013.04.08 22:02:01 org.jivesoftware.openfire.net.BlockingAcceptingMode - Connect Socket[addr=/213.216.102.210,port=16259,localport=5269]
2013.04.08 22:02:02 org.jivesoftware.openfire.net.BlockingReadingMode - Connection closed before session establishedSocket[addr=/213.216.102.210,port=16259,localport=5269]
2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] unwrap()
2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] inNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=58 cap=16665]
2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]
2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] Unwrap res:Status = OK HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 29 bytesProduced = 0
2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] inNetBuffer: java.nio.DirectByteBuffer[pos=29 lim=58 cap=16665]
2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]
2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] Unwrap res:Status = OK HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 29 bytesProduced = 1
2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] inNetBuffer: java.nio.DirectByteBuffer[pos=58 lim=58 cap=16665]
2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] appBuffer: java.nio.DirectByteBuffer[pos=1 lim=33330 cap=33330]
2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] Unwrap res:Status = BUFFER_UNDERFLOW HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 0 bytesProduced = 0
2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] appBuffer: java.nio.DirectByteBuffer[pos=0 lim=1 cap=33330]
2013.04.08 22:02:34 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/83.144.74.202:51288] app data read: HeapBuffer[pos=0 lim=1 cap=1: 0A] (0A)
2013.04.08 22:02:34 org.apache.mina.filter.executor.ExecutorFilter - Launching thread for /83.144.74.202:51288
2013.04.08 22:02:34 org.apache.mina.filter.executor.ExecutorFilter - Exiting since queue is empty for /83.144.74.202:51288
2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] Data Read:
2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] unwrap()
2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] inNetBuffer: java.nio.DirectByteBuffer[pos=0 lim=58 cap=16665]
2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]
2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] Unwrap res:Status = OK HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 29 bytesProduced = 0
2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] inNetBuffer: java.nio.DirectByteBuffer[pos=29 lim=58 cap=16665]
2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] appBuffer: java.nio.DirectByteBuffer[pos=0 lim=33330 cap=33330]
2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] Unwrap res:Status = OK HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 29 bytesProduced = 1
2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] inNetBuffer: java.nio.DirectByteBuffer[pos=58 lim=58 cap=16665]
2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] appBuffer: java.nio.DirectByteBuffer[pos=1 lim=33330 cap=33330]
2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] Unwrap res:Status = BUFFER_UNDERFLOW HandshakeStatus = NOT_HANDSHAKING
bytesConsumed = 0 bytesProduced = 0
2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] appBuffer: java.nio.DirectByteBuffer[pos=0 lim=1 cap=33330]
2013.04.08 22:02:47 org.jivesoftware.openfire.nio.ClientConnectionHandler - [/91.213.162.152:33709] app data read: HeapBuffer[pos=0 lim=1 cap=1: 0A] (0A)
2013.04.08 22:02:47 org.apache.mina.filter.executor.ExecutorFilter - Launching thread for /91.213.162.152:33709
2013.04.08 22:02:47 org.apache.mina.filter.executor.ExecutorFilter - Exiting since queue is empty for /91.213.162.152:33709
--
And when I turn on dialback:
xmpp.server.dialback.enabled true
I get these errors:
2013.04.08 22:14:38 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain root certificate...
2013.04.08 22:14:38 org.jivesoftware.openfire.net.ServerTrustManager - Verifying certificate chain validity (by date)...
2013.04.08 22:14:38 org.jivesoftware.openfire.session.LocalOutgoingServerSession['daath.pl'] - TLS negotiation was successful.
2013.04.08 22:14:38 org.jivesoftware.openfire.session.LocalOutgoingServerSession['daath.pl'] - Offering dialback functionality: false
2013.04.08 22:14:38 org.jivesoftware.openfire.session.LocalOutgoingServerSession['daath.pl'] - Offering EXTERNAL SASL: true
2013.04.08 22:14:38 org.jivesoftware.openfire.session.LocalOutgoingServerSession['daath.pl'] - Is using a self-signed certificate: true
2013.04.08 22:14:38 org.jivesoftware.openfire.session.LocalOutgoingServerSession['daath.pl'] - As remote server is using self-signed certificate, SASL EXTERNAL is skipped. Attempting dialback over TLS instead.
2013.04.08 22:14:38 org.jivesoftware.openfire.session.LocalOutgoingServerSession['daath.pl'] - Trying to connecting using dialback over TLS.
2013.04.08 22:14:38 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Sent dialback key to host: daath.pl id: 3157452682 from domain: talamasca.pl
2013.04.08 22:16:38 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Time out waiting for answer in validation from: daath.pl id: 3157452682 for domain: talamasca.pl
2013.04.08 22:16:38 org.jivesoftware.openfire.session.LocalOutgoingServerSession['daath.pl'] - Dialback over TLS failed
2013.04.08 22:16:38 org.jivesoftware.openfire.session.LocalOutgoingServerSession - LocalOutgoingServerSession: OS - Going to try connecting using server dialback with: daath.pl
2013.04.08 22:16:38 org.jivesoftware.openfire.server.OutgoingServerSocketReader - OutgoingServerSocketReader: Finishing Outgoing Server Reader. No session to close.
java.net.SocketException: Socket closed
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(Unknown Source)
at org.jivesoftware.openfire.net.ServerTrafficCounter$InputStreamWrapper.read(ServerTrafficCounter.java:221)
at java.nio.channels.Channels$ReadableByteChannelImpl.read(Unknown Source)
at org.jivesoftware.openfire.net.TLSStreamReader.doRead(TLSStreamReader.java:78)
at org.jivesoftware.openfire.net.TLSStreamReader.access$000(TLSStreamReader.java:36)
at org.jivesoftware.openfire.net.TLSStreamReader$1.read(TLSStreamReader.java:171)
at sun.nio.cs.StreamDecoder.readBytes(Unknown Source)
at sun.nio.cs.StreamDecoder.implRead(Unknown Source)
at sun.nio.cs.StreamDecoder.read(Unknown Source)
at java.io.InputStreamReader.read(Unknown Source)
at org.xmlpull.mxp1.MXParser.fillBuf(MXParser.java:2992)
at org.xmlpull.mxp1.MXParser.more(MXParser.java:3046)
at org.jivesoftware.openfire.net.MXParser.more(MXParser.java:373)
at org.jivesoftware.openfire.net.MXParser.nextImpl(MXParser.java:85)
at org.xmlpull.mxp1.MXParser.nextToken(MXParser.java:1100)
at org.dom4j.io.XMPPPacketReader.parseDocument(XMPPPacketReader.java:317)
at org.jivesoftware.openfire.server.OutgoingServerSocketReader$1.run(OutgoingServerSocketReader.java:105)
2013.04.08 22:16:38 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Trying to connect to daath.pl:5269(DNS lookup: daath.pl:5269)
2013.04.08 22:16:38 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Connection to daath.pl:5269 successful
2013.04.08 22:16:38 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Sent dialback key to host: daath.pl id: 593371312 from domain: talamasca.pl
Do you have any suggestions?
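The jabber.org failure in the log above is a chain-ordering problem rather than a missing trust anchor: the error text says the trust manager walked the presented chain in the order it arrived and required certificate i's issuer to equal certificate i+1's subject, and the chain arrived as leaf, root, intermediate ("Certificate 2" is the StartCom root, "Certificate 3" the Class 2 intermediate). The following is an added illustration, written for this page and not Openfire's code, that reproduces that strict check on the distinguished names copied from the log and contrasts it with an order-tolerant chain builder that follows issuer links, handling a lone self-signed certificate (the daath.pl case) and a bundle that omits the root. It is in Python rather than Java so it runs stand-alone; certificates are modelled only by their subject and issuer names (no signatures are checked), and the leaf's DN and its issuer are assumptions, since the log shows only the host name and the expected-issuer message.

```python
"""Chain-order check versus order-tolerant chain building.

Constructed example: certificates are stand-ins carrying only the subject
and issuer names that the ordering check in the log inspects. Signature
verification, validity dates and name matching are out of scope here.
"""
from typing import List, NamedTuple, Optional, Set


class Cert(NamedTuple):
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Distinguished names copied from the ServerTrustManager log lines.
ROOT = ("CN=StartCom Certification Authority, OU=Secure Digital Certificate "
        "Signing, O=StartCom Ltd., C=IL")
INTERMEDIATE = ("CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure "
                "Digital Certificate Signing, O=StartCom Ltd., C=IL")
LEAF = "CN=jabber.org"  # assumed: the log shows the host, not the leaf DN

# Order implied by the log ("Certificate 2" is the root, "Certificate 3" the
# intermediate): leaf, root, intermediate. The leaf's issuer is assumed from
# the "expected the issuer to be ..." message.
MISORDERED_CHAIN = [
    Cert(subject=LEAF, issuer=INTERMEDIATE),
    Cert(subject=ROOT, issuer=ROOT),
    Cert(subject=INTERMEDIATE, issuer=ROOT),
]


def strict_order_check(chain: List[Cert]) -> Optional[str]:
    """Walk the chain as presented; cert[i].issuer must equal cert[i+1].subject.

    Returns None on success, otherwise a message in the shape of the log's
    error (1-based certificate numbers)."""
    for i in range(len(chain) - 1):
        expected, actual = chain[i].issuer, chain[i + 1].subject
        if expected != actual:
            return (f"In certificate {i + 2} of the chain, I expected the issuer "
                    f"to be '{expected}' but was '{actual}'.")
    return None


def build_chain(certs: List[Cert]) -> List[Cert]:
    """Reorder an unordered bundle into leaf -> ... -> root by issuer links.

    Stops early if an issuer was not sent (the trust store has to supply it);
    raises ValueError on an empty bundle, several leaves, or a cycle."""
    by_subject = {c.subject: c for c in certs}
    issued = {c.issuer for c in certs if not c.self_signed}
    leaves = [c for c in certs if c.subject not in issued]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf, found {len(leaves)}")
    ordered, seen = [leaves[0]], {leaves[0].subject}
    while not ordered[-1].self_signed:
        nxt = by_subject.get(ordered[-1].issuer)
        if nxt is None:  # issuer not in bundle; must come from the trust store
            break
        if nxt.subject in seen:
            raise ValueError("cycle in chain")
        ordered.append(nxt)
        seen.add(nxt.subject)
    return ordered


def describe(chain: List[Cert], trusted_roots: Set[str]) -> str:
    """Order-tolerant verdict on a presented chain (names only, no signatures)."""
    try:
        ordered = build_chain(chain)
    except ValueError as exc:
        return f"rejected: {exc}"
    last = ordered[-1]
    if last.subject in trusted_roots or last.issuer in trusted_roots:
        return "trusted"
    if len(ordered) == 1 and last.self_signed:
        return "self-signed"  # the daath.pl case in the log
    return "rejected: chain root not trusted"


if __name__ == "__main__":
    print("strict  :", strict_order_check(MISORDERED_CHAIN))
    print("reorder :", [c.subject.split(",")[0] for c in build_chain(MISORDERED_CHAIN)])
    print("verdict :", describe(MISORDERED_CHAIN, {ROOT}))
    print("daath   :", describe([Cert("CN=*.daath.pl", "CN=*.daath.pl")], {ROOT}))
```

The strict walk fails at certificate 2 exactly as the log does, while the order-tolerant builder recovers leaf, intermediate, root and then accepts the chain against the StartCom root. The point for the forum question is that the remote's chain order, not the local keystore, is what that particular handshake tripped over; the daath.pl case is a separate matter, since a self-signed remote cannot satisfy SASL EXTERNAL and the log shows Openfire falling back to dialback, which the posted config has disabled.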