Here is a lot of problems, and all of this dance around rsa and dsa certificates.
All tests were conducted on a centos minimal, created a special for openfire deployment - so, any software conflict is impossible.
Without TLS\SSL openfire's s2s works fine, but, if i on "Accept self-signed certificates. Server dialback over TLS is now available." - we got a problems:
Incoming secure connections works fine - server handles them correctly , and I get the messages.
But outgoing - cause errors such as "404 not found" and "Handshake Error". And we can conclude that the problem in the algorithm of outgoing secure connection or handler certificates.
I tried to install my self-signed certificates(via import), but in this case I only get an additional error - "certificate does not belong to a domain ."
I tried to sign my certificate using a query that gave me openfire - signed certificate was sucessfully installed, but it did not solve the problem.
Looks like that we have global outgoing secured connetcion issue. I test it with 15 servers, including jabber.org
In 3.9.1 this problem in not presented, so i downgraid it(centOS x86_64 - all fine, .rpm)