
Problems with s2s TLS dialback and/or SSL


Hi there!

I'm having problems with my openfire server connecting to some ejabberd servers of my friends.

When I figured that out, we began to troubleshoot the situation and found some things that we were not able to understand.

First of all, I'm running 3.9.3 on an Ubuntu 14.04.1 LTS server with OpenJDK 1.7.0_65.

My certs are from StartSSL, and if I check my server with the xmpp.net tests, it gets ranked A / A (client / server tests).

This makes me feel like "the things can't be that bad"...


However, this is what I get in my logs when I try to connect to his machine.

I'd like to point out that he also uses StartSSL! (Same issuer, so trust shouldn't be a problem, right?)


2015.01.15 23:14:30 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: DOMAIN_Destination id: 501370331 for domain: MYDOMAIN answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><c xmlns="http://jabber.org/protocol/caps" hash="sha-1" node="http://www.process-one.net/en/ejabberd/" ver="Wp7ET2I/GHFNMXYNss2TwKkSrVc="/></stream:features>
2015.01.15 23:14:30 org.jivesoftware.openfire.server.ServerDialback - Error verifying key of remote server: DOMAIN_Destination


After stumbling over these error messages we googled a bit and found this thread (sorry, it's in German):

https://www.kernel-error.de/kernel-error-blog/305-jabber-404-remote-server-not-found-openfire


The author of the thread describes the same error messages as I have and pins it down to a missing intermediate cert.

However, xmpp.net tells me my intermediate cert is there and proper. If I run the command the author pointed out:


openssl s_client -showcerts -connect MYDOMAIN:5222 -starttls xmpp


openssl gives me neither certs nor intermediate certs. (... but this seems to be a bug in openssl.)

(Can someone verify this with their own Openfire server?)


Also, if I check the truststore manually, it looks good:


keytool -list -keystore truststore | grep start

startcom.ca.sub.class1, 10.04.2011, trustedCertEntry,

startcom.ca, 10.04.2011, trustedCertEntry,

startcom.ca.sub2, 15.01.2015, trustedCertEntry,

startcom, 30.01.2007, trustedCertEntry,


Any ideas why I get those error messages?

Any idea how to fix this behavior?


I'd like to get rid of the "Error verifying key of remote server" and the "ServerDialback: OS - Ignoring unexpected answer" messages.

Kind regards!
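The two checks discussed in this post can be scripted so they are repeatable: classifying what the remote ejabberd actually answered during dialback validation (in the quoted log line it is a stream:features stanza that declares STARTTLS as required, not a dialback verify result), and walking the certificate chain that `openssl s_client -showcerts` returns to see whether the intermediate the linked article talks about is present. The following is an added example and not code from the post, from Openfire or from the linked article. The two log lines are the ones quoted above; the `openssl s_client` outputs and the "Example CA" names are constructed placeholders, and the trusted-root set is an assumption standing in for the poster's truststore.

```python
"""Triage helpers for Openfire s2s dialback problems (added example, not from the post).

Two checks:
  1. triage_log():  parse ServerDialback "Ignoring unexpected answer" lines and
     classify the stanza the remote server returned instead of a <db:verify/>.
  2. check_chain(): parse `openssl s_client -showcerts` output and verify the
     chain is linked leaf -> intermediate -> a root we trust.
"""
import re
import xml.etree.ElementTree as ET

# The two ServerDialback lines quoted in the post (domains are the poster's placeholders).
SAMPLE_LOG = """2015.01.15 23:14:30 org.jivesoftware.openfire.server.ServerDialback - ServerDialback: OS - Ignoring unexpected answer in validation from: DOMAIN_Destination id: 501370331 for domain: MYDOMAIN answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><c xmlns="http://jabber.org/protocol/caps" hash="sha-1" node="http://www.process-one.net/en/ejabberd/" ver="Wp7ET2I/GHFNMXYNss2TwKkSrVc="/></stream:features>
2015.01.15 23:14:30 org.jivesoftware.openfire.server.ServerDialback - Error verifying key of remote server: DOMAIN_Destination
"""

NS_STREAMS = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"

ANSWER_RE = re.compile(
    r"Ignoring unexpected answer in validation from: (?P<remote>\S+) "
    r"id: (?P<id>\S+) for domain: (?P<local>\S+) answer:(?P<xml>.+)$"
)


def classify_answer(xml_text):
    """Classify the stanza Openfire received where it expected a dialback verify result."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "{%s}features" % NS_STREAMS:
        return "other:" + root.tag
    starttls = root.find("{%s}starttls" % NS_TLS)
    if starttls is None:
        return "features-without-starttls"
    if starttls.find("{%s}required" % NS_TLS) is not None:
        return "starttls-required"   # peer insists on TLS before anything else on this stream
    return "starttls-optional"


def triage_log(text):
    """Return one finding per 'Ignoring unexpected answer' line: who answered and with what."""
    findings = []
    for line in text.splitlines():
        m = ANSWER_RE.search(line)
        if m:
            findings.append({
                "remote": m.group("remote"),
                "local": m.group("local"),
                "stream_id": m.group("id"),
                "answer": classify_answer(m.group("xml")),
            })
    return findings


# Constructed `openssl s_client -showcerts` output: leaf plus intermediate (PEM bodies are placeholders).
SAMPLE_SHOWCERTS_FULL = """CONNECTED(00000003)
Certificate chain
 0 s:/CN=MYDOMAIN
   i:/O=Example CA/CN=Example Class 1 Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-CERT
-----END CERTIFICATE-----
 1 s:/O=Example CA/CN=Example Class 1 Intermediate CA
   i:/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-INTERMEDIATE-CERT
-----END CERTIFICATE-----
---
"""

# Constructed output of a server that sends only its leaf (the missing-intermediate case).
SAMPLE_SHOWCERTS_LEAF_ONLY = """CONNECTED(00000003)
Certificate chain
 0 s:/CN=MYDOMAIN
   i:/O=Example CA/CN=Example Class 1 Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDER-LEAF-CERT
-----END CERTIFICATE-----
---
"""

CHAIN_ENTRY_RE = re.compile(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_showcerts(output):
    """Extract (subject, issuer) pairs from the 'Certificate chain' section, leaf first."""
    return [{"subject": s.strip(), "issuer": i.strip()} for _, s, i in CHAIN_ENTRY_RE.findall(output)]


def check_chain(chain, trusted_root_subjects):
    """Verdict on the presented chain: each issuer must be the next subject, and the
    last issuer must be a root held in the local truststore."""
    if not chain:
        return "no-certificates"   # nothing returned: STARTTLS not negotiated, or wrong port
    for cert, nxt in zip(chain, chain[1:]):
        if cert["issuer"] != nxt["subject"]:
            return "broken-chain-at:" + cert["subject"]
    last_issuer = chain[-1]["issuer"]
    if last_issuer in trusted_root_subjects:
        return "complete"
    return "missing-issuer:" + last_issuer   # the peer did not send the intermediate


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
    roots = {"/O=Example CA/CN=Example Root CA"}   # assumed: subjects of roots in the truststore
    print(check_chain(parse_showcerts(SAMPLE_SHOWCERTS_FULL), roots))
    print(check_chain(parse_showcerts(SAMPLE_SHOWCERTS_LEAF_ONLY), roots))
    print(check_chain(parse_showcerts(""), roots))
```

Feed the real `openssl s_client -showcerts` output into `parse_showcerts()` instead of the constructed samples. Note that dialback validation runs on the server-to-server port (5269 by default), not the client port 5222 that the command in the post connects to, so the chain worth checking is the one the s2s listener presents; newer OpenSSL releases accept `-starttls xmpp-server` for that port. An empty chain from the s2s port and a `starttls-required` verdict from the log are the two findings that point in different directions (a TLS negotiation that never happened versus a missing intermediate), which is why the script reports them separately.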

