Feed for content matching tag 'security'

webmaster@jivesoftware.com — Thu, 01 Jan 1970 00:00:00 GMT

I run two openfire servers, which recently have been certificated through GoDaddy so that we can remove the requirements for no-auth on certificates, and reject self-signed certificates. One thing that has gotten me lately is why two the two servers are not talking to each other.

One server runs an AD authentication on an internal network across a firewall. Inside and outside the company, my users can connect just fine. However, this server will not initiate a connection to my other server outside the AD domain, outside the network. I've snagged this from the error log on the AD jabber server:

2008.07.08 10:16:03

org.jivesoftware.openfire.net.SocketReadingMode.negotiateTLS(SocketReadingMode.j ava:77)

Error while negotiating TLS:

org.jivesoftware.openfire.net.SocketConnection@682ef9 socket:

Socket[http://addr=/64.151.114.100,port=40797,localport=5269|http://addr=/64.151.114.10 0,port=40797,localport=5269] session:

org.jivesoftware.openfire.session.LocalIncomingServerSession@b14eb

status: 1 address: servepath.com/51155dfe id: 51155dfe

javax.net.ssl.SSLException: Unsupported record version Unknown-47.115at com.sun.net.ssl.internal.ssl.EngineInputRecord.bytesInCompletePacket(EngineInpu tRecord.java:97)at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:754 )at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:669)at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.jav a:212)at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:158) at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:1 66)at org.jivesoftware.openfire.net.SocketReadingMode.negotiateTLS(SocketReadingMode. java:74)at org.jivesoftware.openfire.net.BlockingReadingMode.readStream(BlockingReadingMod e.java:127)at org.jivesoftware.openfire.net.BlockingReadingMode.run(BlockingReadingMode.java: 63)at org.jivesoftware.openfire.net.SocketReader.run(SocketReader.java:120)at java.lang.Thread.run(Thread.java:619)

Now, 64.151.114.100 is the right server, and it is one of the IPs that I have assigned to it, but that server also has four other IPs, one of which I've assigned to openfire and that's 69.59.146.86. I've specified in my openfire.xml the network designation:

</network>

I did make sure the commenting was removed, and I have restarted my jabber server. I've made sure that all records are going to the right place, so here are my SRV entries too:

xmpp-server.tcp.cat6wired.net. 14400 IN SRV 0 0 5269 secure.cat6wired.net.

jabber.tcp.cat6wired.net. 14400 IN SRV 0 0 5269 secure.cat6wired.net.

xmpp-client.tcp.cat6wired.net. 14400 IN SRV 0 0 5222 secure.cat6wired.net.

secure.cat6wired.net. 14400 IN A 69.59.146.86

Now as I understand it, SRV records shouldn't matter in this case, becase this server is actually hosting my domain records for the domain in question (cat6wired.net). This server acts as the ns (ns3 and ns4), and a dig on the srv records will show the full info which I won't paste here.

What I'm wondering, is why does the AD jabber server persistently think that the server its connecting to is the address 64.151.114.100? Shouldn't it connect to address 69.59.146.86? Am I going to have to hack the AD box and put in an entry into /etc/hosts to patch this? Help is appreciated.

~Brian

webmaster@jivesoftware.com — Thu, 01 Jan 1970 00:00:00 GMT

Hi,

openfire 3.6, openldap auth, on centos 5.2 x86_64

I have a working setup but I have a problem in understanding how to name my certificate:

servername:

talk.example.com

certificate view in the admin console:

1.	*.talk.example.com (talk.example.com_dsa)	Aug 8, 2013		Self signed	DSA
2.	talk.example.com (importkey)	Aug 29, 2010		Pending Verification	RSA

I don't know why I have two certs here. It was quite a struggling to import the cert in the keystore by the way. Should I remove one of them ?

DNS SRV Record (bind9):

_xmpp-server._tcp.example.com. 86400 IN SRV 10 0 5269 talk.example.com.
_xmpp-client._tcp.example.com. 86400 IN SRV 10 0 5222 talk.example.com.

Client (adium on mac osx but it should not really matter) configuration:

username: user@example.com

As I am using DNS SRV records I dont need to specify a server name (right ?). I need Strict cert checking to be enable.

And here is my problem: When I connect, the client say:

"This certificate is not valid (host name mismatch)".

As I don't want to say to my users to ignore such message, how should I rename my server or my cert to bypass this problem ?

I've tried to rename the server to just example.com but then I cannot log in the admin console.

Also, is it normal that connected users appear as user@talk.example.com instead of user@example.com ?

And when I try a file transfert, the transfert is directed to user@talk.example.com instead of user@exampe.com. I think my openfire is messing with user name's domain: I can log with user@example but for openfire it is user@talk.example and everything break after this.

Thanks a lot for any help.

webmaster@jivesoftware.com — Thu, 01 Jan 1970 00:00:00 GMT

I am surprised there is no way to audit or archive file transfers via OpenFire.

I would accept filename, sender, and receiver - not necessarily to archive.

Anyone know how to do this?

We want to leave file transfers enabled but need to know how to audit them.

Cheers!

Dan

webmaster@jivesoftware.com — Thu, 01 Jan 1970 00:00:00 GMT

Using an chat bot client, I came to aquire a bad user entry in the Openfire database that I can't remove via the admin interface. This entry is conflicting with the actual user's account and that user can no longer log in.

Steps to reproduce (some may not be necessary)...

Version 3.5.2 Openfire using authentication configured against an Active Directory LDAP
All users are also part of an LDAP group
Enable contact list group sharing on that group with a group name like 'All'
Create a user in the active directory called Howie
Make Howie a member of the affore mentioned AD group containing all users
Refresh Openfire until is picks up the new user and Howie can log in
Install 'Howie the Chatterbot' on a client PC
Configure howie.ini to connect with the Howie user credentials, but leave the line 'resource = default' as is
Run the howie client

Result:

The Howie user no longer appears in the Openfire User Summary page and the user can not login
On the Group Summary for the 'All' group, the user appears as default@your.server.com and is not hyperlinked (see attachment)
Since the group is readonly, you can't purge it and pick it up from AD again
No amount of clearing cache or changin LDAP connection settings or restarting the server fixes the issue

I'm assuming that the Howie client tried to login using the correct credentials but for some reason then identified itself as default@your.server.com which confused Openfire which renamed the user and flagged it as a remote user. Since this isn't supposed to happen, there is no feature in the interface to purge that incorrect user data.

Possible security issue as it completely locks that user out of the system. I'm not sure if the problem would have occured even if the wrong user credentials were entered, but I can test this and if so that's a big concern. There is not even anyway for the administrator to fix the problem as far as I can tell (other than completely reinstalling Openfire).

webmaster@jivesoftware.com — Thu, 01 Jan 1970 00:00:00 GMT

Hello,

i installed to Openfire 3.5.1 with the .deb packages on Ubuntu hardy and created with the admin console self signed ssl certificates.

Now i got a lof of these exceptions:

2008.04.27 11:58:40 org.jivesoftware.openfire.net.TLSWrapper.<init>(TLSWrapper.java:114) TLSHandler startup problem.

&n bsp; the KeyStore or TrustStore does not exist

&n bsp; java.io.IOException

&n bsp; at org.jivesoftware.openfire.net.SSLConfig.gets2sTrustStore(SSLConfig.java:279)

&n bsp; at org.jivesoftware.openfire.net.TLSWrapper.<init>(TLSWrapper.java:73)

&n bsp; at org.jivesoftware.openfire.net.TLSStreamHandler.<init>(TLSStreamHandler.ja va:97)

&n bsp; at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:1 60)

&n bsp; at org.jivesoftware.openfire.net.SocketReadingMode.negotiateTLS(SocketReadingMode. java:74)

&n bsp; at org.jivesoftware.openfire.net.BlockingReadingMode.readStream(BlockingReadingMod e.java:127)

&n bsp; at org.jivesoftware.openfire.net.BlockingReadingMode.run(BlockingReadingMode.java: 63)

&n bsp; at org.jivesoftware.openfire.net.SocketReader.run(SocketReader.java:120)

&n bsp; at java.lang.Thread.run(Thread.java:619)

&n bsp; 2008.04.27 11:58:41 org.jivesoftware.openfire.net.TLSWrapper.<init>(TLSWrapper.java:114) TLSHandler startup problem.

&n bsp; the KeyStore or TrustStore does not exist

&n bsp; java.io.IOException

&n bsp; at org.jivesoftware.openfire.net.SSLConfig.gets2sTrustStore(SSLConfig.java:279)

&n bsp; at org.jivesoftware.openfire.net.TLSWrapper.<init>(TLSWrapper.java:73)

&n bsp; at org.jivesoftware.openfire.net.TLSStreamHandler.<init>(TLSStreamHandler.ja va:97)

&n bsp; at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:1 60)

&n bsp; at org.jivesoftware.openfire.session.LocalOutgoingServerSession.secureAndAuthentic ate(LocalOutgoingServerSession.java:370)

&n bsp; at org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSess ion(LocalOutgoingServerSession.java:303)

&n bsp; at org.jivesoftware.openfire.session.LocalOutgoingServerSession.authenticateDomain (LocalOutgoingServerSession.java:144)

&n bsp; at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.sendPa cket(OutgoingSessionPromise.java:215)

&n bsp; at org.jivesoftware.openfire.server.OutgoingSessionPromise$PacketsProcessor.run(Ou tgoingSessionPromise.java:194)

&n bsp; at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java: 885)

&n bsp; at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)

&n bsp; at java.lang.Thread.run(Thread.java:619)

&n bsp; 2008.04.27 11:58:41 org.jivesoftware.openfire.session.LocalOutgoingServerSession.createOutgoingSessi on(LocalOutgoingServerSession.java:339) Error creating secured outgoing session to remote server: im.rajango.net(DNS lookup: im.rajango.net:5269)

&n bsp; java.lang.NullPointerException

&n bsp; at org.jivesoftware.openfire.net.TLSStreamHandler.<init>(TLSStreamHandler.ja va:114)