Ive modified (with some help from Gato) openfire to handle EXTERNAL auth for c2s connections (its in trunk if you want to see).  The problem so far is clients- Smack dosnt handle EXTERNAL auth correctly, thus neither does Spark. That makes it a bit harder to test things.  Ive found tkabber correctly handles sending client certificates on SSL/TLS connections, and was easy enough to modify to deal with EXTERNAL auth.  The problem is, after a successful authentication, the connection gets dropped. 

Gato: this is mostly for you, but anyone else might have some insight is welcome to chime in.

How do I go about tracking this problem down? There is nothing in the logs after the successful auth.