SSL Connection problems

Posted by Mark Straver (47 posts since May 11, 2008), May 12, 2008 4:57 AM
1 reply; last post: May 13, 2008 4:12 AM by Mark Straver

I've recently been working on getting a CA-signed certificate installed in Openfire, requested through XMPP.net, and it seems to "partially" work, but still keeps giving issues apparently.

What I mean by "partially" is the fact that the certificate is accepted as CA-signed and installed properly in the keystore, and the web admin interface successfully negotiates SSL and presents a verified certificate in my browser. The client connection on 5223 also works without errors (nothing in the logs apart from regular authentication realm information in debug.log). What doesn't seem to work as it should is s2s connections, which use a fallback (if I understood correctly) to server dialback in most cases, and the hostname in Openfire is not accepted as valid (an error is displayed for AltName). Some log excerpts below:

-

Outgoing server connection (debug log):

2008.05.12 06:12:38 LocalOutgoingServerSession: OS - Trying to connect to jabber.org:5269(DNS lookup: jabber.org:5269)
2008.05.12 06:12:39 LocalOutgoingServerSession: OS - Plain connection to jabber.org:5269 successful
2008.05.12 06:12:39 LocalOutgoingServerSession: OS - Indicating we want TLS to jabber.org
2008.05.12 06:12:40 LocalOutgoingServerSession: OS - Negotiating TLS with jabber.org
2008.05.12 06:12:40 CertificateManager: SubjectAltName of invalid type found: EMAILADDRESS=hostmaster@jabber.org, CN=jabber.org, CN=*.jabber.org, OU=Domain validated only, O=XMPP Standards Foundation, L=Denver, ST=Colorado, C=US
2008.05.12 06:12:40 CertificateManager: SubjectAltName of invalid type found: EMAILADDRESS=hostmaster@jabber.org, CN=jabber.org, CN=*.jabber.org, OU=Domain validated only, O=XMPP Standards Foundation, L=Denver, ST=Colorado, C=US
2008.05.12 06:12:43 LocalOutgoingServerSession: OS - TLS negotiation with jabber.org was successful
2008.05.12 06:12:45 LocalOutgoingServerSession: OS - Error, no SASL mechanisms were offered by jabber.org
2008.05.12 06:12:45 LocalOutgoingServerSession: OS - Going to try connecting using server dialback with: jabber.org
2008.05.12 06:12:45 ServerDialback: OS - Trying to connect to jabber.org:5269(DNS lookup: jabber.org:5269)
2008.05.12 06:12:55 ServerDialback: OS - Connection to jabber.org:5269 successful
2008.05.12 06:12:55 ServerDialback: OS - Sent dialback key to host: jabber.org id: 3409094653 from domain: jabber.wolfbeast.com
2008.05.12 06:12:59 Connect Socket[addr=/208.68.163.214,port=39719,localport=5269]
2008.05.12 06:13:02 ServerDialback: RS - Received dialback key from host: jabber.org to: jabber.wolfbeast.com
2008.05.12 06:13:02 ServerDialback: RS - Trying to connect to Authoritative Server: jabber.org:5269(DNS lookup: jabber.org:5269)
2008.05.12 06:13:06 ServerDialback: RS - Connection to AS: jabber.org:5269 successful
2008.05.12 06:13:06 ServerDialback: RS - Asking AS to verify dialback key for id6d7daf8c
2008.05.12 06:13:07 ServerDialback: RS - Key was VERIFIED by the Authoritative Server for: jabber.org
2008.05.12 06:13:07 ServerDialback: RS - Closing connection to Authoritative Server: jabber.org
2008.05.12 06:13:07 ServerDialback: RS - Sending key verification result to OS: jabber.org
2008.05.12 06:13:07 ServerDialback: AS - Verifying key for host: jabber.org id: 3409094653
2008.05.12 06:13:07 ServerDialback: AS - Key was: VALID for host: jabber.org id: 3409094653
2008.05.12 06:13:14 ServerDialback: OS - Validation GRANTED from: jabber.org id: 3409094653 for domain: jabber.wolfbeast.com

I get the same SubjectAltName error on my own certificate that was supplied by XMPP in the same way.

-

Incoming server connection (error log):

2008.05.12 01:00:48 [org.jivesoftware.openfire.net.SocketReadingMode.negotiateTLS(SocketReadingMode.java:77)] Error while negotiating TLS: org.jivesoftware.openfire.net.SocketConnection@c5294d socket: Socket[addr=/194.109.23.90,port=56318,localport=5269] session: org.jivesoftware.openfire.session.LocalIncomingServerSession@1066d88 status: 1 address: jabber.wolfbeast.com/c3fd3030 id: c3fd3030
javax.net.ssl.SSLException: Unsupported record version Unknown-47.115
        at com.sun.net.ssl.internal.ssl.EngineInputRecord.bytesInCompletePacket(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(Unknown Source)
        at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
        at org.jivesoftware.openfire.net.TLSStreamHandler.doHandshake(TLSStreamHandler.java:212)
        at org.jivesoftware.openfire.net.TLSStreamHandler.start(TLSStreamHandler.java:158)
        at org.jivesoftware.openfire.net.SocketConnection.startTLS(SocketConnection.java:166)
        at org.jivesoftware.openfire.net.SocketReadingMode.negotiateTLS(SocketReadingMode.java:74)
        at org.jivesoftware.openfire.net.BlockingReadingMode.readStream(BlockingReadingMode.java:127)
        at org.jivesoftware.openfire.net.BlockingReadingMode.run(BlockingReadingMode.java:63)
        at org.jivesoftware.openfire.net.SocketReader.run(SocketReader.java:120)
        at java.lang.Thread.run(Unknown Source)

debug log for the same:

2008.05.12 01:00:48 Connect Socket[addr=/194.109.23.90,port=56318,localport=5269]
2008.05.12 01:00:49 Connect Socket[addr=/194.109.23.90,port=59780,localport=5269]
2008.05.12 01:00:49 ServerDialback: RS - Received dialback key from host: jabber.xs4all.nl to: jabber.wolfbeast.com
2008.05.12 01:00:49 ServerDialback: RS - Trying to connect to Authoritative Server: jabber.xs4all.nl:5269(DNS lookup: jabber.xs4all.nl:5269)
2008.05.12 01:00:49 ServerDialback: RS - Connection to AS: jabber.xs4all.nl:5269 successful
2008.05.12 01:00:49 ServerDialback: RS - Asking AS to verify dialback key for id88391ee6
2008.05.12 01:00:49 ServerDialback: RS - Key was VERIFIED by the Authoritative Server for: jabber.xs4all.nl
2008.05.12 01:00:49 ServerDialback: RS - Closing connection to Authoritative Server: jabber.xs4all.nl
2008.05.12 01:00:49 ServerDialback: RS - Sending key verification result to OS: jabber.xs4all.nl
2008.05.12 01:00:49 001077 (01/03/00) - #3 registered a statement as closed which wasn't known to be open. This could happen if you close a statement twice.
2008.05.12 01:00:49 Connection closed before session established Socket[addr=/194.109.23.90,port=56318,localport=5269]
2008.05.12 01:11:23 Logging off jabber.xs4all.nl on org.jivesoftware.openfire.net.SocketConnection@1011f1f socket: Socket[addr=/194.109.23.90,port=59780,localport=5269] session: org.jivesoftware.openfire.session.LocalIncomingServerSession@122f17b status: 1 address: jabber.xs4all.nl id: 88391ee6

-

I'm not sure if the incoming server connection error is a problem on my end or a problem at xs4all. And I'm not a Java programmer, so I have no clue about most of these statements here...

Some help appreciated!

Mark.
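The two log excerpts in the post can be read mechanically, which is useful when the same pattern shows up across many s2s peers. The Python script below is an added example, not code from the post or from Openfire. It takes the outgoing-session lines quoted above (reproduced here as constructed sample input), records how far the s2s negotiation with jabber.org got (TLS negotiated, no SASL mechanism offered, fallback to server dialback, two SubjectAltName warnings), and decodes the `Unsupported record version Unknown-47.115` message from the error log. The decoding assumes, as JSSE's ProtocolVersion naming does, that the two numbers are the unsigned decimal values of the version bytes in the TLS record header; the "looks like text" verdict is a heuristic, not proof of what the remote side sent.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the outgoing-session lines from the post's debug log,
# condensed to the entries this example inspects (hosts, times and ids as in the post).
DEBUG_LOG = """\
2008.05.12 06:12:39 LocalOutgoingServerSession: OS - Plain connection to jabber.org:5269 successful
2008.05.12 06:12:39 LocalOutgoingServerSession: OS - Indicating we want TLS to jabber.org
2008.05.12 06:12:40 LocalOutgoingServerSession: OS - Negotiating TLS with jabber.org
2008.05.12 06:12:40 CertificateManager: SubjectAltName of invalid type found: EMAILADDRESS=hostmaster@jabber.org, CN=jabber.org, CN=*.jabber.org, OU=Domain validated only, O=XMPP Standards Foundation, L=Denver, ST=Colorado, C=US
2008.05.12 06:12:40 CertificateManager: SubjectAltName of invalid type found: EMAILADDRESS=hostmaster@jabber.org, CN=jabber.org, CN=*.jabber.org, OU=Domain validated only, O=XMPP Standards Foundation, L=Denver, ST=Colorado, C=US
2008.05.12 06:12:43 LocalOutgoingServerSession: OS - TLS negotiation with jabber.org was successful
2008.05.12 06:12:45 LocalOutgoingServerSession: OS - Error, no SASL mechanisms were offered by jabber.org
2008.05.12 06:12:45 LocalOutgoingServerSession: OS - Going to try connecting using server dialback with: jabber.org
2008.05.12 06:13:14 ServerDialback: OS - Validation GRANTED from: jabber.org id: 3409094653 for domain: jabber.wolfbeast.com
"""

# The exception line from the post's error log, verbatim.
ERROR_LINE = "javax.net.ssl.SSLException: Unsupported record version Unknown-47.115"

# TLS record-layer version numbers (major, minor) a JSSE of that era would accept.
KNOWN_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def decode_record_version(message: str) -> Optional[Dict[str, object]]:
    """Recover the two version bytes behind JSSE's 'Unsupported record version
    Unknown-M.m' (assumption: M and m are the unsigned decimal values of the record
    header's version bytes) and say whether they look like TLS or like text."""
    m = re.search(r"Unsupported record version Unknown-(\d+)\.(\d+)", message)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    raw = bytes([major, minor])
    return {
        "major": major,
        "minor": minor,
        "raw": raw,
        "known_tls": KNOWN_VERSIONS.get((major, minor)),
        # Two printable ASCII bytes are a strong hint that the peer wrote plaintext
        # (for XMPP: XML) where a TLS record was expected.
        "looks_like_text": all(0x20 <= b < 0x7F for b in raw),
    }


def summarize_s2s(log: str, host: str) -> Dict[str, object]:
    """Walk the debug log and record which steps of the outgoing s2s negotiation
    with `host` were reached, plus the number of SubjectAltName warnings seen."""
    summary: Dict[str, object] = {
        "tls_started": False, "tls_ok": False, "sasl_offered": None,
        "dialback_fallback": False, "dialback_granted": False, "san_warnings": 0,
    }
    for line in log.splitlines():
        if "CertificateManager: SubjectAltName of invalid type found" in line:
            summary["san_warnings"] += 1
            continue
        if host not in line:
            continue
        if f"Negotiating TLS with {host}" in line:
            summary["tls_started"] = True
        elif f"TLS negotiation with {host} was successful" in line:
            summary["tls_ok"] = True
        elif f"no SASL mechanisms were offered by {host}" in line:
            summary["sasl_offered"] = False
        elif f"server dialback with: {host}" in line:
            summary["dialback_fallback"] = True
        elif f"Validation GRANTED from: {host}" in line:
            summary["dialback_granted"] = True
    return summary


def explain(summary: Dict[str, object], version: Optional[Dict[str, object]]) -> List[str]:
    """Turn the two analyses into short findings a log reader can act on."""
    notes: List[str] = []
    if summary["tls_ok"] and summary["sasl_offered"] is False:
        notes.append("TLS was established but the peer offered no SASL mechanism, "
                     "so the session fell back to server dialback")
    if summary["san_warnings"]:
        notes.append(f"{summary['san_warnings']} SubjectAltName warning(s): the peer "
                     "certificate's SAN entries are of a type Openfire reports as invalid")
    if version and version["known_tls"] is None:
        what = ("printable text, so the peer most likely sent plaintext where a TLS "
                "record was expected" if version["looks_like_text"]
                else "not a TLS version JSSE knows")
        notes.append(f"record version bytes {version['raw']!r} are {what}")
    return notes


if __name__ == "__main__":
    s = summarize_s2s(DEBUG_LOG, "jabber.org")
    v = decode_record_version(ERROR_LINE)
    for note in explain(s, v):
        print("-", note)
```

For the post's values, 47 and 115 are 0x2F and 0x73, the ASCII characters `/` and `s`: printable text rather than any TLS version number, which is consistent with the remote side having written XML stream data rather than a TLS handshake at the moment Openfire's TLSStreamHandler started reading. That does not by itself say which side is misconfigured; it only narrows the question to what the peer sends after the STARTTLS exchange.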