Jive Software Open Source

  • Openfire
  • OF-438

C2S ssl doesn't appear to work.


Details

  • Type: Bug
  • Status: Open
  • Priority: Blocker
  • Resolution: Unresolved
  • Affects Version/s: 3.7.0
  • Fix Version/s: None
  • Component/s: Core
  • Labels: None
  • Acceptance Test - Add?: No

Description

To reproduce:

Configure Openfire to require secure client connections.

Configure a client that has SSL but not TLS (e.g. Kopete) and try to connect.

Result: connection fails - nothing is logged.

Clients that support TLS can connect.

Activity

Timo Harder added a comment - 08/02/11 04:11 PM

I debugged this and saw there is a problem with the SSL ciphers: the DHE ciphers are broken. Other SSL ciphers work without problems.
Using:
openssl s_client -connect $Jabberserverhostname:5223 -cipher ECDHE-RSA-AES128-SHA
it works.
If I use:
openssl s_client -connect $Jabberserverhostname:5223 -cipher DHE-RSA-AES128-SHA
I get this:

CONNECTED(00000004)
depth=3 C = DE, O = Deutsche Telekom AG, OU = T-TeleSec Trust Center, CN = Deutsche Telekom Root CA 2
verify error:num=19:self signed certificate in certificate chain
verify return:0

After this the connection dies.

Timo Harder added a comment - 08/02/11 04:15 PM

FTR: I am using Openfire 3.7.0 on OpenSolaris

Marcin Cieślak added a comment - 12/10/11 04:46 PM

I just tested those openssl commands against Openfire server 3.7.1 r12905 (trunk) running on FreeBSD/amd64 on both "diablo" (Sun) JDK 1.6.0 as well as a recent OpenJDK 6.

Diablo Java(TM) SE Runtime Environment (build 1.6.0_07-b02)
Diablo Java HotSpot(TM) 64-Bit Server VM (build 10.0-b23, mixed mode)

I have "Unlimited Strength Policy Files" installed.

Marcin Cieślak added a comment - 12/10/11 04:47 PM

And I forgot to add: I can connect with 5223 with ECDHE-RSA-AES128-SHA as well.

Neustradamus added a comment - 01/17/12 05:32 AM

Note: 5223 was removed in the XMPP protocol since the beginning. It can be removed.

Guus der Kinderen added a comment - 02/10/12 03:32 PM

If I apply Timo's debug to xmpp.igniterealtime.org, I'm not getting any error either. Timo, is there a chance that the problem is local to your instance?
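
An added example, not part of the issue thread: a POSIX shell wrapper for the per-cipher openssl s_client test used in the comments above. It judges success by the negotiated-cipher line rather than by CONNECTED, which s_client prints even when the handshake then dies; the function names and the sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the issue thread): per-cipher handshake probe.

# Reads `openssl s_client` output on stdin and prints the negotiated cipher
# suite, or FAIL if none was negotiated. "CONNECTED(...)" is ignored on
# purpose: it only means the TCP connection opened.
negotiated_cipher() {
    cipher=$(sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1)
    case "$cipher" in
        ''|'(NONE)') echo FAIL ;;
        *) echo "$cipher" ;;
    esac
}

# Offers exactly one suite to host:port ($1) and prints the outcome.
# -cipher restricts TLS 1.2 and earlier; a TLS 1.3 server may pick another
# suite, so compare the printed name with the one requested.
probe_cipher() {
    openssl s_client -connect "$1" -cipher "$2" </dev/null 2>&1 | negotiated_cipher
}

# Constructed transcripts (not captured from a real server) for an offline run.
SAMPLE_OK='CONNECTED(00000004)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
---'
SAMPLE_DEAD='CONNECTED(00000004)
verify return:0'

if [ "$#" -ge 1 ]; then
    # Usage: script host:port [suite ...]; defaults to the two suites
    # compared in the thread.
    target=$1; shift
    [ "$#" -gt 0 ] || set -- ECDHE-RSA-AES128-SHA DHE-RSA-AES128-SHA
    for suite in "$@"; do
        printf '%-24s %s\n' "$suite" "$(probe_cipher "$target" "$suite")"
    done
else
    printf 'sample ok:   %s\n' "$(printf '%s\n' "$SAMPLE_OK" | negotiated_cipher)"
    printf 'sample dead: %s\n' "$(printf '%s\n' "$SAMPLE_DEAD" | negotiated_cipher)"
fi
```

Run against a server as `sh probe.sh host:5223` (the file name is arbitrary); a suite that prints FAIL while others succeed points at the server's cipher configuration rather than at certificates or connectivity.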


People

  • Assignee: Guus der Kinderen
  • Reporter: David Horwitz

Dates

  • Created: 03/10/11 03:09 AM
  • Updated: 02/10/12 03:41 PM