Openfire / OF-443

S2S doesn't work (dialback broken)

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.7.0
    • Fix Version/s: 3.7.1, 3.8.0
    • Component/s: Core
    • Labels:
      None

      Description

      Many users report that S2S isn't working for them anymore after the upgrade to 3.7.0.

      "After further testing, I've found that 3.7.0 will no successfully negotiate dialback connections with other systems also running 3.7.0. These connections also log an error like:

      2011.03.04 15:45:53 ServerDialback: OS - Unexpected answer in validation from: ee.washington.edu id: 5b589264 for domain: dragonsdawn.net answer:<stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><dialback xmlns="urn:xmpp:features:dialback"/><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/></stream:features>"

      also http://community.igniterealtime.org/message/210452#210452

          Activity

          saper Marcin Cieślak added a comment -

          With the ancient server in question it works - it does not like version="1.0" only in responses to its own greeting.

          I run openfire trunk for myself for my daily use and I keep s2s connections to:

          jabber.org
          igniterealtime.org
          gmail.com
          the one making trouble - non public
          another non public making sometimes trouble with s2s
          7thguard.net
          chrome.pl

          but I have added two s2s contacts for my accounts at

          amessage.de
          jabber.wp.pl

          and yes, it seems it does not get through. Not sure how the last one works with s2s. Amessage is occasionally making s2s trouble with some servers.

          I have no access to any older Openfire instance right now.

          saper Marcin Cieślak added a comment -

          I have quickly checked breaking session - amessage.de fails on TLS/SSL negotiation

          2011.12.16 23:47:12 org.jivesoftware.openfire.net.SocketConnection - Error retrieving client certificates of: [Session-31, TLS_RSA_WITH_AES_256_CBC_SHA]
          javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
                  at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:371)
                  at org.jivesoftware.openfire.net.SocketConnection.getPeerCertificates(SocketConnection.java:423)
                  at org.jivesoftware.openfire.net.SASLAuthentication.doExternalAuthentication(SASLAuthentication.java:504)
                  at org.jivesoftware.openfire.net.SASLAuthentication.handle(SASLAuthentication.java:245)
                  at org.jivesoftware.openfire.net.SocketReadingMode.authenticateClient(SocketReadingMode.java:130)
                  at org.jivesoftware.openfire.net.BlockingReadingMode.readStream(BlockingReadingMode.java:148)
                  at org.jivesoftware.openfire.net.BlockingReadingMode.run(BlockingReadingMode.java:76)
                  at org.jivesoftware.openfire.net.SocketReader.run(SocketReader.java:137)
                  at java.lang.Thread.run(Thread.java:679
          

          The other one (jabber.wp.pl) stops at some point, it's not related to the version header I guess:
          Fetching vCard works fine with that server.

          Openfire to WP:

          <stream:stream xmlns:stream="http://etherx.jabber.org/streams" 
            xmlns="jabber:server" xmlns:db="jabber:server:dialback">
          

          WP to Openfire:

          <?xml version='1.0'?><stream:stream 
            xmlns:stream='http://etherx.jabber.org/streams' id='89124b7afb0fe01c7e767f345349f33a00967631'   
            xmlns='jabber:server' xmlns:db='jabber:server:dialback'>
          

          Openfire to WP:

          <db:verify from="saper.info" 
            to="jabber.wp.pl" 
            id="7e0bbe12">59a04579c36d2c860e719c6ffb9cd7c66e2fab03</db:verify>
          

          WP to Openfire:

          <db:verify from='jabber.wp.pl' 
            to='saper.info' 
            id='7e0bbe12' type='valid'/>
          

          Openfire to WP:

          </stream:stream>
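
The log line in the description shows a `<stream:features/>` element arriving where the dialback verification result was expected, while the trace above shows a plain `db:verify` answer. As an added example (not Openfire's code; the function and constant names are hypothetical), this Python check skips a features advertisement and accepts the result only when its id, from and to match the pending request:

```python
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
DB_NS = "jabber:server:dialback"
# Wrapper declaring the prefixes that the real stream header declares, so the
# elements captured in the trace can be parsed on their own.
WRAP = ('<stream:stream xmlns:stream="%s" xmlns="jabber:server" '
        'xmlns:db="%s">%%s</stream:stream>') % (STREAM_NS, DB_NS)

# Elements copied from the page: the features block from the logged error and
# the authoritative server's answer from the jabber.wp.pl trace.
FEATURES = ('<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
            '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>'
            '<dialback xmlns="urn:xmpp:features:dialback"/>'
            '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>'
            '</stream:features>')
VERIFY_OK = ("<db:verify from='jabber.wp.pl' to='saper.info' "
             "id='7e0bbe12' type='valid'/>")


def check_verify_result(answers, stream_id, local, remote):
    """Return 'valid' or 'invalid'; raise ValueError on anything else.

    answers   -- elements received after our db:verify request, in order
    stream_id -- id we put in the request
    local     -- our domain (the request's 'from')
    remote    -- the authoritative domain (the request's 'to')
    """
    root = ET.fromstring(WRAP % "".join(answers))
    for el in root:
        if el.tag == "{%s}features" % STREAM_NS:
            continue  # a version="1.0" peer advertises features first
        if el.tag != "{%s}verify" % DB_NS:
            raise ValueError("unexpected element: " + el.tag)
        # Bind the result to the pending request: same id, from/to swapped.
        if (el.get("id"), el.get("from"), el.get("to")) != (stream_id, remote, local):
            raise ValueError("db:verify does not match the pending request")
        if el.get("type") not in ("valid", "invalid"):
            raise ValueError("db:verify result has no valid/invalid type")
        return el.get("type")
    raise ValueError("no db:verify result received")  # fail closed


if __name__ == "__main__":
    print(check_verify_result([FEATURES, VERIFY_OK],
                              "7e0bbe12", "saper.info", "jabber.wp.pl"))
```
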
          
          saper Marcin Cieślak added a comment -

          Update: jabber.wp.pl s2s works today without any problems (probably something on their side, as suddenly s2s connections from my non-Openfire accounts started working).

          guus Guus der Kinderen added a comment -

          I've committed Marcin's patch to improve communication with domains using pre 1.0-versioned stream headers.

          Let's use a different issue than this one (OF-443) for new issues with S2S - this one is getting out of hand.

          neustradamus Neustradamus added a comment -

          All are really good?

          http://wiki.xmpp.org/web/Securing_XMPP
          http://stpeter.im/journal/1496.html
          http://tools.ietf.org/html/draft-saintandre-xmpp-tls-02
          https://github.com/stpeter/manifesto/

          You must sign it!
          https://github.com/stpeter/manifesto/blob/master/manifesto.txt

          If it is not, all Openfire XMPP servers will be removed from the XMPP network soon.

            People

            • Assignee:
              guus Guus der Kinderen
              Reporter:
              wroot wroot
            • Votes:
              20
              Watchers:
              21