[s2s] Federation issue with talkonaut.com


My server (weather.im) happily federates with talkonaut.com with Openfire 3.10.3. The beta of Openfire 4.0 fails to federate, here's the trace logged.

My 3.10.3 instance reports that the outbound connect is unsecured dialback authentication and the inbound connection is secure.




Guus der Kinderen
January 5, 2016, 10:03 PM

We test-ran the fix on ignite - works fine!

Guus der Kinderen
January 5, 2016, 8:22 PM

My earlier fix changed TLS failure handling on the connection used after a S2S connection was successfully established. In this issue, we're not getting to that point (the earlier fix itself is an improvement though, but not for the issue at hand).

A problem occurs before the S2S connection is established, on the connection used for dialback. The changes for add TLS support to Dialback, but won't allow for TLS to fail.

PR https://github.com/igniterealtime/Openfire/pull/489 allows Dialback to be retried after a TLS failure occurred, skipping TLS.

Daryl Herzmann
December 17, 2015, 5:20 PM

talkonaut.com kindly engaged us on this and noted the following stanza

Guus der Kinderen
December 17, 2015, 12:12 PM

https://github.com/igniterealtime/Openfire/pull/466 changes the event from an 'exceptional' handshake failure to a normal one. This should make logging less verbose.

This does not, however, fix the issue with S2S to talkanout.com - I'm guessing that new default settings for TLS now simply disallow federation.

Dave Cridland
December 17, 2015, 8:38 AM

TLS (and SSLv3 before it) include an Alert record which, amongst other things, indicates the session is being closed, in order to protect against a truncation attack where you kill a session (by spoofing TCP RST packets, etc) before all the data is across.

HTTP/1.1 is somewhat immune to this, and it has no effect at all on XMPP.

Swallowing this stack trace would be fine.

I note though that we're being a little over the top in validating certificates at the moment - I'll review that code over the next week or so and see if we can make it work a little closer to expectations.



Dave Cridland


Daryl Herzmann