Server-to-Server SNI issue / connecting to a host that serves multiple domains

Description

Some XMPP servers have the capability of hosting multiple domains on the same IP address. When connecting to that IP address, Openfire should (but apparently does not) send along a “server name indication” to connect to the intended domain.

This problem has been observed when trying to connect to the XMPP domain millesimus.de.

Openfire connects to IP 173.212.205.87 and receives a TLS certificate that is issued for (subdomains of) politicalsciences.eu, which is a different XMPP service hosted on the same server.

The issue can be reproduced with openssl:

openssl s_client -connect 173.212.205.87:5270 will return a certificate for politicalsciences.eu.

openssl s_client -connect xmpp.millesimus.de:5270 will return a certificate for millesimus.de.

Openfire should be modified to send along the proper SNI when connecting to a remote server.

Fixed

Created November 17, 2023 at 10:55 AM
Updated November 17, 2023 at 2:26 PM
Resolved November 17, 2023 at 2:26 PM