Openfire should ignore Othername formats it doesn't understand

Description

(02:41:10 PM) guus: did anyone generate new certificates with StartSSL recently?
(02:42:05 PM) guus: Openfire chokes on the subject alt. name in it
(02:42:24 PM) guus: X509v3 Subject Alternative Name: DNS:xmpp.igniterealtime.org, DNS:igniterealtime.org, othername:<unsupported>, othername:<unsupported>, othername:<unsupported>, othername:<unsupported>
(02:43:14 PM) Alex: I have created a new one in January
(02:43:20 PM) Alex: it's running on ag-software.de
(02:43:36 PM) guus: given the error message, I'd say that the othername values are something called 'DERTaggedObject', where my server wants a different type
(02:49:13 PM) guus: hmm, yours has similar: "othername:<unsupported>" entries in Subject altname
(02:50:34 PM) Alex: I am not an X509 expert, maybe dwd can jump onto this
(02:51:19 PM) ***dwd boioings.
(02:51:39 PM) guus: I wonder if it's the openssl tool that can't parse that othername format. I'm far from an expert myself :S
(02:51:58 PM) dwd: I think StartTLS^HStartSSL now includes sRVName SANs.
(02:52:31 PM) dwd: Our tools can parse them, and I'd expect any compliant tool which can't to simply ignore them - they're just another form of Othername after all.
(02:52:53 PM) dwd: (And othernames are explicitly designed to be extensible, unlike general names themselves)
(02:54:37 PM) guus: okay, sounds reasonable

Environment

None

Activity

Guus der Kinderen February 9, 2012 at 2:06 PM

I just checked in a fix that hides the error. Functionally, it was already ignored (but reported as an error in the logs)

Guus der Kinderen February 9, 2012 at 1:59 PM

This probably relates to the stacktraces that are being logged since using a new server certificate:

org.jivesoftware.util.CertificateManager - CertificateManager: Error decoding subjectAltName
java.lang.IllegalArgumentException: illegal object in getInstance: org.bouncycastle.asn1.DERTaggedObject
    at org.bouncycastle.asn1.DERUTF8String.getInstance(Unknown Source)
    at org.jivesoftware.util.CertificateManager.getSubjectAlternativeNames(CertificateManager.java:263)
    at org.jivesoftware.util.CertificateManager.getPeerIdentities(CertificateManager.java:215)
    at org.jivesoftware.util.CertificateManager.isCertificate(CertificateManager.java:346)
    at org.jivesoftware.util.CertificateManager.isRSACertificate(CertificateManager.java:298)
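
An added illustration of the behaviour dwd describes above, not Openfire's code or the checked-in fix: a JDK-only reader (no BouncyCastle) that checks an OtherName's type-id before decoding its value, so an SRVName entry is skipped instead of raising the cast error in the stack trace. It assumes the input is the bare DER OtherName and that id-on-xmppAddr is the only type the server understands; the class and method names and the sample values are constructed.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;

public class OtherNameDemo {                       // hypothetical class; needs Java 16+ (records)
    static final byte[] XMPP_ADDR = {0x2B, 6, 1, 5, 5, 7, 8, 5};  // id-on-xmppAddr 1.3.6.1.5.5.7.8.5 (RFC 6120)
    record Tlv(int tag, byte[] content, int next) {}

    // Reads one DER tag-length-value at pos; "next" is the offset just past it.
    static Tlv read(byte[] der, int pos) {
        if (pos + 2 > der.length) throw new IllegalArgumentException("truncated TLV");
        int tag = der[pos] & 0xFF, len = der[pos + 1] & 0xFF, start = pos + 2;
        if (len >= 0x80) {                         // long-form length: next n bytes hold it
            int n = len & 0x7F;
            if (n == 0 || n > 2 || start + n > der.length) throw new IllegalArgumentException("bad length");
            for (len = 0; n > 0; n--) len = (len << 8) | (der[start++] & 0xFF);
        }
        if (start + len > der.length) throw new IllegalArgumentException("truncated content");
        return new Tlv(tag, Arrays.copyOfRange(der, start, start + len), start + len);
    }

    /** OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }. Empty means "not understood". */
    static Optional<String> xmppAddr(byte[] otherName) {
        Tlv seq = read(otherName, 0);
        Tlv typeId = read(seq.content(), 0);
        // Dispatch on type-id first: the value of an unknown type is never touched.
        if (typeId.tag() != 0x06 || !Arrays.equals(typeId.content(), XMPP_ADDR)) return Optional.empty();
        Tlv wrapper = read(seq.content(), typeId.next());
        Tlv value = read(wrapper.content(), 0);
        if (wrapper.tag() != 0xA0 || value.tag() != 0x0C) return Optional.empty();  // 0x0C = UTF8String
        return Optional.of(new String(value.content(), StandardCharsets.UTF_8));
    }

    static byte[] tlv(int tag, byte[]... parts) {  // builds the constructed samples (short lengths only)
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        int len = 0;
        for (byte[] p : parts) len += p.length;
        out.write(tag); out.write(len);
        for (byte[] p : parts) out.writeBytes(p);
        return out.toByteArray();
    }

    public static void main(String[] args) {
        byte[] srvOid = {0x2B, 6, 1, 5, 5, 7, 8, 7};  // id-on-dnsSRV 1.3.6.1.5.5.7.8.7 (RFC 4985)
        byte[] jid = tlv(0x30, tlv(0x06, XMPP_ADDR),  // constructed sample: xmppAddr, UTF8String value
                tlv(0xA0, tlv(0x0C, "user@example.org".getBytes(StandardCharsets.UTF_8))));
        byte[] srv = tlv(0x30, tlv(0x06, srvOid),     // constructed sample: SRVName, IA5String value
                tlv(0xA0, tlv(0x16, "_xmpp-server.example.org".getBytes(StandardCharsets.US_ASCII))));
        for (byte[] san : new byte[][] {jid, srv}) System.out.println(xmppAddr(san));
    }
}
```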
Fixed

Details

Created February 9, 2012 at 1:58 PM
Updated February 9, 2012 at 2:06 PM
Resolved February 9, 2012 at 2:06 PM