Openfire 3.8 SSL Certs and Pidgin

I’ve just set up a new Openfire 3.8 server and most everything is working flawlessly from the go. But one problem we are having is that some clients (mostly Linux clients) will not connect to the server.

Spark works perfectly

Jitsi works

However

Pidgin and Gajim don’t work and throw up a generic SSL Cert error. (I have even tried Pidgin on Windows, same problem)

My only thought is that the name of the server is openfire.local.dom while I created a CNAME record for im.local.dom that everyone uses: i.e. my Jabber JID is brandtb@im.local.dom

I recreated the self-signed certs again and again, but this has not fixed the problem.

Any ideas as to why?

Thanks

Bob

What is Pidgin complaining about specifically?

I’m guessing it doesn’t trust the self-signed cert? You will have to tell Pidgin to accept the cert each time you connect. There may also be a way to disable certificate checks in Pidgin.

Spark typically does not report certificate issues.

Thanks for the reply!

Pidgin does ask if I want to trust the certificate and gives me the option to never ask again (from what I remember), but it then later fails and the little debug information I can get says it is an SSL error.

Is there an SSL error logged on the openfire end? Can you grab a screenshot of the Pidgin error?

Here are the logs during a faulty login attempt:

What stands out on the client side is:

jabber: XML parser error for JabberStream 0xb8337ca0: Domain 1, code 5, level 3: Extra content at the end of the document

I have seen many other posts on the web about this but no resolution.

On the server side you can see:

org.jivesoftware.openfire.nio.ConnectionHandler - ConnectionHandler reports unexpected exception for session: (SOCKET, R: /CLIENTIP:60851, L: /SERVERIP:5222, S: 0.0.0.0/0.0.0.0:5222)

java.lang.NoClassDefFoundError: com.sun.security.sasl.util.PolicyUtils

Which made me think it was an SSL error. But I have blown away the server installation of Openfire using both self-signed and Certificate Authority signed certificates and nothing works. I have also blown away and reinstalled the client side programs without any improvement.

The strange thing is that Pidgin was working well (even better than Spark) when we first built a test server. But ever since the first rebuild on multiple servers, nothing can get it to work.

Bob
Pidgin.debug.zip (3022 Bytes)
openfire.error.log.zip (869 Bytes)

All right! Found the answer.

Turns out that the problem was with the Java that was running the system. On my initial system (which was not a server) the variable JAVA_HOME was not exported, so Openfire would define it itself.

But on the later systems, JAVA_HOME was pointing at an IBM Java, so rather than use the JRE that comes with the installation, it used that instead!

Once I defined JAVA_HOME in the /etc/sysconfig/openfire file, everything started working immediately.

I don’t understand why Openfire doesn’t use its own JRE, especially when it COMES with it, but whatever.

Thanks for the attention, hopefully this will help someone else out.
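A way to check which JAVA_HOME a service start would end up with, as an added example that is not part of the thread and is not Openfire's own start script. It assumes the precedence the last post describes (a value in the sysconfig file first, then an inherited JAVA_HOME, then the bundled JRE); the function names and all paths in the demo are hypothetical placeholders.

```shell
#!/bin/sh
# Added example, not Openfire code. Precedence assumed from the thread:
# sysconfig file > inherited JAVA_HOME > JRE bundled with the installation.

# Print the JAVA_HOME assigned in a sysconfig-style file (last assignment wins).
# Commented-out lines are ignored; surrounding quotes are stripped.
sysconfig_java_home() {
    [ -r "$1" ] || return 0
    sed -n -e 's/^[[:space:]]*//' \
           -e 's/^export[[:space:]][[:space:]]*//' \
           -e 's/^JAVA_HOME=//p' "$1" \
        | tail -n 1 \
        | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Args: sysconfig file, inherited JAVA_HOME (may be empty), bundled JRE dir.
# Prints "<source> <path>", where source is sysconfig, environment or bundled.
effective_java_home() {
    from_file=$(sysconfig_java_home "$1")
    if [ -n "$from_file" ]; then
        echo "sysconfig $from_file"
    elif [ -n "$2" ]; then
        echo "environment $2"
    else
        echo "bundled $3"
    fi
}

# Succeeds only when the resolved JAVA_HOME is the bundled JRE. A failure
# here is the situation in the thread: another vendor's JVM gets picked up.
uses_bundled_jre() {
    resolved=$(effective_java_home "$1" "$2" "$3")
    [ "${resolved#* }" = "$3" ]
}

# Constructed demo: sysconfig has JAVA_HOME commented out, and the
# environment exports a different JVM (placeholder paths).
demo=$(mktemp)
printf '%s\n' '#JAVA_HOME=/path/to/openfire/jre' > "$demo"
effective_java_home "$demo" "/path/to/ibm-java" "/path/to/openfire/jre"
uses_bundled_jre "$demo" "/path/to/ibm-java" "/path/to/openfire/jre" \
    || echo "WARNING: service would not run on the bundled JRE"
rm -f "$demo"
```

On a real host, pass `/etc/sysconfig/openfire`, the JAVA_HOME seen by the init environment, and the installation's own JRE directory.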