"SSLv2Hello is disabled" with nightly 2015-01-31

Hi,

I’m testing the beta / current nightly since it is supposed to have a fix for OF-405.

I am running Ubuntu 10.04.4 LTS (and I suspect/fear there is my problem already) and upgraded from Openfire 3.9.3.

There were no issues while upgrading and everything seems to be running fine.

I use custom client security settings where SSL is disabled and TLS is required.

I can connect with Xabber, the Android client. However, connecting with Spark or Psi always results in an SSL handshake error and the following error in the server log:

2015.02.01 12:26:45 org.jivesoftware.openfire.nio.ConnectionHandler - ConnectionHandler reports IOException for session: (0x00000008: nio socket, server, /xxx.xxx.xxx.xxx:61194 => /xxx.xxx.xxx.xxx:5222)
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:507)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:542)
at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$6(DefaultIoFilterChain.java:538)
at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:943)
at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74)
at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTask(OrderedThreadPoolExecutor.java:769)
at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTasks(OrderedThreadPoolExecutor.java:761)
at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.run(OrderedThreadPoolExecutor.java:703)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: SSLv2Hello is disabled
at sun.security.ssl.InputRecord.handleUnknownRecord(InputRecord.java:598)
at sun.security.ssl.InputRecord.read(InputRecord.java:504)
at sun.security.ssl.EngineInputRecord.read(EngineInputRecord.java:387)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:947)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:890)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:764)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at org.apache.mina.filter.ssl.SslHandler.unwrap(SslHandler.java:746)
at org.apache.mina.filter.ssl.SslHandler.unwrapHandshake(SslHandler.java:681)
at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:567)
at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:353)
at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:488)
… 9 more

So, is this an issue with Openfire or is it really like an old SSL lib in Ubuntu 10.04? Why can Xabber connect although I enforce encryption so there is no fallback to an unsafe connection?

I’d appreciate any help.

Cheers,

Rene

EDIT: Thunderbird seems to connect happily as well.

EDIT2: Pidgin works, too.

Message was edited by: Rene Voegeli

I believe Openfire is using Java’s SSL library-api. So maybe it is some old Java. Though if it worked with 3.9.3 it should probably work with 3.10.0. Then this is probably because of some changes in the code.

Clients now MUST use TLSv1.0 as a minimum - we disabled SSLv3 due to POODLE - and therefore any Hello message must be a TLSv1.0 as a minimum. There’s no value in using anything lower.

Actually, RFC 3920 specified TLS anyway, so use of SSLv3 or SSLv2 Hello messages was never correct.
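
Added example, not part of the original thread and not Openfire or JSSE code: a small Python classifier for the first bytes a client sends after STARTTLS, showing that a hello in SSLv2 framing is rejected with the logged message even when it offers TLSv1.0, while a hello in TLS record framing is accepted. The sample bytes are constructed, and the enabled-protocol set (JSSE protocol names, with SSLv3 and SSLv2Hello off) is an assumption about the server settings described above.

```python
# Added example: classify the first bytes of a ClientHello and model why a
# server without "SSLv2Hello" enabled rejects some clients but not others.
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # JSSE protocol names, oldest first
WIRE = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def classify_hello(data: bytes) -> dict:
    """Return the framing and offered version of a ClientHello prefix."""
    if len(data) < 5:
        return {"format": "incomplete"}
    # SSLv3/TLS record: content type 0x16 (handshake), version, 2-byte length.
    if data[0] == 0x16 and data[1] == 3:
        info = {"format": "tls-record", "offered": None}
        # Handshake header: type 0x01 (ClientHello), 3-byte length, client_version.
        if len(data) >= 11 and data[5] == 0x01:
            info["offered"] = WIRE.get((data[9], data[10]))
        return info
    # SSLv2 record: high bit set on a 2-byte length, then type 0x01, then version.
    if data[0] & 0x80 and data[2] == 0x01:
        return {"format": "sslv2-hello", "offered": WIRE.get((data[3], data[4]))}
    return {"format": "unknown"}

def server_verdict(data: bytes, enabled: set) -> str:
    """Simplified model of the server-side decision, not JSSE's actual code."""
    hello = classify_hello(data)
    if hello["format"] == "sslv2-hello" and "SSLv2Hello" not in enabled:
        return "reject: SSLv2Hello is disabled"  # message text taken from the log
    if hello.get("offered") is None:
        return "reject: unsupported or unparseable hello"
    # Usable versions: enabled on the server and not newer than the client's offer.
    ceiling = ORDER.index(hello["offered"])
    usable = [p for p in ORDER[:ceiling + 1] if p in enabled]
    return f"accept: {usable[-1]}" if usable else "reject: no common protocol version"

# Constructed sample prefixes (not captured from any real client).
TLS12_RECORD = bytes.fromhex("160301002f0100002b0303")    # TLS framing, offers TLSv1.2
V2_HELLO_TLS10 = bytes.fromhex("802e010301001500000010")  # SSLv2 framing, offers TLSv1.0
SSL3_RECORD = bytes.fromhex("160300002f0100002b0300")     # TLS framing, offers SSLv3
POST_POODLE = {"TLSv1", "TLSv1.1", "TLSv1.2"}  # assumed: SSLv3 and SSLv2Hello disabled

if __name__ == "__main__":
    for name, raw in [("tls12", TLS12_RECORD), ("v2hello", V2_HELLO_TLS10),
                      ("ssl3", SSL3_RECORD)]:
        print(name, classify_hello(raw), server_verdict(raw, POST_POODLE))
```

Comparing a failing client's first bytes on port 5222 after `<proceed/>` against these two framings shows whether the fix belongs in the client's enabled protocols rather than on the server.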