SSL handshake failed on Openfire 4.1.4

I have the Conversations application on my phone. It works perfectly with Openfire 4.0.1; however, when I use a newer version of Openfire I cannot connect anymore. Here is what I get from connecting to Openfire 4.1.4:

2017.06.26 21:15:47 INFO [socket_c2s-thread-2]: org.jivesoftware.openfire.net.SASLAuthentication - Support added for the ‘CRAM-MD5’ SASL mechanism.

2017.06.26 21:15:47 INFO [socket_c2s-thread-2]: org.jivesoftware.openfire.net.SASLAuthentication - Support added for the ‘GSSAPI’ SASL mechanism.

2017.06.26 21:15:47 INFO [socket_c2s-thread-2]: org.jivesoftware.openfire.net.SASLAuthentication - Support added for the ‘JIVE-SHAREDSECRET’ SASL mechanism.

2017.06.26 21:15:47 WARN [socket_c2s-thread-2]: org.jivesoftware.openfire.nio.ConnectionHandler - Closing connection due to exception in session: (0x00000002: nio socket, server, /192.168.1.104:44784 => /192.168.1.104:5222)

javax.net.ssl.SSLHandshakeException: SSL handshake failed.

at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:487)

at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)

at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1200(DefaultIoFilterChain.java:47)

at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:765)

at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:109)

at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:417)

at org.apache.mina.core.filterchain.DefaultIoFilterChain.fireMessageReceived(DefaultIoFilterChain.java:410)

at org.apache.mina.core.polling.AbstractPollingIoProcessor.read(AbstractPollingIoProcessor.java:710)

at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:664)

at org.apache.mina.core.polling.AbstractPollingIoProcessor.process(AbstractPollingIoProcessor.java:653)

at org.apache.mina.core.polling.AbstractPollingIoProcessor.access$600(AbstractPollingIoProcessor.java:67)

at org.apache.mina.core.polling.AbstractPollingIoProcessor$Processor.run(AbstractPollingIoProcessor.java:1124)

at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:64)

at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)

at java.lang.Thread.run(Thread.java:745)

Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)

at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1646)

at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1614)

at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1780)

at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1075)

at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:901)

at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:775)

at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)

at org.apache.mina.filter.ssl.SslHandler.unwrap(SslHandler.java:728)

at org.apache.mina.filter.ssl.SslHandler.unwrapHandshake(SslHandler.java:666)

at org.apache.mina.filter.ssl.SslHandler.handshake(SslHandler.java:552)

at org.apache.mina.filter.ssl.SslHandler.messageReceived(SslHandler.java:351)

at org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:468)

… 15 more

Any idea how to solve this?
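Added example, not part of the thread: a small triage script for the kind of Openfire log entry posted above. It pulls the session endpoints and the TLS alert out of the `Caused by:` line; JSSE's "Received fatal alert" wording means the alert was sent by the remote end, so here the client rejected the certificate Openfire presented. The function name `triage`, the field names and the trimmed sample log are constructed for illustration.

```python
import re

# Constructed sample: the WARN entry from the post above, stack frames trimmed.
SAMPLE_LOG = """\
2017.06.26 21:15:47 WARN [socket_c2s-thread-2]: org.jivesoftware.openfire.nio.ConnectionHandler - Closing connection due to exception in session: (0x00000002: nio socket, server, /192.168.1.104:44784 => /192.168.1.104:5222)
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
\tat org.apache.mina.filter.ssl.SslFilter.messageReceived(SslFilter.java:487)
Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
\tat sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
"""

# TLS alert names that mean the sender objected to the certificate it was shown.
CERT_ALERTS = {"bad_certificate", "unsupported_certificate", "certificate_revoked",
               "certificate_expired", "certificate_unknown", "unknown_ca"}

# WARN line: timestamp, then "remote => local" endpoints of the closed session.
SESSION = re.compile(
    r"^(\S+ \S+) WARN .*?session: \(.*?/([\d.]+):(\d+) => /([\d.]+):(\d+)\)")
# JSSE reports an alert that arrived from the other end as "Received fatal alert".
ALERT = re.compile(r"^Caused by: \S+: Received fatal alert: (\w+)")


def triage(log_text):
    """Return one record per closed session, with the peer's TLS alert if any."""
    events, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SESSION.match(line)
        if m:
            current = {"time": m.group(1),
                       "remote": f"{m.group(2)}:{m.group(3)}",
                       "local_port": int(m.group(5)),
                       "alert": None, "sent_by": None, "cert_related": False}
            events.append(current)
            continue
        m = ALERT.match(line)
        if m and current is not None:
            current["alert"] = m.group(1)
            current["sent_by"] = "peer"  # the remote end aborted the handshake
            current["cert_related"] = m.group(1) in CERT_ALERTS
    return events


if __name__ == "__main__":
    for event in triage(SAMPLE_LOG):
        print(event)
```

A record with `sent_by == "peer"` and `cert_related == True` points the investigation at how the client validates the server certificate rather than at the server's TLS stack.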

Conversations works with igniterealtime.org Openfire server. And it uses latest code, which is newer than 4.1.4, but should include all the previous changes. Using it daily for a year or so.

@wroot I’m using the latest version of Conversations and the latest version of Openfire (by latest version I mean the trunk code of the repository).

From Openfire 4.0.2 upward I’m getting the WRONG_TAG error in Conversations. Openfire works with other XMPP clients very well though.

I reported the issue to Conversations team and seems many have the same problems.

https://github.com/siacs/Conversations/issues/2249#issuecomment-311162541

@Daryl Herzmann could you create an account so he could test his Conversations client against our server? Also, it could be useful to compare Openfire version, OS, Java type and version and maybe also the certificates being used.

PM’d those details


Thank you both @Daryl Herzmann and @wroot, my Conversations client works fine with your server.

I’m using Java 8 (1.8.25), a self-signed certificate and Fedora 23 (64x). I also tried the same situation on Windows 10, same problem.

The last Openfire version that works with my client is 4.0.1. Any version above causes an SSL handshake exception in Conversations.

Maybe there is something with the self-signed certificate!

Do you mean you get this problem with 4.0.2?

Yes! It’s been almost a year that I’ve been stuck on 4.0.1.

I don’t see anything significant in 4.0.2 changelog, especially related to SSL. On Windows you tried with the same Java version? Maybe you can use newer (1.8.1 131 at the moment).

Hi guys,

I have exactly that issue with all Android clients (especially with Conversations and Xabber).

My current Openfire configuration:

  • Openfire 4.1.4 (fresh install).

  • Debian 8 64bits.

  • Java JRE 1.8 (1.8.0_131 Oracle Corporation – Java HotSpot™ 64-Bit Server VM).

  • Active Directory auth (working fine).

  • Self-signed certificate.

I tried to install Openfire on Windows Server 2016 but it is the same.

I have already done the following tests:

  • If I disable STARTTLS (advanced settings on port 5222), everything works fine with Xabber (Conversations has to use TLS).

  • I have no problem with iOS clients (like ChatSecure or Monal) or Windows clients (Pidgin or Spark).

And last but not least:

At the first start of Openfire (just after installation), with the Debian or the Windows install, I was able to launch Conversations successfully only one time. If I disconnect and immediately reconnect, the connection fails …

Yes, I looked at the 4.0.2 changelog and couldn’t find any clues. I’ve tried Java 1.8.1_131 and also 1.8.0_72; both end up with the same result. Since my Conversations client works well with your server, I’m guessing that the self-signed certificate is the root of my problem. Have you ever happened to try Openfire (self-signed) with Conversations?

I have an account in Conversations logged to my own testing Openfire server at home. It is usually disabled, but i think i have tried it a month or so ago and it worked. I can try it again today. I use self-signed certs.

Btw, i’ve seen a few reports about people having problems with Galaxy S8 after the recent updates. Maybe this is even device specific issue. I use it on Huawei MediaPad X2 tablet with Android 5.0.

So, i have tried again at home today. My Openfire is actually one of the latest nightly builds (4.1.5). As my home server is not in DNS, i can login in Conversations using user@domain. So i change it to user@IPaddress and it logs in and automatically changes the account to user@domain (so i have to change it to IP every time i want to login…). I can then chat with other users on that server.

Finally the issue has been resolved in Conversations.

It should be taken care of in Openfire too.

workaround for OpenFire: check CN first in self signed certs · siacs/Conversations@8afe7ef · GitHub


Yep, it’s resolved for me too… only with Conversations. Xabber still does not work …

Xabber has its issue tracker on Github. You can report there. Issues · redsolution/xabber-android · GitHub