[asterisk-dev] 1.6.0 jabber (client mode) SSL connection

Philippe Sultan philippe.sultan at gmail.com
Fri Oct 10 17:25:31 CDT 2008


Hi Brendan,

Secured client XMPP connections should be made on port 5222, and handled by TLS.

Let's continue this discussion here: http://bugs.digium.com/view.php?id=13656

Cheers,

Philippe

On Wed, Oct 8, 2008 at 7:42 PM, Brendan Martens
<brendan.martens at crosscomm.net> wrote:
> Here is the debug output of the same issue ( I think? ) on an openfire
> server:
>
> 2008.10.08 12:40:18 ConnectionHandler:
> javax.net.ssl.SSLHandshakeException: SSL handshake failed.
>        at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:416)
>        at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
>        at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
>        at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
>        at org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.messageReceived(AbstractIoFilterChain.java:499)
>        at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
>        at org.apache.mina.common.support.AbstractIoFilterChain.fireMessageReceived(AbstractIoFilterChain.java:293)
>        at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:228)
>        at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:198)
>        at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$400(SocketIoProcessor.java:45)
>        at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:485)
>        at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
>        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
>        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
>        at java.lang.Thread.run(Thread.java:619)
> Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
>        at com.sun.net.ssl.internal.ssl.EngineInputRecord.bytesInCompletePacket(EngineInputRecord.java:152)
>        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:754)
>        at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:669)
>        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
>        at org.apache.mina.filter.support.SSLHandler.unwrap0(SSLHandler.java:658)
>        at org.apache.mina.filter.support.SSLHandler.unwrapHandshake(SSLHandler.java:614)
>        at org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:493)
>        at org.apache.mina.filter.support.SSLHandler.messageReceived(SSLHandler.java:306)
>        at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:392)
>        ... 14 more
>
> Brendan Martens
>
>> My asterisk 1.6.0 isn't able to authenticate to my apple iChat server.
>> The ichat server requires an SSL connection for clients, I set the
>> "usetls=yes" in jabber.conf but it still doesn't like it. Here is the
>> error in the apple server's jabber log:
>>
>> error: SSL handshake error (error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)
>>
>> And here is my jabber.conf (cleared out the sample comments for
>> readability):
>>
>> [general]
>> debug=no
>> autoprune=no
>> autoregister=yes
>>
>> [servant-jabber]
>> type=client
>> serverhost=servant.crosscomm.net
>> username=asterisk at crosscomm.net/asterisk
>> secret=password
>> ;priority=1
>> port=5223
>> usetls=yes
>> usesasl=yes
>> ;buddy=mogorman at astjab.org
>> ;status=available
>> ;statusmessage="I am available"
>> timeout=15
>>
>>
>> The port setting is correct, it is what I use for normal clients. The
>> asterisk user does exist, I am able to authenticate via asterisk user
>> with the iChat client.
>> Turning sasl on or off doesn't seem to make any difference.
>>
>> After googling around this seems to be a fairly common issue when
>> doing some sort of SSL authentication.
>>
>> Is this a bug or am I missing something important in my config?
>>
>>
>> Brendan Martens



-- 
Philippe Sultan
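
An added example, not part of the thread and not Asterisk or Openfire code: it classifies the first bytes a server receives on an XMPP client port, which is the check behind the quoted "plaintext connection?" and "unknown protocol" errors. It assumes the common convention that a listener on 5223 expects a TLS handshake from the first byte, while 5222 starts with a plaintext stream header and upgrades in-band with STARTTLS; the sample byte strings are constructed.

```python
# Assumption (common convention, not stated in the thread): 5223 expects TLS
# from the first byte, 5222 expects a plaintext stream header, then STARTTLS.
EXPECTS = {5222: "plaintext-xmpp", 5223: "tls"}

# Constructed samples: an XMPP stream header and a truncated TLS ClientHello.
STREAM_HEADER = (b"<?xml version='1.0'?><stream:stream to='example.net' "
                 b"xmlns='jabber:client' "
                 b"xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>")
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01, 0x00, 0x00, 0x2B])


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'plaintext-xmpp' or 'unknown' for the opening bytes."""
    if len(data) >= 3:
        # TLS record header: content type 0x16 (handshake), major version 3.
        if data[0] == 0x16 and data[1] == 0x03:
            return "tls"
        # SSLv2-compatible ClientHello: length high bit set, message type 1.
        if data[0] & 0x80 and data[2] == 0x01:
            return "tls"
    # Skip an optional UTF-8 BOM and whitespace before the XML prolog.
    text = data.lstrip(b"\xef\xbb\xbf \t\r\n")
    if text.startswith((b"<?xml", b"<stream:stream")):
        return "plaintext-xmpp"
    return "unknown"


def diagnose(port: int, first_bytes: bytes) -> str:
    """Compare what the client sent with what the port is assumed to expect."""
    expected = EXPECTS.get(port)
    seen = classify_first_bytes(first_bytes)
    if expected is None or seen == "unknown":
        return "inconclusive"
    if seen == expected:
        return "ok"
    if expected == "tls":
        return "plaintext-on-tls-port"   # server logs a failed SSL handshake
    return "tls-on-starttls-port"        # server sees bytes that are not XML


if __name__ == "__main__":
    for port, sample in ((5223, STREAM_HEADER), (5222, STREAM_HEADER),
                         (5223, CLIENT_HELLO), (5222, CLIENT_HELLO)):
        print(port, classify_first_bytes(sample), "->", diagnose(port, sample))
```
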


