wojciech.kapcia@tigase.net opened 5 years ago
|
|
The issue is now fixed (or it looks like fixed) and tests from The cause of the issue was the location where Before TLS 1.3 for client connections (outgoing connections) handshake could be completed only on On server connections, it was not causing any issues as servers are waiting for requests from clients, so they are not sending data just after the handshake is completed. Only in TLS 1.3 in client connections, it is possible to complete a handshake in In this situation, we were calling Invalid flow:
The issue is with inverted steps 5 & 6. We should first enqueue handshake data and then encrypted I've solved it with a minor change to the workflow and (I hope) a small change in the API which should be backward compatible (added default method to the existing interface). I've marked this method as deprecated as it should be replaced by proper handling of @wojtek Please review those changes. I've not enabled TLS 1.3 but I think we could do that by default if we confirm that this fix is working properly. |
|
As per our discussion: it seems that the fix doesn't work all that well (as it turned out after deployment to tigase.im). Actions for now:
|
|
Sorry for the trouble caused by recent changes to add support for TLS 1.3. I've reviewed the code more deeply and after some debugging, I've found out that my changes were correct. The issue was actually caused by Before my previous fix, the first call to However, due to After confirming that those changes work for domains for which they failed before (I've deployed a new build on my local installation with S2S and confirmed that I was able to query disco items and info from problematic domains), I've looked into test cases which were prepared for this issue. I've changed them, to make them assume the actual behavior of the S2S connection:
Note: We are testing TLS here (mostly 1.3 but just any TLS) and not full S2S connectivity (as we are testing it only 1-way), due to that I've focused tests on establishing TLS connection and verifying that data is exchanged over a secure connection properly (ie. we are sending stream-open, server responds with features, we are sending SASL EXTERNAL/DIALBACK, the server responds, etc.). While working on that, I've found out that SASL-EXTERNAL is also tried if the local certificate is not trusted (ie. self-signed or expired). I've added a check, which will skip SASL-EXTERNAL if the local certificate is not valid. That should improve connectivity time (reduced number of roundtrips). Also, some servers may close connection if SASL-EXTERNAL fails, without trying dialback (that is allowed by the XEP). With that in place, I was able to make S2S tests pass without any issues. I've also encountered another issue with All the tests and my installation used for testing were running on AdoptOpenJDK 11.0.10 (lastest stable LTS). All changes are checked in @wojtek You have credentials to the account on my installation, so you can use it for checking if S2S works as expected. If needed IBR is enabled as well, so you can create an account as well. If something will be failing for some specific domain I'm able to check it later on with a debugger connected to this installation which would be better than extending logs and restarting our clustered installations. |
|
Thank you for your analysis. I checked the changes and they seem to look ok. I'd like to run some tests after migration to EB and then we could merge it. |
|
I merged the branch. There were some issues due to reverting of the previous changes. I think I got everything. Tomorrow I'll update our tigase.org instances so we'll be able to verify it. |
|
It seems to be working now. |
Type |
Bug
|
Priority |
Normal
|
Assignee | |
Version |
tigase-server-8.2.0
|
Spent time |
26h
|
No matter if other party supports or not TLS1.3, if we add it to "enabled protocols", Tigase will fail to establish connection to the remote server, and remote server will log this error:
Using same Java version and connecting using Java's
SSLSocket
instead of Tigase's network layer works fine,