Initial analysis lead me to the point when Tigase closes connection upon receiving

<challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">=</challenge>

on sent

<auth mechanism="EXTERNAL" xmlns="urn:ietf:params:xml:ns:xmpp-sasl">=</auth>

From that, it was obvious that Tigase was not expecting <challenge/> element as it is "not used" in SASL external. As I've looked into OpenFire code, I've found out that <challenge/> is sent only when SASL external <auth/> element cdata does not match Base64 encoded domain of the sender of <auth/> request. From what I've found out in XEP-0178 and RFC related to XMPP, <auth/> stanza should only be sent with no data (=) when we are authenticating C2S connection and for S2S connection, it should always be Base64 encoded domain of the sender.

I've modified Tigase to send <auth/> element with proper cdata and left Tigase code for handling incoming <auth/> requests unchanged as Tigase verifies SSL certificate against sender domain, so not checking content of <auth/> element will do no harm (will not authenticate anything which should not be authenticated) but will maintain compatibility with older versions of Tigase which had this issue in the S2S code.

As we discussed in chat, specification may change:

"however a future version of this specification might disallow use of the authorization identity in server-to-server authentication"

And it was decided to add sending identity based on parameter (so in the future it would be possible to disable it without having to update Tigase):

@ConfigField(desc = "Enable compatibility with legacy servers", alias = "legacy-compat")
private boolean legacyCompat = true;