When i want to connect to gmx.net i get the following errors <pre> Feb 11 10:38:48 prosody prosody[1193]: s2sout1473000: Beginning new connection attempt to gmx.net ([213.165.65.40]:5269) Feb 11 10:38:48 prosody prosody[1193]: s2sout1473000: Connection attempt in progress... Feb 11 10:38:48 prosody prosody[1193]: socket: server.lua: client 173.194.69.125:clientport read error: closed Feb 11 10:38:48 prosody prosody[1193]: s2sout10e1b40: s2s disconnected: metaccount.de->gmail.com (closed) Feb 11 10:38:48 prosody prosody[1193]: s2sout10e1b40: Destroying outgoing session metaccount.de->gmail.com: closed Feb 11 10:38:48 prosody prosody[1193]: socket: server.lua: closed client handler and removed socket from list Feb 11 10:38:48 prosody prosody[1193]: s2sout1473000: sending: <?xml version='1.0'?> Feb 11 10:38:48 prosody prosody[1193]: s2sout1473000: sending: <stream:stream xmlns:db='jabber:server:dialback' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='metaccount.de' to='gmx.net' xml:lang='en' xmlns='jabber:server'> Feb 11 10:38:48 prosody prosody[1193]: s2sout1473000: Received[s2sout_unauthed]: <features xmlns='http://etherx.jabber.org/streams'> Feb 11 10:38:48 prosody prosody[1193]: metaccount.de:tls: Received features element Feb 11 10:38:48 prosody prosody[1193]: metaccount.de:tls: gmx.net is offering TLS, taking up the offer... Feb 11 10:38:48 prosody prosody[1193]: s2sout1473000: sending: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/> Feb 11 10:38:48 prosody prosody[1193]: s2sout1473000: Received[s2sout_unauthed]: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'> Feb 11 10:38:48 prosody prosody[1193]: metaccount.de:tls: Proceeding with TLS on s2sout... Feb 11 10:38:48 prosody prosody[1193]: socket: server.lua: attempting to start tls on tcp{client}: 0x13e6558 Feb 11 10:38:48 prosody prosody[1193]: socket: server.lua: ssl handshake error: closed Feb 11 10:38:48 prosody prosody[1193]: s2sout1473000: s2s connection attempt failed: ssl handshake failed Feb 11 10:38:48 prosody prosody[1193]: s2sout1473000: Out of connection options, can't connect to gmx.net Feb 11 10:38:48 prosody prosody[1193]: mod_s2s: No other records to try for gmx.net - destroying Feb 11 10:38:48 prosody prosody[1193]: s2sout1473000: Destroying outgoing session metaccount.de->gmx.net: Connecting failed: ssl handshake failed Feb 11 10:38:48 prosody prosody[1193]: s2sout1473000: sending error replies for 1 queued stanzas because of failed outgoing connection to gmx.net </pre> Here you can see that gmx.net at least supports TLSv1 and cipher AES256-SHA (0x35) https://xmpp.net/result.php?domain=gmx.net&type=server so does my server: https://xmpp.net/result.php?domain=metaccount.de&type=server Don't know where the Problem is.

missed some information about my installation: Ubuntu 13.10 (GNU/Linux 3.11.0-12-generic x86_64) prosody 0.9.3-1~saucy lua-sec-prosody 0.5.1-2~saucy

Hi! Could you collect a packet capture of the server-to-server communication failing? Something like "tcpdump -s0 -i eth0 -nn -w ~/gmx-xmpp.pcap 'host 213.165.65.40 and port 5269'" should do the trick ("eth0" may not be the right interface). Please feel free to join the Prosody MUC (prosody@conference.prosody.im/prosody, or https://prosody.im/chat) if you run into any difficulties with that.

well, here it is. thanks in advance.

• gmx-xmpp.pcap

any progress on that already?

i've had a couple of tries on this again. it seems that its only not working when i add my intermediate ca-cert to my own certificate as described here: https://prosody.im/doc/certificates#certificate_chains when i only provide my certificate a can connect to gmx.net successfully, but i got an F-rating from xmpp.net.

I confirm the behaviour mentioned in comment #6.

I think the client key exchange/certificate verify of these servers are broken (or they don't accept long key chains). When I try it then the gmx server just closes the connection. The client key exchange seems to be automatically disabled by openssl when my certificate chain isn't full. The only workaround right now seems to install https://prosody-modules.googlecode.com/hg/mod_s2s_never_encrypt_blacklist/mod_s2s_never_encrypt_blacklist.lua and add following to your configuration (maybe even more servers). tls_s2s_blacklist = { "gmx.net", "gmx.de", "web.de", "online.de" } They also don't transport their own full certificate chain. This is also the reason why the xmpp.net results look so extreme bad: https://xmpp.net/result.php?id=42058

Just debugged more and the GMX server is closing (FIN) the connection right before the "Client Key Exchange, Certificate Verify, Change Cipher Spec, Encrypted Handshake Message" ssl packet. So it is more likely the certificate chain from the prosody server which ruins the GMX server in some way

Someone contacted United Internet (GMX, Web.de, 1und1) support about this problem?

No, the gmx and web.de support just answers with "we provide no support for our free products" and I am not a customer of 1und1. Maybe some 1und1 customer can contact them And I found a different workaround for startssl certificates. You have to create a sha1 signed certificate (not sha2/sha256/sha512) and added following certificates (intermediate, root) to our certificate file (at the end): * https://www.startssl.com/certs/sub.class1.server.ca.pem * https://www.startssl.com/certs/ca.pem If you are not a class1 certificate user then you have to use a different one. Just make sure that it is the sha1 signed one. So it seems that the GMX breaks when it tries to validate a complete certificate chain with SHA2/SHA256/SHA512 certificates.

Just as hint for anyone wanting to create their own certificate request: You have to add "-sha1" to the "openssl req" call. Otherwise it will create a sha256(+rsa) signature of the request and then startssl will also sign it with this digest.

s2s_never_encrypt_blacklist does not seem to work. I have set modules_enabled = {… "s2s_never_encrypt_blacklist", …} and tls_s2s_blacklist = { "web.de", "gmx.net", "gmail.com" }, but still it tries to connect to those servers using starttls: E.g. "gmx.de is offering TLS, taking up the offer..." See-Also: https://code.google.com/p/prosody-modules/issues/detail?id=59

Just for information: The problematic server from 1und1, gmx and web are now deactivated.

Thanks for the info! Closing this issue then.

• tags Status-CantFix
• owner MattJ