Fixed TLS for s2s. JM-1206

git-svn-id: http://svn.igniterealtime.org/svn/repos/openfire/trunk@9636 b35dd754-fafc-0310-a699-88a17e54d16e

src/java/org/jivesoftware/openfire/Connection.java

@@ -290,14 +290,22 @@ public interface Connection {
     PacketDeliverer getPacketDeliverer();
 
     /**
-     * Secures the plain connection by negotiating TLS with the client. When connecting
-     * to a remote server then <tt>clientMode</tt> will be <code>true</code> and
-     * <tt>remoteServer</tt> is the server name of the remote server. Otherwise <tt>clientMode</tt>
-     * will be <code>false</code> and  <tt>remoteServer</tt> null.
-     *
-     * @param clientMode boolean indicating if this entity is a client or a server.
-     * @param remoteServer server name of the remote server we are connecting to or <tt>null</tt>
-     *        when not in client mode.
+     * Secures the plain connection by negotiating TLS with the other peer. In a server-2-server
+     * connection the server requesting the TLS negotiation will be the client and the other server
+     * will be the server during the TLS negotiation. Therefore, the server requesting the TLS
+     * negotiation must pass <code>true</code> in the <tt>clientMode</tt> parameter and the server
+     * receiving the TLS request must pass <code>false</code> in the <tt>clientMode</tt> parameter.
+     * Both servers should specify the xmpp domain of the other server in the <tt>remoteServer</tt>
+     * parameter.<p>
+     *
+     * In the case of client-2-server the XMPP server must pass <code>false</code> in the
+     * <tt>clientMode</tt> parameter since it will behave as the server in the TLS negotiation. The
+     * <tt>remoteServer</tt> parameter will always be <tt>null</tt>.
+     *
+     * @param clientMode boolean indicating if this entity is a client or a server in the TLS negotiation.
+     * @param remoteServer xmpp domain of the remote server or <tt>null</tt>. When null a
+     *       {@link org.jivesoftware.openfire.net.ClientTrustManager} will be used for verifying certificates
+     *       otherwise a {@link org.jivesoftware.openfire.net.ServerTrustManager} will be used.
      * @param authentication policy to use for authenticating the remote peer.
      * @throws Exception if an error occured while securing the connection.
      */

src/java/org/jivesoftware/openfire/net/MultiplexerStanzaHandler.java

@@ -133,6 +133,7 @@ public class MultiplexerStanzaHandler extends StanzaHandler {
     }
 
     void startTLS() throws Exception {
-        connection.startTLS(false, null, Connection.ClientAuth.disabled);
+        // TODO Finish implementation. We need to get the name of the CM if we want to validate certificates of the CM that requested TLS
+        connection.startTLS(false, "IMPLEMENT_ME", Connection.ClientAuth.disabled);
     }
 }

src/java/org/jivesoftware/openfire/net/ServerStanzaHandler.java

@@ -15,8 +15,8 @@ import org.jivesoftware.openfire.Connection;
 import org.jivesoftware.openfire.PacketRouter;
 import org.jivesoftware.openfire.auth.UnauthorizedException;
 import org.jivesoftware.openfire.session.LocalIncomingServerSession;
-import org.jivesoftware.util.Log;
 import org.jivesoftware.util.JiveGlobals;
+import org.jivesoftware.util.Log;
 import org.xmlpull.v1.XmlPullParser;
 import org.xmlpull.v1.XmlPullParserException;
 import org.xmpp.packet.*;
@@ -84,12 +84,12 @@ public class ServerStanzaHandler extends StanzaHandler {
     }
 
     void startTLS() throws Exception {
-        // TODO Finish implementation. We need to get the name of the remote server!?!?
+        // TODO Finish implementation. We need to get the name of the remote server if we want to validate certificates of the remote server that requested TLS
 
         boolean needed = JiveGlobals.getBooleanProperty("xmpp.server.certificate.verify", true) &&
                 JiveGlobals.getBooleanProperty("xmpp.server.certificate.verify.chain", true) &&
                 !JiveGlobals.getBooleanProperty("xmpp.server.certificate.accept-selfsigned", false);
-        connection.startTLS(true, "IMPLEMENT_ME", needed ? Connection.ClientAuth.needed : Connection.ClientAuth.wanted);
+        connection.startTLS(false, "IMPLEMENT_ME", needed ? Connection.ClientAuth.needed : Connection.ClientAuth.wanted);
     }
     protected void processIQ(IQ packet) throws UnauthorizedException {
         packetReceived(packet);

src/java/org/jivesoftware/openfire/net/SocketReadingMode.java

@@ -69,7 +69,8 @@ abstract class SocketReadingMode {
         }
         // Client requested to secure the connection using TLS. Negotiate TLS.
         try {
-            socketReader.connection.startTLS(false, null, Connection.ClientAuth.disabled);
+            // Temporary workaround to force the usage of ServerTrustManager. This code is only used for s2s
+            socketReader.connection.startTLS(false, "IMPLEMENT_ME", Connection.ClientAuth.disabled);
         }
         catch (IOException e) {
             Log.error("Error while negotiating TLS: " + socketReader.connection, e);