Login issues since Spark 2.8.0

Document created by wroot Champion on Aug 26, 2016. Last modified by wroot Champion on Oct 1, 2016.

Since Spark 2.8.0 uses the latest version of Smack (4.x), it has become obvious that many users have incorrect setups. Some log in to the server using an IP address, and some use the server's hostname, which doesn't match their Openfire server's XMPP domain name. As Smack 4.x is more secure, it does not allow a connection when the TLS certificate seems invalid. This is not a bug, but a security improvement in Smack and Spark which should have been there from the beginning. One can work around this by rolling back to version 2.7.7 (which still uses the 4-year-old Smack 3.x). But starting with Openfire 4.1.0 you might hit the same problem again, because of changes in that Openfire version. So we encourage users to fix their setups instead.


How it works:

Say you have a PC called "Junk". You install Openfire on it. When you go through the web setup, it usually suggests giving your domain the same name, "Junk". But say you change it to "MyIMserver". You create a user "john". In XMPP, a full username has the form username@domain, so in this case you should be logging in to Openfire as john@myimserver. But that won't automatically work if you have no DNS entry with that name pointing to your "Junk" machine. Moreover, when Openfire finishes its setup it automatically generates TLS certificates for the domain name, in our case myimserver. When you log in to a server over a secure, encrypted TLS connection, the client checks the certificates provided by the server: whether the domain name matches, whether the certificate has expired, etc. So if you try to log in with john@IP or john@junk, the client will see that the certificate is for the myimserver domain, while you are trying to log in to junk or some other server. The names do not match, and the client (Spark in this case) is protecting you from a malicious connection.
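The name check described above, as an added example (it is not Spark's or Smack's code): a simplified Python version that compares the server part of a login against the names in a certificate. The certificate dictionary follows the shape of Python's ssl.getpeercert() output; its contents and the address 192.0.2.10 are constructed sample values, and XMPP-specific certificate fields are not covered.

```python
import ipaddress

# Constructed sample: a certificate issued for the XMPP domain "myimserver".
SAMPLE_CERT = {
    "subject": ((("commonName", "myimserver"),),),
    "subjectAltName": (("DNS", "myimserver"),),
}

def _dns_match(pattern, host):
    """Case-insensitive label match; '*' may only replace the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:  # refuse over-broad patterns such as "*.org"
        return p[1:] == h[1:]
    return p == h

def cert_names(cert):
    """Return (dns_names, ip_names) from an ssl.getpeercert()-style dict."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [v for k, v in san if k == "IP Address"]
    if not dns and not ips:  # legacy fallback: subject commonName
        dns = [v for rdn in cert.get("subject", ()) for k, v in rdn
               if k == "commonName"]
    return dns, ips

def server_part(login):
    """Extract the server from 'user@server/resource' (or a bare server name)."""
    return login.split("/", 1)[0].rsplit("@", 1)[-1]

def check_login(login, cert):
    """Return (ok, reason): does the server typed by the user match the cert?"""
    host = server_part(login)
    dns, ips = cert_names(cert)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # not an IP literal: compare against DNS names
        ok = any(_dns_match(p, host) for p in dns)
    else:               # IP literal: only an IP entry in the cert can match
        ok = any(ipaddress.ip_address(i) == addr for i in ips)
    return ok, "match" if ok else f"{host!r} not in certificate names {dns + ips}"

if __name__ == "__main__":
    for login in ("john@myimserver", "john@junk", "john@192.0.2.10"):
        print(login, "->", check_login(login, SAMPLE_CERT))
```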


What to do:

You have to use your Openfire's domain name as the server in the client. Spark currently has no GUI to let you add an exception the way internet browsers do, so it silently drops the connection. There are two ways:

  1. DNS - the best way is to have some sort of DNS and add an entry there which points the myimserver name to that PC. Say, a CNAME or HOST A record "myimserver" pointing to that PC. DNS is better, because if the server's IP changes, you don't have to change settings on every client. You just modify the DNS entry.
  2. If you don't know what DNS is, can't modify it, etc., you can put myimserver as the Server on Spark's login screen, then press the Advanced button and uncheck Automatically detect host and port. Put into Host field. Make sure that Accept all certificates is checked (this option allows the use of self-signed certificates, which are the default ones generated by Openfire). Press OK. Try to log in.


You can download older versions of Spark by substituting the version number in the download URL, say 2.7.7 exe with java: Ignite Realtime: Download Landing

Or you can use 2.8.1, which has an option (in the Advanced menu on the Login screen) to disable certificate hostname verification. But keep in mind that this will make your client vulnerable to a certificate spoofing attack.