Could not connect to Jabber: An unexpected SSL error occurred. [-9843]

Question

Level 1

138 points

Could not connect to Jabber: An unexpected SSL error occurred. [-9843]

A post in the Mac OS X Server:Collaboration Services forum mentions having this issue, and he was able to solve it by deleting a self-signed cert from the X509Anchors keychain; however, in my case there is no self-signed cert in the X509Anchors file to delete.

On my wife's iBook G3 running 10.4.7, iChat gives the -9843 SSL error when trying to connect to a jabber server that I control.

The same jabber account works fine in a "clean" user account on the same system, so it's not a system keychain problem or a jabber server problem. There must be something in her user account that is hosing iChat's jabber connection.

I have tried deleting all the ~/Library/Preferences/com.apple.iChat* files, and any other iChat-related files I could find in her entire user directory. No joy.

Any ideas? What other files does iChat use, specifically for jabber security information?

15" PowerBook G4/1GHz/1GB/100GB/SD, Mac OS X (10.4.7)

Posted on Jul 1, 2006 7:56 PM

Reply

Answer 1

Jul 1, 2006 11:15 PM in response to JLG89

Your Jabber server might not support SSL. iChat enables SSL on Jabber accounts by defalut. Go to account preferences and disable SSL on the server settings tab.

Reply

Answer 2

JLG89 Author

Level 1

138 points

Jul 2, 2006 5:55 AM in response to Jason Weinstein2

Nope. As I mentioned, the same login works fine in a "clean" test account on the same system. Other users on other systems have no problems either. The server supports SSL and is configured properly.

Reply

Answer 3

Jul 2, 2006 12:56 PM in response to JLG89

Hi JLG89,

Which Jabber Server ?

Which Jabber Ports do you have open ?

Google talk and some "older" servers require 5223 on TCP to be open.

And are you actually using a SSL login: set in iChat Accounts ?

8:55 PM Sunday; July 2, 2006

Reply

Answer 4

JLG89 Author

Level 1

138 points

Jul 2, 2006 2:54 PM in response to JLG89

So far, folks seem to be centering on configuration issues. Let me reiterate the fact that, if I use the same jabber login, with identical settings, in iChat under a different user account on the same system, it works perfectly. Other jabber accounts, using iChat, with identical settings, on other client machines, to the same server, work perfectly.

In other words, the client settings are not the problem, nor is the server the problem.

Yes, I have deleted EVERY iChat preference & cache file, keychain entries, everything, and reconfigured iChat from scratch. Same problem. (No, it's not the iChat application itself, because it works fine on the same system in a different user account.)

When iChat (in the problem account) tries to connect to the jabber server, it's not even completing the SSL handshake. If I enable the "Warn before password is sent insecurely" preference, I never get any message--which tells me that the SSL failure is occurring very early in the connection sequence, before the user credentials are even sent.

It's not a firewall issue, because the firewall is disabled.

There has to be some other user-level non-iChat preference file that has some impact on iChat's SSL connections. That's what I'm looking for here.

Reply

Answer 5

Jul 2, 2006 3:12 PM in response to JLG89

Hi JGL89,

Ok then go for the delete of com.apple.ichat.Jabber.plist in the User/(Mac account)/Library/Preferences of the mac user in question

Restart iChat afterwards.

11:12 PM Sunday; July 2, 2006

Reply

Answer 6

JLG89 Author

Level 1

138 points

Jul 2, 2006 4:23 PM in response to Ralph-Johns-UK

Ralph, I'm not trying to be rude, and I really appreciate any help anyone can offer, but please read the previous posts before replying.

To restate and further clarify what I've already stated in previous posts, I have already deleted EVERY iChat preference file:
* all "~/Library/Preferences/ iChat" files
* any keychain items related to iChat, such as the AIM and Jabber login keys
* any other file in any other directory within the user's home folder that has anything to do with iChat

This did not fix the problem.

There has to be some other user-level preference file, or something, that affects iChat's SSL connections. I can't for the life of me figure out what it is, which is why I'm posting here.

Reply

Answer 7

Jul 3, 2006 2:03 PM in response to JLG89

Hi JLG89,

Maybe I should have been more pedantic in my answer.

I am unaware of any setting other than in iChat that effects this, apart form the Mac Firewall which I have already alluded to.

As I said before some Jabber servers need port 5223 to be open. This could be in the Mac Users Firewall setting for iChat ports. It needs to TCP.

It could be the the server does not like an SSL login or vice versa but agin this is set in the indvidual account within iChat.

If the .plist was corrupt and you deleted it and the keychain stuff at the same time you will have to set Jabber up again which should cure any problems here (of course providing you are not repeating a setting that is not working).

As this persist for one Mac User account the most likely thing is the Mac firewall.

10:03 PM Monday; July 3, 2006

Reply

Answer 8

JLG89 Author

Level 1

138 points

Jul 3, 2006 9:53 PM in response to JLG89

Interesting entries in the console log:

2006-07-03 23:38:19.088 iChatAgent[243] WARNING: SocketStream: CFStream error 3/-9843 occurred on input stream
2006-07-03 23:38:19.088 iChatAgent[243] WARNING: XMLStream: CFStream error 3/-9843 occurred on input
2006-07-03 23:38:19.089 iChatAgent[243] WARNING: JConnection: Error: An unexpected SSL error occured.
[-9843], type=2, code=-9843

These appear to be the same kinds of errors that folks used to have with the Google Talk service, which would lead me to believe that something is wrong with my server configuration; however, this is not the case, because other users can connect (using SSL on the same port) with no problems, and in fact the "problem" user can connect fine from a different Mac OS X login account.

And let me say again, since Ralph missed it the first time, that the Mac OS X firewall is not enabled in this user account. 🙂

Reply

Answer 9

Jul 4, 2006 12:40 PM in response to JLG89

Hi JLG89,

Is your server/modem/router set up to allow multiple computers to use the same ports ?

Are thsy in the same Subnet ?
Do you have subnets ?

Are a modem and Router both doing DHCP ?

8:40 PM Tuesday; July 4, 2006

Reply

Answer 10

JLG89 Author

Level 1

138 points

Jul 4, 2006 3:35 PM in response to Ralph-Johns-UK

Ralph! Check it out. From earlier posts in this thread:

"The same jabber account works fine in a 'clean' user account on the same system, so it's not a system keychain problem or a jabber server problem."

"Let me reiterate the fact that, if I use the same jabber login, with identical settings, in iChat under a different user account on the same system, it works perfectly. Other jabber accounts, using iChat, with identical settings, on other client machines, to the same server, work perfectly."

Maybe I'm missing something, but I'm wondering why a question about network configuration is relevant at this point? I performed (and documented in this thread) every troubleshooting measure you've suggested (and then some), before you suggested it. At this point, my conclusion (also posted earlier) is the following:

"There has to be some other user-level non-iChat preference file that has some impact on iChat's SSL connections. That's what I'm looking for here."

If you have some idea about this conclusion, I'm all ears. Please, though, stop posting troubleshooting suggestions that have already been covered in the thread. It's a waste of my time and yours, and you're hindering rather than helping.

Reply

Answer 11

Jul 5, 2006 12:29 PM in response to JLG89

Hi JlG89,

I understand the frustration that you have.

From my point of view I suggested a check of

and

Just to check they are exactly the same. You assure us that they are but do not comfirm they are in writing.
Note for my GoogleTalk setting the SSL is active. The port is 5223 in this case

I suggested that you check here

To make sure your Firewall settigns are the same. (Mine does not list the three Jabber ports 5220, 5222, 5223) 5223 is used by GoogleTalk and some older Jabber servers.

On the basis you have assured us that the above items are not a feature I have suggested that the ports in the modem and by implictaion the System Preferences > Network settings may differ.

This is likely to be something like the Location setting, which in turn holds info about being logged in from another point, either Wirelessly V Airport/Wirelessly and a different IP locally or it is a mobile computer and you have several Locations set as presets now.

That would then lead us to...
If the Jabber login is not working and these settings are all the same then the com.apple.ichat.Jabber.plist maybe corrupt and need deleting and iChat restarting to create a new one.

You are right, I don't have a direct answer. However I do find from experience that asking people to recheck some items works on a two heads are better than one method and can sometimes trigger something to be thought of that is not directly mentioned or considered.

I find your answers are like a mechanic saying over the phone, " Has it got Fuel ?"
You reply " Yes, of course"
Then when the guy gets there, he finds someone has put diesel in the tank.

Unless you are using Proxies, the above settings are the only ones that I can see that would effect this.

If you have Devleoper Tools you can inspect the .plists in each account (com.apple.ichat.Jabber.plist) and compare the visible items.
The iChat .plist do hold some invisible settings that often do not appear until you change things. As some things can not be changed they stay hidden. Hence the suggestion to delete and restart.

One final thing that occures to me now is to check the Keychain and password for the Jabber account.

FAQ written prior to Jabber but usable http://discussions.apple.com/thread.jspa?threadID=121885

8:29 PM Wednesday; July 5, 2006

Reply

Answer 12

JLG89 Author

Level 1

138 points

Jul 16, 2006 2:07 PM in response to JLG89

Thanks go once again to Ralph for not paying attention and taking up scads of screen real estate with posts that are no help whatsoever. I can't imagine that anyone else is keeping up with this thread, but just in case you are, I want to once again reiterate the focus of my question, Ralph's ramblings notwithstanding.

iChat will not establish an SSL session to a jabber server. The console log shows:

2006-07-16 15:48:03.423 iChatAgent[90] WARNING: SocketStream: CFStream error 3/-9843 occurred on input stream
2006-07-16 15:48:03.423 iChatAgent[90] WARNING: XMLStream: CFStream error 3/-9843 occurred on input
2006-07-16 15:48:03.523 iChatAgent[90] WARNING: JConnection: Error: An unexpected SSL error occured.
[-9843], type=2, code=-9843

And, for Ralph's sake:

Is it an iChat configuration problem? No: The same jabber account, under a different Mac OS X user account, works fine.

Is it a jabber server problem? No: The same jabber account, under the "problem" Mac OS X user account, but with SSL disabled, works fine.

Is it a jabber server configuration issue? No: Other jabber accounts on the same jabber server, with SSL enabled, from the same client machine, work fine.

Is it a Mac OS X firewall configuration issue? No: the Mac OS X firewall is disabled.

Is it a network/router/firewall issue? No: other jabber logins, from another user account on the same client machine, work fine.

Is it a corrupted iChat preferences issue? No: I have deleted every iChat preference file in ~/Library/Preferences and ~/Library/Caches, and every cached settings file in /Library/Caches associated with this user. Rebooted, reconfigured iChat, same problem.

Hasn't Ralph been at all helpful? No, he hasn't. Anybody else care to give it a shot?

Reply

Answer 13

JLG89 Author

Level 1

138 points

Jul 16, 2006 2:26 PM in response to JLG89

To (finally) answer my own question:

Even if you delete all iChat-related keys in your login keychain, it is possible for some jabber-related information to remain--possibly through corrupted keychain data; I'm not sure. Deleting the user's keychain file, logging out and back in, and re-entering passwords etc. seems to have fixed the odd jabber/SSL problem.

Again, just deleting the keys from within the keychain (using Keychain Access) won't do the trick; you have to move the entire keychain file from ~/Library/Keychains to the desktop (or elsewhere), logout/login to create a new keychain, and go to town. If the old keychain contains desperately-needed keys, export them first using Keychain Access, then import them into the new keychain once it's in place.

Reply

Answer 14

Jul 16, 2006 2:48 PM in response to JLG89

Hi JLG89,

The same jabber account, under the "problem" Mac OS X user account, but with SSL disabled, works fine.

Ahh the bit I was trying to point out. Or at least get a definite answer on.

I understand that you have other Jabber accounts that do allow an SSL login. And that they are with the same Jabber server.

You have already tried a .plist delete with no luck.

I do read that you say the Mac Firewall is off... but...
That leaves that account (Mac user) with a firewall setting that misses either 5222 or 5223 depending on the server login port. These settings can vary from Mac user to Mac user.

Or the Jabber account is set to login on the wrong port.

This forum may be able to point where else SSL could be blocked.

I am sorry you do not like my style. It is pedantic and very concrete if I do not think I am getting the answers I am looking for.

I apologise for using this "two heads are better than one approach" if it offends you.

10:48 PM Sunday; July 16, 2006

Reply

Answer 15

Jul 16, 2006 3:07 PM in response to JLG89

Hi JLG89,

Glad to hear you found a solution.

11:08 PM Sunday; July 16, 2006

Reply