So, I investigated the federation troubles a bit:
Some clients and/or servers use elliptic curve cryptography which we didn't
support due to a bug in OpenJDK. I applied the workaround suggested
there and now at least the logs are almost quiet. I also created an account
at comm.unicate.me and was able to authorize my jit.si account.
Openfire still complains from time to time about invalid packets received in
dialback responses (see the attachment). I'd say this is because ejabberd
tries to establish a TLS connection to deliver the dialback results. Bug
OF-443 (the SSL port number, how ironic) seems to be related.
I'm not sure whether Openfire chokes on this or just warns and some higher
level processes the result anyway. If anyone has a clue about dialback
validation in combination with STARTTLS, please step out.
I can't diagnose any further on jit.si without restarting the server a
couple of times more, and I apologize for the two restarts this evening.
Summarizing, I don't think we have something wrong in our configuration
(anymore). If it works for you now, it was the OpenJDK bug, if it still
doesn't work, I'm starting to blame either Openfire or ejabberd.
fed-logs.txt (3.4 KB)