
aSmack SCRAM-SHA-1 SASLMechanism

I have to create a chat for Android that uses an XMPP server.

I downloaded and studied the aSmack library and I could see that it is well made and easy to implement; congratulations on the work you are doing.

I have a problem: after connecting, the server that I'm trying to log in to returns XML like this:

<stream:features>

<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>

<mechanism>SCRAM-SHA-1</mechanism>

<mechanism>PLAIN</mechanism>

</mechanisms>

<register xmlns='http://jabber.org/features/iq-register'/>

<auth xmlns='http://jabber.org/features/iq-auth'/>

</stream:features>

By checking the sources, however, I realized that the community has not yet implemented the SCRAM-SHA-1 mechanism.

The server's support told me that I necessarily have to use the SCRAM-SHA-1 mechanism.

Could you help me? Thanks

The server also announces that it supports PLAIN, which should be supported by (a)Smack.

Hello, thanks for the reply, but

the server's support told me that I necessarily have to use the SCRAM-SHA-1 mechanism.

Then ask them why they advertise PLAIN.

On the one hand SCRAM is the only mandatory mechanism (http://xmpp.org/rfcs/rfc6120.html#security-mti-auth)

but your server also advertises PLAIN, probably because of

http://xmpp.org/rfcs/rfc6120.html#security-mti-bothpass

However, offering TLS plus SASL PLAIN even when the server supports more secure alternatives might be appropriate if the server needs to enable interoperability with an installed base of clients that do not yet support SCRAM or other alternatives that are more secure than TLS plus SASL PLAIN.

On the other hand, I know that Facebook's XMPP server (which I believe is ejabberd) advertises PLAIN too, but it won't work if you don't use a TLS-secured connection.

Now you can blame Smack for not supporting a mandatory-to-implement mechanism, and at the same time you can blame your server for advertising PLAIN although it (supposedly) doesn't work.
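For reference, this is the computation a client has to perform to answer a SCRAM-SHA-1 challenge, the part the thread says was missing from (a)Smack. It is an added example, not part of the original thread and not Smack code: the class and method names are hypothetical, it assumes a Java 8+ standard library, ASCII credentials (no SASLprep normalization) and no channel binding, and it uses the sample exchange from RFC 5802, section 5 as input.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class ScramSha1ClientExample {
    static byte[] hmac(byte[] key, String msg) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA1");
        mac.init(new SecretKeySpec(key, "HmacSHA1"));
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    // Builds the client-final-message from the server-first-message (RFC 5802, section 3).
    static String clientFinal(String password, String clientFirstBare,
                              String serverFirst, String clientNonce) throws Exception {
        String r = null, s = null;
        int i = 0;
        for (String attr : serverFirst.split(",")) {
            if (attr.startsWith("r=")) r = attr.substring(2);
            else if (attr.startsWith("s=")) s = attr.substring(2);
            else if (attr.startsWith("i=")) i = Integer.parseInt(attr.substring(2));
        }
        // The combined nonce must start with our own nonce and add server entropy.
        if (r == null || s == null || i <= 0
                || !r.startsWith(clientNonce) || r.length() == clientNonce.length())
            throw new SecurityException("bad server-first-message");
        byte[] salt = Base64.getDecoder().decode(s);
        // SaltedPassword = Hi(password, salt, i), i.e. PBKDF2-HMAC-SHA1 with 160-bit output.
        byte[] salted = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                .generateSecret(new PBEKeySpec(password.toCharArray(), salt, i, 160)).getEncoded();
        byte[] clientKey = hmac(salted, "Client Key");
        byte[] storedKey = MessageDigest.getInstance("SHA-1").digest(clientKey);
        String withoutProof = "c=biws,r=" + r; // "biws" = base64("n,,"), no channel binding
        byte[] signature = hmac(storedKey, clientFirstBare + "," + serverFirst + "," + withoutProof);
        byte[] proof = new byte[clientKey.length];
        for (int k = 0; k < proof.length; k++) proof[k] = (byte) (clientKey[k] ^ signature[k]);
        return withoutProof + ",p=" + Base64.getEncoder().encodeToString(proof);
    }

    public static void main(String[] args) throws Exception {
        // Exchange from the example in RFC 5802, section 5 (user "user", password "pencil").
        String nonce = "fyko+d2lbbFgONRv9qkxdawL";
        String serverFirst = "r=" + nonce + "3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096";
        System.out.println(clientFinal("pencil", "n=user,r=" + nonce, serverFirst, nonce));
    }
}
```

The printed line can be compared with the client-final-message in RFC 5802, section 5. A complete client also has to verify the server signature in the server-final-message before treating the login as successful.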