Net::Jabber SSL Connections

Until recently being introduced to Jive Messenger, fantastic server by the way, I was using Jabberd 1.4.x. I wrote a bot using the Perl Net::Jabber library that would connect to my jabber server just like a user and people could send it messages and it would return responses.

After making the switch to Jive Messenger, my jabber bot can no longer connect. I have it trying to connect via SSL, just like on my previous server, but now I get a message like “Ident/Auth failed”. My logs on Jive Messenger look like this…

2005.10.15 15:41:39 SaslException

javax.security.sasl.SaslException: DIGEST-MD5: digest response format violation. Mismatched URI: /; expecting: xmpp/my.server.com

at com.sun.security.sasl.digest.DigestMD5Server.validateClientResponse(Unknown Source)

at com.sun.security.sasl.digest.DigestMD5Server.evaluateResponse(Unknown Source)

at org.jivesoftware.messenger.net.SASLAuthentication.doHandshake(SASLAuthentication.java:187)

at org.jivesoftware.messenger.net.SocketReader.readStream(SocketReader.java:254)

at org.jivesoftware.messenger.net.SocketReader.run(SocketReader.java:114)

at java.lang.Thread.run(Unknown Source)

Has anyone else successfully used the Net::Jabber module with Jive Messenger over SSL?

I'm having the exact same problem, but connecting via port 5222. I can connect to jabberd just fine with the exact same perl script.

Any ideas?

hi there,

i have the same problem … connecting to jabberd worked without any problems.

connecting to wildfire (2.4.2) does not work.

here's the log output of the wildfire server:

2006.01.17 16:50:53 SaslException

javax.security.sasl.SaslException: DIGEST-MD5: digest response format violation. Mismatched URI: /; expecting: xmpp/jabber.intra.sskm.de

at com.sun.security.sasl.digest.DigestMD5Server.validateClientResponse(Unknown Source)

at com.sun.security.sasl.digest.DigestMD5Server.evaluateResponse(Unknown Source)

at org.jivesoftware.wildfire.net.SASLAuthentication.doHandshake(SASLAuthentication.java:192)

at org.jivesoftware.wildfire.net.SocketReader.authenticateClient(SocketReader.java:309)

at org.jivesoftware.wildfire.net.SocketReader.readStream(SocketReader.java:270)

at org.jivesoftware.wildfire.net.SocketReader.run(SocketReader.java:119)

at java.lang.Thread.run(Unknown Source)

the output of the perl script can be seen at http://pastebin.com/509985

the used username was “nagios”, password to authenticate also “nagios”

edit:

the thread title is a bit wrong … it doesn't have to do anything with ssl but sasl

i have exactly the same problem. i want to run it with nagios in our company. so if a developer or someone has an idea how to handle this…i would be so thankful

a quick check of my pastebin link showed, that the log there has disappeared.

so here's the output once again, i hope some of the developers can fix the problem

username: nagios, password: nagios

XML::Stream: new: hostname = (lnx024200202.vz.intra.sskm.de)

XML::Stream: SetCallBacks: tag(node) func(CODE(0xa2d8c58))

XMPP::Conn: SetCallBacks: tag(message) func(CODE(0x9d2b290))

XMPP::Conn: SetCallBacks: tag(presence) func(CODE(0x9d2b230))

XMPP::Conn: SetCallBacks: tag(iq) func(CODE(0x9d2b1d0))

XMPP::Conn: SetDirectXPathCallBacks: xpath(/[@xmlns=“urn:ietf:params:xml:ns:xmpp-tls”]) func(CODE(0xa3d73c0))

XMPP::Conn: SetDirectXPathCallBacks: xpath(/[@xmlns=“urn:ietf:params:xml:ns:xmpp-sasl”]) func(CODE(0xa3d74d4))

XMPP::Conn: Connect: host(jabber.intra.sskm.de:5222) namespace(jabber:client)

XMPP::Conn: Connect: timeout(10)

XML::Stream: Connect: type(tcpip)

XML::Stream: Connect: Got a connection

XML::Stream: Send: ()

XML::Stream: handleroot: sid(newconnection) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) tag(stream:stream) att( xmlns jabber:client xmlns:stream http://etherx.jabber.org/streams version 1.0 from jabber.intra.sskm.de id 7c0179d2 xml:lang en )

XML::Stream: Node: handleelement: sid(newconnection) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) tag(stream:features) att( )

XML::Stream: Node: handleelement: check( -1 )

XML::Stream: Node: handleelement: sid(newconnection) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) tag(starttls) att( xmlns urn:ietf:params:xml:ns:xmpp-tls )

XML::Stream: Node: handleelement: check( 0 )

XML::Stream: Node: handleclose: sid(newconnection) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) tag(starttls)

XML::Stream: Node: handleclose: check( 1 )

XML::Stream: Node: handleclose: check2( 0 )

XML::Stream: Node: handleelement: sid(newconnection) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) tag(mechanisms) att( xmlns urn:ietf:params:xml:ns:xmpp-sasl )

XML::Stream: Node: handleelement: check( 0 )

XML::Stream: Node: handleelement: sid(newconnection) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) tag(mechanism) att( )

XML::Stream: Node: handleelement: check( 1 )

XML::Stream: Node: handlecdata: sid(newconnection) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) cdata(CRAM-MD5)

XML::Stream: Node: handlecdata: sax(XML::Stream::Parser=HASH(0xa3dbb8c)) cdata(CRAM-MD5)

XML::Stream: Node: handleclose: sid(newconnection) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) tag(mechanism)

XML::Stream: Node: handleclose: check( 2 )

XML::Stream: Node: handleclose: check2( 1 )

XML::Stream: Node: handleelement: sid(newconnection) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) tag(mechanism) att( )

XML::Stream: Node: handleelement: check( 1 )

XML::Stream: Node: handlecdata: sid(newconnection) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) cdata(DIGEST-MD5)

XML::Stream: Node: handlecdata: sax(XML::Stream::Parser=HASH(0xa3dbb8c)) cdata(DIGEST-MD5)

XML::Stream: Node: handleclose: sid(newconnection) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) tag(mechanism)

XML::Stream: Node: handleclose: check( 2 )

XML::Stream: Node: handleclose: check2( 1 )

XML::Stream: Node: handleelement: sid(newconnection) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) tag(mechanism) att( )

XML::Stream: Node: handleelement: check( 1 )

XML::Stream: Node: handlecdata: sid(newconnection) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) cdata(PLAIN)

XML::Stream: Node: handlecdata: sax(XML::Stream::Parser=HASH(0xa3dbb8c)) cdata(PLAIN)

XML::Stream: Node: handleclose: sid(newconnection) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) tag(mechanism)

XML::Stream: Node: handleclose: check( 2 )

XML::Stream: Node: handleclose: check2( 1 )

XML::Stream: Node: handleclose: sid(newconnection) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) tag(mechanisms)

XML::Stream: Node: handleclose: check( 1 )

XML::Stream: Node: handleclose: check2( 0 )

XML::Stream: Node: handleelement: sid(newconnection) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) tag(register) att( xmlns http://jabber.org/features/iq-register )

XML::Stream: Node: handleelement: check( 0 )

XML::Stream: Node: handleclose: sid(newconnection) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) tag(register)

XML::Stream: Node: handleclose: check( 1 )

XML::Stream: Node: handleclose: check2( 0 )

XML::Stream: Node: handleclose: sid(newconnection) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) tag(stream:features)

XML::Stream: Node: handleclose: check( 0 )

XML::Stream: Node: handleclose: check2( -1 )

XMPP::Conn: Connect: connection made

XML::Stream: SetCallBacks: tag(node) func(CODE(0xa3d8ecc))

XMPP::Conn: AuthSASL: shiney new auth

XML::Stream: Send: ()

XML::Stream: Node: handleelement: sid(7c0179d2) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) tag(challenge) att( xmlns urn:ietf:params:xml:ns:xmpp-sasl )

XML::Stream: Node: handleelement: check( -1 )

XML::Stream: Node: handlecdata: sid(7c0179d2) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) cdata(cmVhbG09ImphYmJlci5pbnRyYS5zc2ttLmRlIixub25jZT0iSDJrd1BNWlRKekNCaGEyRmtoczdUczFwSGtEL2lyd2NTd1Avd1doYiIscW9wPSJhdXRoIixjaGFyc2V0PSJ1dGYtOCIsYWxnb3JpdGhtPSJtZDUtc2VzcyI=)

XML::Stream: Node: handlecdata: sax(XML::Stream::Parser=HASH(0xa3dbb8c)) cdata(cmVhbG09ImphYmJlci5pbnRyYS5zc2ttLmRlIixub25jZT0iSDJrd1BNWlRKekNCaGEyRmtoczdUczFwSGtEL2lyd2NTd1Avd1doYiIscW9wPSJhdXRoIixjaGFyc2V0PSJ1dGYtOCIsYWxnb3JpdGhtPSJtZDUtc2VzcyI=)

XML::Stream: Node: handleclose: sid(7c0179d2) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) tag(challenge)

XML::Stream: Node: handleclose: check( 0 )

XML::Stream: Node: handleclose: check2( -1 )

XML::Stream: Send: ()

XML::Stream: Node: handleelement: sid(7c0179d2) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) tag(failure) att( xmlns urn:ietf:params:xml:ns:xmpp-sasl )

XML::Stream: Node: handleelement: check( -1 )

XML::Stream: Node: handleelement: sid(7c0179d2) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) tag(not-authorized) att( )

XML::Stream: Node: handleelement: check( 0 )

XML::Stream: Node: handleclose: sid(7c0179d2) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) tag(not-authorized)

XML::Stream: Node: handleclose: check( 1 )

XML::Stream: Node: handleclose: check2( 0 )

XML::Stream: Node: handleclose: sid(7c0179d2) sax(XML::Stream::Parser=HASH(0xa3dbb8c)) tag(failure)

XML::Stream: Node: handleclose: check( 0 )

XML::Stream: Node: handleclose: check2( -1 )

XML::Stream: Process: block(0)

XMPP::Conn: AuthSASL: Authentication failed.

Ident/Auth with server failed: error - not-authorized

Hey guys,

I'm not a security expert but after googling around I think that the error reported by the server explains the reason of the problem. The digest-uri included in the response is incorrect. According to http://www.ietf.org/rfc/rfc2831.txt the digest-uri included in the response (to the challenge) should be the server name. In the error you can see the expected value so I would recommend trying to send that value.

Hope that helps,

– Gato
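The digest-uri check behind the server's "Mismatched URI" error, as an added example that is not part of the original posts and not code from Net::XMPP or Wildfire: it computes the RFC 2831 response value and shows a server-side check rejecting digest-uri="/" while accepting "xmpp/" followed by the host. The host, user, password and nonces are constructed values, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

def parse_directives(text):
    """Split RFC 2831 directives (key=value or key="value") into a dict."""
    pairs = re.findall(r'([\w-]+)=("[^"]*"|[^,]*)', text)
    return {key: value.strip('"') for key, value in pairs}

def response_value(user, realm, password, nonce, cnonce, digest_uri,
                   nc="00000001", qop="auth"):
    """RFC 2831 section 2.1.2.1 response for qop=auth, no authzid."""
    secret = hashlib.md5(f"{user}:{realm}:{password}".encode()).digest()
    ha1 = hashlib.md5(secret + f":{nonce}:{cnonce}".encode()).hexdigest()
    # A2 binds the hash to the service: "AUTHENTICATE:" + serv-type/host
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode()).hexdigest()
    kd = f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}"
    return hashlib.md5(kd.encode()).hexdigest()

def build_response(challenge_b64, user, password, digest_uri, cnonce):
    """Client side: answer a base64 challenge with the given digest-uri."""
    ch = parse_directives(base64.b64decode(challenge_b64).decode())
    resp = response_value(user, ch["realm"], password, ch["nonce"],
                          cnonce, digest_uri)
    return (f'username="{user}",realm="{ch["realm"]}",nonce="{ch["nonce"]}",'
            f'cnonce="{cnonce}",nc=00000001,qop=auth,'
            f'digest-uri="{digest_uri}",response={resp},charset=utf-8')

def server_accepts(response_text, password, expected_uri):
    """Server side: check digest-uri first, then the response hash."""
    r = parse_directives(response_text)
    if r["digest-uri"] != expected_uri:
        return False  # the "Mismatched URI" rejection seen in the log
    want = response_value(r["username"], r["realm"], password, r["nonce"],
                          r["cnonce"], r["digest-uri"], r["nc"], r["qop"])
    return hmac.compare_digest(want, r["response"])

# Constructed sample values (not taken from the thread).
HOST, USER, PASSWORD, CNONCE = "chat.example.org", "bot", "s3cret", "c0nstructed"
CHALLENGE = base64.b64encode(
    b'realm="chat.example.org",nonce="bm9uY2U=",qop="auth",'
    b'charset=utf-8,algorithm=md5-sess').decode()

if __name__ == "__main__":
    for uri in (f"xmpp/{HOST}", "/"):
        reply = build_response(CHALLENGE, USER, PASSWORD, uri, CNONCE)
        print(uri, "->", server_accepts(reply, PASSWORD, f"xmpp/{HOST}"))
```

Because digest-uri is hashed into the response, the client has to compute the hash over the same "xmpp/host" string it sends; changing only the transmitted directive is not enough.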

i tried to put a “xmpp/” before the server name in the script with no success…mhhh…this just is with wildfire…does someone else have a good idea? but thank you already

hehe… i have just gone wild by simply commenting out Net::XMPP::Protocol.pm line 1772 to disable SASL.

Anyone know a more elegant solution?

i will try that after lunch

Edit: yeah it worked, that's what i wanted to read. even if this is quick and dirty but it works fine. thank you.

Message was edited by:

mpreuss

Commenting out line 1772 of Net::XMPP::Protocol.pm worked for me as well.

This is a short term solution at best. It looks like either the Authen::SASL module that Net::XMPP uses isn't constructing the SASL response properly or the Java SASL implementation isn't accepting a valid response. If I get some time on the weekend I'll add some debug statements to Net::XMPP to see what it's putting in the response. There's a lot of traffic on the Java Bug Parade regarding their SASL implementation but I haven't seen this particular problem addressed.

Instead of commenting out line 1772 as others suggested one can just replace AuthSend() with AuthIQAuth(). A look at the module Net::XMPP::Protocol.pm shows that if SASL isn't supported by the server it's what gets called (which is what was forced when people commented out line 1772).

This would be a nicer way of getting the old Authentication without SASL.

-Torawk

Thanks Torawk - this works nicely for me!

Mark