Pandion not logging into Wildfire 3.2.0 release

I've just upgraded from Wildfire 3.1.1 to the new Wildfire 3.2.0 release and now my Pandion client is not able to log in.

Message trace between Pandion and Wildfire as follows:

EVNT: Connecting to myjabberserver.com

SENT:

Pandion then just sits waiting for a response from the Wildfire server. Spark client connects fine.

Anyone else observing this problem with Pandion 2.5?

Message was edited by: stuartbain

I was able to connect Pandion successfully by forcing it to "Not use Encryption", so I suspect there is a problem with the digital certificates, possibly at the Pandion end because Spark was OK.

I have this issue as well; I haven't tested without encryption yet, but I've reported it on the Pandion forums.

I also have this problem and can confirm it goes away by selecting “do not use encryption”. It was all working fine with 3.1.1.

I seem to have 2 self-signed certs in Wildfire 3.2.0 (RSA & DSA); it's an internal-only server so I've never had the need or the inclination to go and get a proper CA-approved cert and have always used the "John Doe" certs.

This is causing me an issue now as I have to roll back to 3.1.1, because I don't want to have to talk 20 Pandion users through changing client settings to remove encryption.

Signing in with Spark 2.0.8 works fine and we have another 20 of these clients.

Is there a step I've missed in the upgrade from 3.1.1 to 3.2.0, or a way of fixing this?

Is there an easy way of rolling the server back to 3.1.1?

thanks

Steve

I have a Pandion 2.5 client using port 5223, requiring SSL encryption. It logs in successfully to the very latest Wildfire 3.2 on Red Hat Enterprise 4.

Let me know what info I can provide if any.

Are you using the built-in self-signed certs in Wildfire, or are you using 3rd-party CA-approved certs?

Not sure it's relevant, but built-in DB or external DB for Wildfire?

What security settings do you have in Wildfire? I currently have both client and server set to Optional. With Pandion, I can only connect with it set to No Encryption. Set it to Use TLS if available, Require SSL or Require TLS and it doesn't connect.

Steve

A bit more of an update: if I turn off integrated authentication in Pandion, I can connect via SSL, and looking at the sessions in Wildfire it looks like that is how Spark is connecting (hover the mouse over the padlock and it says connected via SSL).

Force TLS or Use TLS if available does not connect. So does this mean it's only accepting secure connections on port 5223? Am I right in thinking it should also accept on 5222?

The built-in certs are the ones I'm using.

I use a MySQL DB.

I have security settings as Required for both client and server.

How did you do your install of 3.2?

I have always thought of port 5222 as unsecured and 5223 as secure. It's how I have my users thinking. They know that login is not possible on 5222 because it's unsecured.

No, 5223 is the port where clients implementing the old pre-standard protocol connect to have a secure connection. Wildfire listens for TLS-encrypted connections on this port (Legacy SSL). Port 5222 is the "standard" port, where a standards-compliant client always connects. Initially it connects without encryption, and immediately negotiates the use of a secure connection, after which it communicates securely on that same port.

I'm not sure what Pandion does, but I would assume it only understands the old protocol, which is to connect to port 5223 using encryption only, and to 5222 using non-encrypted connections only.
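The single-port negotiation described above, as an added example in Python that is not code from Pandion, Wildfire or the poster: the client sends its plain stream header on 5222, reads the server's <stream:features>, and only then asks for STARTTLS. The server replies are constructed inline, and the policy names ('require', 'if_available', 'none') are assumed stand-ins for Pandion's encryption settings.

```python
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"


def stream_header(domain):
    """Unencrypted stream header a client sends first on port 5222."""
    return ("<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' "
            "xmlns:stream='%s' version='1.0'>" % (domain, STREAM_NS))


def parse_features(features_xml):
    """Return (starttls_offered, starttls_required) from <stream:features>."""
    root = ET.fromstring(features_xml)
    starttls = root.find("{%s}starttls" % TLS_NS)
    if starttls is None:
        return (False, False)
    return (True, starttls.find("{%s}required" % TLS_NS) is not None)


def negotiate(domain, server_replies, policy):
    """Client side of the single-port handshake against constructed replies.

    policy is assumed to mirror Pandion's settings: 'require', 'if_available'
    or 'none'. server_replies holds the server's <stream:features>, then (if
    we send <starttls/>) its <proceed/> or <failure/>; a missing reply stands
    for a silent server, as in the trace at the top of the thread, and counts
    as failure. Returns (outcome, sent); outcome is 'tls', 'plain' or 'fail'.
    """
    sent = [stream_header(domain)]
    replies = iter(server_replies)
    empty = "<stream:features xmlns:stream='%s'/>" % STREAM_NS
    offered, required = parse_features(next(replies, empty))
    if policy == "none":          # client refuses TLS; server may insist on it
        return ("fail" if required else "plain", sent)
    if not offered:               # server offers no TLS on 5222
        return ("fail" if policy == "require" else "plain", sent)
    sent.append("<starttls xmlns='%s'/>" % TLS_NS)
    answer = ET.fromstring(next(replies, "<failure xmlns='%s'/>" % TLS_NS))
    if answer.tag == "{%s}proceed" % TLS_NS:
        return ("tls", sent)      # a real client now wraps the socket in TLS
    return ("fail", sent)


FEATURES_REQUIRED = ("<stream:features xmlns:stream='%s'>"
                     "<starttls xmlns='%s'><required/></starttls>"
                     "</stream:features>" % (STREAM_NS, TLS_NS))  # constructed
PROCEED = "<proceed xmlns='%s'/>" % TLS_NS                         # constructed

if __name__ == "__main__":
    print(negotiate("myjabberserver.com", [FEATURES_REQUIRED, PROCEED], "require")[0])
```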

Thanks for the info about the SSL/TLS negotiation methods.

Pandion supports both the "Old SSL" method using both 5222 and 5223, and the new single-port method which uses port 5222 only.

The single-port method was working with Pandion correctly on Wildfire 3.1.1 (I had disabled the old port 5223 method on the server in the Security Settings). Unfortunately this same configuration appears broken in 3.2.

I wonder if any other clients (apart from Spark) are having the same problem, or whether it is Pandion-specific?

I'll try a couple and report back my results.

Message was edited by: stuartbain

I'm working without changing Pandion settings, only deleting the built-in certificates.

I have tried to connect with Pandion after deleting the certificates; it does not work.

What did you do exactly?

Did some quick testing with other Jabber clients using encrypted sessions with Wildfire 3.2:

Spark - OK

Exodus - OK

Coccinella - OK

Psi - OK (using the Legacy SSL connection method for Psi 0.10; OK for the newer single-port method using the latest dev version - thanks remko)

Pandion - Fails

Soapbox Communicator 2005 (rebranded Pandion client) - Fails

Message was edited by: stuartbain

stuartbain, what settings did you use to make Psi fail? I have just tried it with Psi 0.10, and had no problems connecting both with and without SSL. Beware, 0.10 still uses the legacy SSL connection, so your Wildfire server must listen for this on port 5223.

On a side note, the development version of Psi (which supports STARTTLS, the "single port" method) connects correctly as well. Maybe something is wrong with the bundled certificates?

Ah, that would explain why Psi failed for me. I had disabled the Legacy SSL method on the Wildfire server, so port 5223 would have been closed. After re-enabling the Legacy SSL method I was able to log in using the Psi client. I was also able to log in using the newer method with the latest development release of Psi.

Thanks for the explanation remko.

This appears to suggest that the problem is specific to Pandion based clients…

I have installed a clean WF 3.2 with the internal database and no LDAP integration - Pandion works fine with TLS and without encryption.

Then I set up LDAP integration with NormanR's SASL patch - now Pandion works only without TLS.

Something broken in the SASL patch?

Hey guys in this thread

Using Wildfire 3.2 (integrated database, self-signed certs) I have a weird problem with Pandion that I am stunned by.

Using Pandion WITH encryption (Require TLS) on the machine on which Wildfire is installed, I can connect. Connecting from another machine, I can connect, the lock is showing and hovering over it shows me TLS, BUT it shows me "still connecting…". No roster or contacts.

Has someone else seen this?

With 3.1.1 it worked just perfectly. In 3.2, deleting the old certs and creating new ones didn't help any further.

turbo

Pandion 2.5

Wildfire devs, could you log this as a bug in Jira, or comment/make suggestions on the potential cause/fix for the problem? I think we've probably gone as far as we can as users to identify the problem, so some dev input would be most welcome.

Thanks,

Stuart

Hi,

I have had this problem in my company since the migration from 3.11 to 3.2.0 (this morning).

The solution I used (because I can't change each Pandion from "Use TLS encryption if available" to "Require SSL") was to change, in Paramètres de Sécurité (Security Settings), Sécurité de la connexion Client (Client Connection Security), to Custom with TLS set to Not Available and Old SSL set to Available.

The result is that my clients now connect without encryption.

Do you have an idea on when we will have a solution?

Thx and good luck