This is not so much an error, other than that authentication is failing. Try authenticating with the same username/password using a regular XMPP client, and see if Openfire accepts that.
Yup, it seems pretty obviously a credential issue, but the same username and password works fine in Psi. Could it be a mismatch in the format of the hashed credential string? For instance, could phpBB be hashing local-part@domain-part:password, but Openfire is expecting the hash of a different format credential string?
The SASL DIGEST-MD5 mechanism is well defined. I can’t imagine that Openfire has this wrong, as it has been used by many clients of many different vendors for almost two decades. I am not familiar with phpBB’s implementation. Maybe something is off there?
I guess it could be a bug in phpBB, but I’d think I’d be seeing many more posts with similar issues cropping up in other implementation pairs. So far this particular issue seems to have a nexus with phpBB and Openfire.
Is clock synchronization required for DIGEST-MD5? The peer clocks are within 1 second but they are set in different TZ (one in UTC and other in PDT).
No joy. I found the place in the php code where the quotes are added and modified the code to pass the parameter as charset=utf-8 without quotes. Same result.
I can’t immediately spot a problem with that decoded test that phpBB sends. It looks close to what I get when logging in with Smack, forcing DIGEST-MD5.
You can try this code to see exactly what Smack does. Maybe that’ll give you an idea:
```java
import org.jivesoftware.smack.ConnectionConfiguration;
import org.jivesoftware.smack.SmackConfiguration;
import org.jivesoftware.smack.tcp.XMPPTCPConnection;
import org.jivesoftware.smack.tcp.XMPPTCPConnectionConfiguration;

import java.time.Duration;

public class DebugClient
{
    public static void main( String[] args ) throws Exception
    {
        // Make stanzas be printed to std-out.
        SmackConfiguration.DEBUG = true;

        final XMPPTCPConnectionConfiguration.Builder builder = XMPPTCPConnectionConfiguration.builder()
            .setXmppDomain("example.org")
            .setHost("host.example.org")
            .setUsernameAndPassword("username", "password")
            .addEnabledSaslMechanism("DIGEST-MD5")
            .setSecurityMode(ConnectionConfiguration.SecurityMode.disabled);

        final XMPPTCPConnection connection = new XMPPTCPConnection(builder.build());
        try
        {
            connection.connect();
            connection.login();
            Thread.sleep(Duration.ofSeconds(2).toMillis());
        }
        finally
        {
            connection.disconnect();
        }
    }
}
```
My confidence in the currency of this piece of the phpBB code has withered after further testing and code review yesterday. I did a code review of the module as well as pcap comparisons of the auth exchange between Psi and phpBB and see numerous differences in implementation.
I tried to test the integration against three other public XMPP server implementations and none would accept the auth exchange from phpBB. Two failed because they only support connections to port 5222 and require TLS, and the phpBB code does not support STARTTLS. The other accepted 5223 but negotiated PLAIN and the phpBB code failed even with plaintext-over-secure-channel.
I even rewrote the entire section of the phpBB code that generates the response token, following the pseudocode in the article you provided.
DIGEST-MD5 is obsolete…it is clear this integration hasn’t been updated in a long time. I doubt this feature of phpBB is in widespread use among the user base.
Guus, thanks very much for your help with this. Mike
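For anyone comparing captures the way this thread does, here is an added example (not code from any of the posts, phpBB, Openfire or Smack) that recomputes the DIGEST-MD5 `response=` value as RFC 2831 defines it for `qop=auth` without an authzid, and checks a captured value against two constructions that commonly go wrong. The `diagnose` helper, its labels and the `hex_inner` switch are hypothetical; the sample values are the ones from the RFC 2831 section 4 example.

```python
import hashlib

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def digest_md5_response(username, realm, password, nonce, cnonce, digest_uri,
                        nc="00000001", qop="auth", charset="utf-8",
                        server_side=False, hex_inner=False):
    """RFC 2831 section 2.1.2.1 response value (qop=auth, no authzid)."""
    # A1 starts with the RAW 16-byte MD5 of user:realm:password, not its hex text.
    inner = _md5(f"{username}:{realm}:{password}".encode(charset))
    if hex_inner:  # deliberately wrong construction, kept only for diagnosis
        inner = inner.hex().encode("ascii")
    a1 = inner + f":{nonce}:{cnonce}".encode(charset)
    # A2 is "AUTHENTICATE:<digest-uri>" for the client, ":<digest-uri>" for rspauth.
    # For XMPP the digest-uri is "xmpp/" followed by the server domain.
    a2 = ("" if server_side else "AUTHENTICATE") + ":" + digest_uri
    kd = ":".join([_md5(a1).hex(), nonce, nc, cnonce, qop,
                   _md5(a2.encode(charset)).hex()])
    return _md5(kd.encode(charset)).hex()

def diagnose(captured, domain, **p):
    """Return the label of the construction that reproduces a captured response."""
    full_jid = {**p, "username": f"{p['username']}@{domain}"}
    variants = {
        "correct": digest_md5_response(**p),
        "hex-encoded inner hash in A1": digest_md5_response(hex_inner=True, **p),
        "full JID used as username": digest_md5_response(**full_jid),
    }
    for label, value in variants.items():
        if value == captured.strip().lower():
            return label
    return "no match"

# Sample values from the RFC 2831 section 4 example exchange.
RFC_EXAMPLE = dict(username="chris", realm="elwood.innosoft.com",
                   password="secret", nonce="OA6MG9tEQGm2hh",
                   cnonce="OA6MHXh6VqTrRk",
                   digest_uri="imap/elwood.innosoft.com")

if __name__ == "__main__":
    print(digest_md5_response(**RFC_EXAMPLE))
    print(digest_md5_response(server_side=True, **RFC_EXAMPLE))
```

Feed it the nonce, cnonce, nc and digest-uri from the base64-decoded challenge and response in the capture, together with the known test password.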