With PATCH - SASL bug with 2.4.3 -- cannot login

Wildfire 2.4.3 doesn’t send a complete set of challenges and responses for SASL auth. I think there’s a bad assumption that there is only one set of challenge/response, and there can be several. The bug is in src/java/org/jivesoftware/wildfire/net/SASLAuthentication.java.

Here is an example of a bad XML dialog.

XMPP sent: ");

// We only support SASL for c2s

if (session instanceof ClientSession) {

((ClientSession) session).setAuthToken(new AuthToken(username));

Changed subject to include “With PATCH”

Message was edited by: andrewdied
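The point made in the post above, that a SASL exchange can take more than one challenge/response round, shown as an added example (not code from the thread, from the submitted patch, or from Wildfire). It uses the standard `javax.security.sasl` API with DIGEST-MD5 and loops on `isComplete()` instead of assuming a single round; the class name, the account `alice`, its password and the host `example.org` are constructed for the demo.

```java
import javax.security.auth.callback.*;
import javax.security.sasl.*;

public class SaslRounds {
    // Constructed test account; one handler serves both sides of the demo.
    static final CallbackHandler HANDLER = callbacks -> {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName("alice");
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword("constructed-pw".toCharArray());
            } else if (cb instanceof RealmCallback) {
                RealmCallback rc = (RealmCallback) cb;
                rc.setText(rc.getDefaultText());
            } else if (cb instanceof AuthorizeCallback) {
                AuthorizeCallback ac = (AuthorizeCallback) cb;
                ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    };

    public static void main(String[] args) throws SaslException {
        String host = "example.org"; // constructed server name
        SaslServer server = Sasl.createSaslServer("DIGEST-MD5", "xmpp", host, null, HANDLER);
        SaslClient client = Sasl.createSaslClient(
                new String[] {"DIGEST-MD5"}, null, "xmpp", host, null, HANDLER);

        byte[] fromClient = new byte[0]; // <auth/> carries no initial response
        int round = 0;
        // Keep exchanging until the mechanism itself reports completion.
        while (!server.isComplete()) {
            byte[] fromServer = server.evaluateResponse(fromClient);
            round++;
            System.out.printf("round %d: server sent %d bytes, complete=%b%n",
                    round, fromServer == null ? 0 : fromServer.length, server.isComplete());
            // The final server data (rspauth) must still reach the client.
            byte[] reply = fromServer == null ? null : client.evaluateChallenge(fromServer);
            fromClient = reply == null ? new byte[0] : reply;
        }
        System.out.println("client complete=" + client.isComplete()
                + ", authorized as " + server.getAuthorizationID());
    }
}
```

A server that reports success or failure after its first `evaluateResponse` call never reaches the second round that DIGEST-MD5 needs.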

Any comments on this? How do I get someone to take a look? It’ll be more pronounced when the development moves to the java 1.5 libraries, too.

This isn’t an answer but I would be very interested to know if your patch fixes the problems with Net::XMPP and Python client authentication. At the moment Net::XMPP is only useable with Wildfire if you hack the Perl code to always do old style authentication. The SASL authentication fails after the client sends a response. Could the bug you’ve patched cause this behavior?

Perhaps. I’ve heard gajim’s (python) sasl implementation isn’t very good, but I can login to wildfire with it. I haven’t tried perl sasl auth at all. Since the wildfire sasl isn’t correct, I could definitely see it breaking the perl sasl, though.

Hey Andrew,

Just to update this thread. I got your email with the patch and will try to apply it for the 2.5.0 version. Will get back to you when the bug fix has been applied.

Thanks,

– Gato

Hey Andrew,

The following issue JM-567 was created for this problem. The fix that you sent me was fine and it was included for the next release.

Thanks,

– Gato

This patch was applied to 2.5.0, and works.

I installed 2.5.0 last week to see if the patch Andrew submitted fixed the Perl Net::XMPP problem. It didn’t. I haven’t had time to investigate what the actual problem is since hacking Net::XMPP to always do old style auth works for us right now.

Hey Ward,

Unfortunately, the patch included in JM-567 is not related to the DIGEST-MD5 seen with Net::XMPP. I’m still not sure if the Java implementation of the DIGEST-MD5 SASL mechanism is incorrect or if Net::XMPP is sending an incorrect SASL authentication packet. Anyway, there is not much we can do from the Wildfire side so using another SASL mechanism or just using the old non-sasl authentication method is the way to go for now.

Regards,

– Gato