[jadmin] jabberd auth
Simeon Goranov
saiman at thefreeart.com
Sun Oct 7 03:41:59 CDT 2007
Hi all,
I have a really strange problem with jabberd client authentication. I
know that jabberd has two ports: 5222 and 5223. It should use 5222 with
TLS; 5223 is only for old clients with SSL support.
I'm using gajim for testing, with the following options: using SSL (old
clients) - yes, using non-standard port (myserver:5223),
and it does not connect to the server. In c2s.log I have this:
Sun Oct 7 11:24:10 2007 [notice] [8] bound: jid=sgoranov@myservername.com/Gajim
Sun Oct 7 11:24:10 2007 [notice] [8] requesting session: jid=sgoranov@myservername.com/Gajim
Sun Oct 7 11:24:10 2007 [notice] [8] [91.92.209.25, port=37893] disconnect jid=sgoranov@myservername.com/Gajim, packets: 5
Sun Oct 7 11:24:20 2007 [notice] [8] [91.92.209.25, port=37894] connect
Sun Oct 7 11:24:20 2007 [notice] [8] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=sgoranov@myservername.com, TLS negotiated
Sun Oct 7 11:24:20 2007 [notice] [8] bound: jid=sgoranov@myservername.com/Gajim
Sun Oct 7 11:24:20 2007 [notice] [8] requesting session: jid=sgoranov@myservername.com/Gajim
Sun Oct 7 11:24:20 2007 [notice] [8] [91.92.209.25, port=37894] disconnect jid=sgoranov@myservername.com/Gajim, packets: 5
Sun Oct 7 11:24:27 2007 [notice] [8] [91.92.209.25, port=37895] connect
Sun Oct 7 11:24:27 2007 [notice] [8] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=sgoranov@myservername.com, TLS negotiated
It's trying to use TLS instead of SSL - really strange?! Then I
changed the configuration in gajim: using SSL (old clients) - not checked,
using non-standard port - not checked. My idea is for gajim to connect to
the server via TLS on the standard port, 5222.
In c2s.log I have this:
Sun Oct 7 11:28:15 2007 [notice] [8] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=sgoranov@myservername.com
Sun Oct 7 11:28:15 2007 [notice] [8] bound: jid=sgoranov@myservername.com/Gajim
Sun Oct 7 11:28:15 2007 [notice] [8] requesting session: jid=sgoranov@myservername.com/Gajim
Sun Oct 7 11:28:15 2007 [notice] [8] [91.92.209.25, port=60083] disconnect jid=sgoranov@myservername.com/Gajim, packets: 5
In the gajim XML console, this:
.................
<?xml version='1.0'?>
<stream:stream xmlns="jabber:client" to="myservername.com" version="1.0"
    xmlns:stream="http://etherx.jabber.org/streams" >
<?xml version='1.0'?>
<stream:stream xmlns:stream='http://etherx.jabber.org/streams'
    xmlns='jabber:client' from='myservername.com' version='1.0'
    id='rdstrxoynrdynyowzzrjnwbvbjlf88tr6w94exvb'>
<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'/>
  <session xmlns='urn:ietf:params:xml:ns:xmpp-session'/>
</stream:features>
<iq type="set" id="105">
  <bind xmlns="urn:ietf:params:xml:ns:xmpp-bind">
    <resource>Gajim</resource>
  </bind>
</iq>
<iq xmlns='jabber:client' id='105' type='result'>
  <bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
    <jid>sgoranov@myservername.com/Gajim</jid>
  </bind>
</iq>
<iq type="set" id="106">
  <session xmlns="urn:ietf:params:xml:ns:xmpp-session" />
</iq>
<iq xmlns='jabber:client' id='106' type='result'/>
<iq type="get" id="107">
  <query xmlns="jabber:iq:privacy" />
</iq>
.................
.................
Then I went back to the previous configuration in gajim: using SSL (old
clients) - yes, using non-standard port (myserver:5223),
and restarted jabberd. The result: gajim connects right away,
without problems. A snip from my c2s.log:
Sun Oct 7 11:33:48 2007 [notice] connection to router established
Sun Oct 7 11:33:48 2007 [notice] [0.0.0.0, port=5222] listening for connections
Sun Oct 7 11:33:48 2007 [notice] [0.0.0.0, port=5223] listening for SSL connections
Sun Oct 7 11:33:48 2007 [notice] ready for connections
Sun Oct 7 11:33:52 2007 [notice] [8] [91.92.209.25, port=43720] connect
Sun Oct 7 11:33:52 2007 [notice] [8] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=sgoranov@myservername.com, TLS negotiated
Sun Oct 7 11:33:52 2007 [notice] [8] bound: jid=sgoranov@myservername.com/Gajim
Sun Oct 7 11:33:52 2007 [notice] [8] requesting session: jid=sgoranov@myservername.com/Gajim
It's a really strange problem; maybe it's in the client? I don't know
- any ideas or experience with something like that?
Greetings,
S.G.
P.S.
Here are the <local> and <mechanisms> sections from my c2s.xml:
------------
<!-- Local network configuration -->
<local>
  <id register-enable='true'>myservername.com</id>
  <!-- or
  <id realm='company'
      pemfile='/usr/local/etc/jabberd/server.pem'
      verify-mode='7'
      require-starttls='true'
      register-enable='true'
      instructions='Enter a username and password to register with
                    this server.'
      register-oob='http://example.org/register'
      password-change='true'
  >localhost</id> -->

  <!-- IP address to bind to (default: 0.0.0.0) -->
  <ip>0.0.0.0</ip>

  <!-- Port to bind to, or 0 to disable unencrypted access to the
       server (default: 5222) -->
  <port>5222</port>
  <require-starttls/>

  <!-- Older versions of jabberd support encrypted client connections
       via an additional listening socket on port 5223. If you want
       this (required to allow pre-STARTTLS clients to do SSL),
       uncomment this -->
  <ssl-port>5223</ssl-port>

  <!-- File containing an SSL certificate and private key for client
       connections. From SSL_CTX_use_certificate_chain_file(3):
       "The certificates must be in PEM format and must be sorted
       starting with the subject's certificate (actual client or server
       certificate), followed by intermediate CA certificates if
       applicable, and ending at the highest level (root) CA"
       (the latter one being optional).
       If this is commented out, clients will not be offered
       the STARTTLS stream extension -->
  <pemfile>/etc/ssl/private/jabber.pem</pemfile>

  <!-- SSL verify mode - see SSL_CTX_set_verify(3), mode parameter -->
  <!--
  <verify-mode>7</verify-mode>
  -->

  <!-- Forward incoming HTTP clients to a real HTTP server -->
  <httpforward>http://www.jabber.org/</httpforward>
</local>
------------
<!-- Available authentication mechanisms -->
<mechanisms>
  <!-- These are the traditional Jabber authentication mechanisms.
       Comment out any that you don't want to be offered to clients.
       Note that if the auth/reg module does not support one of
       these mechanisms, then it will not be offered regardless of
       whether or not it is enabled here. -->
  <traditional>
    <plain/>
    <digest/>
  </traditional>

  <!-- SASL authentication mechanisms. Comment out any that you
       don't want to be offered to clients. Again, if the auth/reg
       module does not support one of these mechanisms, then it will
       not be offered. -->
  <sasl>
    <!--
    <plain/>
    -->
    <digest-md5/>
    <!--
    <anonymous/>
    -->
  </sasl>
</mechanisms>

<!-- Additional mechanisms that are also available when the
     connection is encrypted. Ie. when START-TLS had been
     negotiated, or user connected on SSL-wrapped port. -->
<ssl-mechanisms>
  <!-- it's advisable that you disable plain in the above
       <mechanisms/> section -->
  <traditional>
    <plain/>
    <digest/>
  </traditional>
  <sasl>
    <digest-md5/>
    <plain/>
  </sasl>
</ssl-mechanisms>
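The security-relevant detail in the post is the second c2s.log excerpt: on port 5222 the "SASL authentication succeeded" line has no ", TLS negotiated" suffix, so the credential exchange ran over a clear-text stream even though the configuration carries <require-starttls/>. The following Python script is an added example, not part of the original post and not jabberd2's own tooling. It does two defender-side checks: it scans c2s.log lines in the format shown above and reports every SASL success that lacks the TLS marker, and it inspects a pre-authentication <stream:features/> element (what the Gajim XML console shows before login) to report whether STARTTLS is offered, whether it is marked <required/>, and which SASL mechanisms the server lists while the stream is still unencrypted. The sample log lines and features documents are constructed to match the formats on this page; the JIDs and host names are placeholders.

```python
"""Added example: audit jabberd2 c2s.log and XMPP stream features for
authentication that can happen before TLS. Not from the original post."""
import re
import xml.etree.ElementTree as ET

# One c2s.log SASL success line, in the format quoted in the post, e.g.
# "Sun Oct  7 11:28:15 2007 [notice] [8] SASL authentication succeeded:
#  mechanism=DIGEST-MD5; authzid=user@example.com, TLS negotiated"
SASL_OK = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[notice\] \[\d+\] "
    r"SASL authentication succeeded: mechanism=(?P<mech>[\w-]+); "
    r"authzid=(?P<authzid>\S+?)(?P<tls>, TLS negotiated)?\s*$"
)

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"


def parse_sasl_success(line):
    """Return a dict for a SASL success line, or None for any other line."""
    m = SASL_OK.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "mechanism": m["mech"],
        "authzid": m["authzid"],
        "tls": m["tls"] is not None,  # True only if ", TLS negotiated" present
    }


def audit_c2s_log(lines):
    """List (timestamp, authzid, mechanism) for every SASL success that was
    completed without TLS having been negotiated on the stream."""
    findings = []
    for line in lines:
        ev = parse_sasl_success(line.rstrip("\n"))
        if ev is not None and not ev["tls"]:
            findings.append((ev["ts"], ev["authzid"], ev["mechanism"]))
    return findings


def starttls_policy(features_xml):
    """Inspect a <stream:features/> element sent before authentication.

    offered:    the server advertises <starttls/> at all
    required:   <starttls/> carries <required/>, so clients must upgrade
    mechanisms: SASL mechanisms advertised on this (still clear-text) stream;
                an empty list means no clear-text login is possible."""
    root = ET.fromstring(features_xml)
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    mechs = [m.text for m in
             root.iterfind(f"{{{NS_SASL}}}mechanisms/{{{NS_SASL}}}mechanism")]
    return {
        "offered": starttls is not None,
        "required": starttls is not None
        and starttls.find(f"{{{NS_TLS}}}required") is not None,
        "mechanisms": mechs,
    }


# Constructed sample input modelled on the log excerpts in the post.
SAMPLE_LOG = [
    "Sun Oct  7 11:24:20 2007 [notice] [8] SASL authentication succeeded: "
    "mechanism=DIGEST-MD5; authzid=user@example.com, TLS negotiated",
    "Sun Oct  7 11:28:15 2007 [notice] [8] SASL authentication succeeded: "
    "mechanism=DIGEST-MD5; authzid=user@example.com",
    "Sun Oct  7 11:28:15 2007 [notice] [8] bound: jid=user@example.com/Gajim",
]

# Constructed stream features: first the policy an admin wants, then one that
# lets a client authenticate in the clear.
FEATURES_REQUIRED = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>"
    "</stream:features>"
)
FEATURES_OPTIONAL = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism>"
    "</mechanisms></stream:features>"
)

if __name__ == "__main__":
    for ts, who, mech in audit_c2s_log(SAMPLE_LOG):
        print(f"{ts}: {who} authenticated with {mech} WITHOUT TLS")
    for label, doc in (("required", FEATURES_REQUIRED),
                       ("optional", FEATURES_OPTIONAL)):
        print(label, starttls_policy(doc))
```

Run it against a real c2s.log with `audit_c2s_log(open("/path/to/c2s.log"))`; any hit means a client completed DIGEST-MD5 (or, if enabled in <mechanisms>, PLAIN) on the 5222 listener without upgrading to TLS, which is the condition the log on this page shows. The 5223 listener never produces a hit because the SSL-wrapped stream is logged as "TLS negotiated".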