[jadmin] jabberd auth

Simeon Goranov saiman at thefreeart.com
Fri Oct 19 06:59:29 CDT 2007


Hi again,
I watched jabberd for a few days and determined that every morning, when I 
come to work, I can't log in until I restart the server.
Here is the c2s.log file when I try to log in:

-------------------------------------------
c2s.log
-------------------------------------------
Thu Oct 18 11:13:10 2007 [notice] [7] [87.121.18.230, port=47943] connect
Thu Oct 18 11:13:10 2007 [notice] [7] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=sgoranov at myservername.com, TLS negotiated
Thu Oct 18 11:13:10 2007 [notice] [7] bound: jid=sgoranov at myservername.com/Gajim
Thu Oct 18 11:17:31 2007 [notice] [7] [87.121.18.230, port=47943] disconnect jid=sgoranov at myservername.com/Gajim, packets: 159
Fri Oct 19 14:12:30 2007 [notice] [7] [87.121.18.230, port=47047] connect
Fri Oct 19 14:12:31 2007 [notice] [7] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=sgoranov at myservername.com, TLS negotiated
Fri Oct 19 14:12:31 2007 [notice] [7] bound: jid=sgoranov at myservername.com/Gajim
Fri Oct 19 14:12:47 2007 [notice] [7] [87.121.18.230, port=47047] disconnect jid=sgoranov at myservername.com/Gajim, packets: 8
Fri Oct 19 14:12:56 2007 [notice] [7] [87.121.18.230, port=47049] connect
Fri Oct 19 14:12:57 2007 [notice] [7] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=sgoranov at myservername.com, TLS negotiated
-------------------------------------------

After a restart everything is fine, and I can log in, log out and log in 
again without problems until the next morning.
I compiled jabberd with debug symbols, and here is the part of 
debug.log from when the login is unsuccessful:

-------------------------------------------
debug.log
-------------------------------------------
S2S : Fri Oct 19 14:13:27 2007 main.c:293 checking pending verify requests for outgoing conn 213.91.165.229/5269
ROUT: sx (io.c:381) queueing for write: <route xmlns='http://jabberd.jabberstudio.org/ns/component/1.0' to='c2s' from='isoftplus.com'><iq xmlns='jabber:client' type='get' to='c2s' from='myservername.com' id='ekdekzs7'><query xmlns='http://jabber.org/protocol/disco#info'/></iq></route>
S2S : Fri Oct 19 14:13:27 2007 main.c:291 checking dialback state for outgoing conn 88.198.198.218/5269
ROUT: sx (io.c:404) tag 7 event 1 data 0x0
S2S : Fri Oct 19 14:13:27 2007 main.c:293 checking pending verify requests for outgoing conn 88.198.198.218/5269
ROUT: Fri Oct 19 14:13:17 2007 router.c:521 want write
S2S : Fri Oct 19 14:13:27 2007 main.c:308 checking dialback state for incoming conn 1yatgce3blyzittkrx9qigiztdpdlbnxvax6imhe
ROUT: Fri Oct 19 14:13:17 2007 router.c:872 write action on fd 7
S2S : Fri Oct 19 14:13:27 2007 main.c:308 checking dialback state for incoming conn x7po2igp3y1h5o6xld2ne17pfwlcse4iy7zqu3l5
ROUT: sx (io.c:303) 7 ready for writing
S2S : Fri Oct 19 14:13:27 2007 main.c:308 checking dialback state for incoming conn 99ast19yozqzxdx0oyog8x2x38tbdmo3jdp2tnum
ROUT: sx (io.c:261) encoding 242 bytes for writing: <route xmlns='http://jabberd.jabberstudio.org/ns/component/1.0' to='c2s' from='myservername.com'><iq xmlns='jabber:client' type='get' to='c2s' from='myservername.com' id='ekdekzs7'><query xmlns='http://jabber.org/protocol/disco#info'/></iq></route>
S2S : sx (error.c:79) prepared error: <stream:error xmlns:stream='http://etherx.jabber.org/streams'><connection-timeout xmlns='urn:ietf:params:xml:ns:xmpp-streams'/><text xmlns='urn:ietf:params:xml:ns:xmpp-streams'>no dialback initiated</text></stream:error>
ROUT: sx (chain.c:79) calling io write chain
S2S : sx (error.c:94) tag 11 event 1 data 0x0
ROUT: sx (ssl.c:268) in _sx_ssl_wio
S2S : Fri Oct 19 14:13:27 2007 in.c:165 want write
ROUT: sx (ssl.c:272) queueing buffer for write
S2S : Fri Oct 19 14:13:27 2007 in.c:83 write action on fd 11
ROUT: sx (ssl.c:288) preparing queued buffer for write
S2S : sx (io.c:303) 11 ready for writing
ROUT: sx (ssl.c:350) prepared 314 ssl bytes for write
S2S : sx (io.c:261) encoding 220 bytes for writing: <stream:error xmlns:stream='http://etherx.jabber.org/streams'><connection-timeout xmlns='urn:ietf:params:xml:ns:xmpp-streams'/><text xmlns='urn:ietf:params:xml:ns:xmpp-streams'>no dialback initiated</text></stream:error>
ROUT: sx (io.c:324) handing app 314 bytes to write


Maybe the problem is in main.c:308 on S2S? Any ideas or suggestions 
will be helpful.
Thanks in advance!



Simeon Goranov wrote:
> Hi all,
> I have a really strange problem with jabberd client authentication. I 
> know that jabberd has two ports,
> 5222 and 5223, and it should use 5222 with TLS; 5223 is only for old 
> clients with SSL support.
> I'm using Gajim for testing, with the following options: using SSL (old clients) 
> - yes, using non-standard port (myserver:5223),
> and it does not connect to the server. In c2s.log I have this:
>
> Sun Oct  7 11:24:10 2007 [notice] [8] bound: jid=sgoranov at myservername.com/Gajim
> Sun Oct  7 11:24:10 2007 [notice] [8] requesting session: jid=sgoranov at myservername.com/Gajim
> Sun Oct  7 11:24:10 2007 [notice] [8] [91.92.209.25, port=37893] disconnect jid=sgoranov at myservername.com/Gajim, packets: 5
> Sun Oct  7 11:24:20 2007 [notice] [8] [91.92.209.25, port=37894] connect
> Sun Oct  7 11:24:20 2007 [notice] [8] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=sgoranov at myservername.com, TLS negotiated
> Sun Oct  7 11:24:20 2007 [notice] [8] bound: jid=sgoranov at myservername.com/Gajim
> Sun Oct  7 11:24:20 2007 [notice] [8] requesting session: jid=sgoranov at myservername.com/Gajim
> Sun Oct  7 11:24:20 2007 [notice] [8] [91.92.209.25, port=37894] disconnect jid=sgoranov at myservername.com/Gajim, packets: 5
> Sun Oct  7 11:24:27 2007 [notice] [8] [91.92.209.25, port=37895] connect
> Sun Oct  7 11:24:27 2007 [notice] [8] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=sgoranov at myservername.com, TLS negotiated
>
> It's trying to use TLS instead of SSL - really strange! Then I 
> changed the configuration in Gajim: using SSL (old clients) - not checked,
> using non-standard port - not checked. My idea is for Gajim to connect to 
> the server via TLS on the standard port, 5222.
> In c2s.log I have this:
>
> Sun Oct  7 11:28:15 2007 [notice] [8] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=sgoranov at myservername.com
> Sun Oct  7 11:28:15 2007 [notice] [8] bound: jid=sgoranov at myservername.com/Gajim
> Sun Oct  7 11:28:15 2007 [notice] [8] requesting session: jid=sgoranov at myservername.com/Gajim
> Sun Oct  7 11:28:15 2007 [notice] [8] [91.92.209.25, port=60083] disconnect jid=sgoranov at myservername.com/Gajim, packets: 5
>  
> In the Gajim XML console I have this:
>
> .................
>
> <?xml version='1.0'?>
> <stream:stream xmlns="jabber:client" to="myservername.com" version="1.0" 
> xmlns:stream="http://etherx.jabber.org/streams" >
>
> <?xml version='1.0'?>
> <stream:stream xmlns:stream='http://etherx.jabber.org/streams' 
> xmlns='jabber:client' from='myservername.com' version='1.0' 
> id='rdstrxoynrdynyowzzrjnwbvbjlf88tr6w94exvb'>
>
> <stream:features xmlns:stream='http://etherx.jabber.org/streams'>
> <bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'/>
> <session xmlns='urn:ietf:params:xml:ns:xmpp-session'/>
> </stream:features>
>
> <iq type="set" id="105">
> <bind xmlns="urn:ietf:params:xml:ns:xmpp-bind">
> <resource>Gajim</resource>
> </bind>
> </iq>
>
> <iq xmlns='jabber:client' id='105' type='result'>
> <bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'>
> <jid>sgoranov at myservername.com/Gajim</jid>
> </bind>
> </iq>
>
> <iq type="set" id="106">
> <session xmlns="urn:ietf:params:xml:ns:xmpp-session" />
> </iq>
>
> <iq xmlns='jabber:client' id='106' type='result'/>
>
> <iq type="get" id="107">
> <query xmlns="jabber:iq:privacy" />
> </iq>
>
> .................
>
> Then I restored the previous configuration in Gajim: using SSL (old 
> clients) - yes, using non-standard port (myserver:5223),
> and restarted jabberd. The result: Gajim now connects 
> without problems. Snippet from my c2s.log:
>
> Sun Oct  7 11:33:48 2007 [notice] connection to router established
> Sun Oct  7 11:33:48 2007 [notice] [0.0.0.0, port=5222] listening for connections
> Sun Oct  7 11:33:48 2007 [notice] [0.0.0.0, port=5223] listening for SSL connections
> Sun Oct  7 11:33:48 2007 [notice] ready for connections
> Sun Oct  7 11:33:52 2007 [notice] [8] [91.92.209.25, port=43720] connect
> Sun Oct  7 11:33:52 2007 [notice] [8] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=sgoranov at myservername.com, TLS negotiated
> Sun Oct  7 11:33:52 2007 [notice] [8] bound: jid=sgoranov at myservername.com/Gajim
> Sun Oct  7 11:33:52 2007 [notice] [8] requesting session: jid=sgoranov at myservername.com/Gajim
>
> It's a really strange problem; maybe it's in the client? I don't know 
> - any ideas or experience with something like that?
> Greetings,
> S.G.
>
> P.S.
> Here are the <local> and <mechanisms> sections from my c2s.xml:
>
> ------------
>   <!-- Local network configuration -->
>   <local>
>
>     <id register-enable='true'>myservername.com</id>
>     <!-- or
>     <id realm='company'
>         pemfile='/usr/local/etc/jabberd/server.pem'
>         verify-mode='7'
>         require-starttls='true'
>         register-enable='true'
>         instructions='Enter a username and password to register with this server.'
>         register-oob='http://example.org/register'
>         password-change='true'
>     >localhost</id> -->
>
>     <!-- IP address to bind to (default: 0.0.0.0) -->
>     <ip>0.0.0.0</ip>
>
>     <!-- Port to bind to, or 0 to disable unencrypted access to the
>          server (default: 5222) -->
>     <port>5222</port>
>
>     <require-starttls/>
>
>     <!-- Older versions of jabberd support encrypted client connections
>          via an additional listening socket on port 5223. If you want
>          this (required to allow pre-STARTTLS clients to do SSL),
>          uncomment this -->
>     <ssl-port>5223</ssl-port>
>
>     <!-- File containing an SSL certificate and private key for client
>          connections. From SSL_CTX_use_certificate_chain_file(3):
>          "The certificates must be in PEM format and must be sorted
>          starting with the subject's certificate (actual client or server
>          certificate), followed by intermediate CA certificates if
>          applicable, and ending at the highest level (root) CA"
>          (the latter one being optional).
>          If this is commented out, clients will not be offered
>          the STARTTLS stream extension -->
>     <pemfile>/etc/ssl/private/jabber.pem</pemfile>
>
>
>     <!-- SSL verify mode - see SSL_CTX_set_verify(3), mode parameter -->
>     <!--
>     <verify-mode>7</verify-mode>
>     -->
>
>     <!-- Forward incoming HTTP clients to a real HTTP server -->
>     <httpforward>http://www.jabber.org/</httpforward>
>   </local>
> ------------
>
>     <!-- Available authentication mechanisms -->
>     <mechanisms>
>
>       <!-- These are the traditional Jabber authentication mechanisms.
>            Comment out any that you don't want to be offered to clients.
>            Note that if the auth/reg module does not support one of
>            these mechanisms, then it will not be offered regardless of
>            whether or not it is enabled here. -->
>       <traditional>
>         <plain/>
>         <digest/>
>       </traditional>
>
>       <!-- SASL authentication mechanisms. Comment out any that you
>            don't want to be offered to clients. Again, if the auth/reg
>            module does not support one of these mechanisms, then it will
>            not be offered. -->
>       <sasl>
>         <!--
>         <plain/>
>         -->
>
>         <digest-md5/>
>
>         <!--
>         <anonymous/>
>         -->
>       </sasl>
>
>     </mechanisms>
>
>
>     <!-- Additional mechanisms that are also available when the
>          connection is encrypted. Ie. when START-TLS had been
>          negotiated, or user connected on SSL-wrapped port. -->
>     <ssl-mechanisms>
>
>       <!-- it's advisable that you disable plain in the above
>            <mechanisms/> section -->
>       <traditional>
>         <plain/>
>         <digest/>
>       </traditional>
>
>       <sasl>
>         <digest-md5/>
>         <plain/>
>       </sasl>
>
>     </ssl-mechanisms>
>
>   
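
The failing pattern in the c2s.log excerpts above (a connection that logs SASL success and then nothing more) can be pulled out of a log mechanically. The following is an added example, not part of the original post and not jabberd code: it rejoins wrapped records, groups events by the bracketed connection tag, and lists connections that authenticated but never logged a bound line. The sample log is constructed, using a documentation address and JID.

```python
import re

TS = r"[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}"
REC = re.compile("^(" + TS + r") \[\w+\] \[(\d+)\] (.*)$")  # time, tag, message
EVENT = re.compile(
    r"\[[^\]]+\]\s*(?P<io>connect|disconnect)\b|(?P<auth>SASL authentication succeeded)"
    r"|(?P<bound>bound:)|(?P<session>requesting session:)")

# Constructed sample in the c2s.log format above, wrapped as the archive wraps it.
SAMPLE = """\
Fri Oct 19 14:12:30 2007 [notice] [7] [192.0.2.10, port=47047] connect
Fri Oct 19 14:12:31 2007 [notice] [7] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=user@example.com, TL
S negotiated
Fri Oct 19 14:12:31 2007 [notice] [7] bound: jid=user@example.com/Gajim
Fri Oct 19 14:12:47 2007 [notice] [7] [192.0.2.10, port=47047]
disconnect jid=user@example.com/Gajim, packets: 8
Fri Oct 19 14:12:56 2007 [notice] [7] [192.0.2.10, port=47049] connect
Fri Oct 19 14:12:57 2007 [notice] [7] SASL authentication succeeded: mechanism=DIGEST-MD5; authzid=user@example.com, TLS negotiated
"""

def unwrap(text):
    """Rejoin wrapped records; nothing is inserted at the join because column wraps cut tokens."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        if re.match(TS, line) or not records:
            records.append(line)
        else:
            records[-1] += line
    return records

def sessions(text):
    """One dict per connection; the bracketed tag is reused, so a connect opens a new one."""
    live, out = {}, []
    for rec in unwrap(text):
        r = REC.match(rec)
        ev = r and EVENT.match(r.group(3))
        if not ev:
            continue  # untagged records (listener start-up and similar)
        fd, stage = r.group(2), ev.group("io") or ev.lastgroup
        if stage == "connect" or fd not in live:
            live[fd] = {"tag": fd, "start": r.group(1), "stages": []}
            out.append(live[fd])
        live[fd]["stages"].append(stage)
        if stage == "disconnect":
            del live[fd]
    return out

def stalled(text):
    """Connections that logged SASL success but never a 'bound' record."""
    return [s for s in sessions(text) if "auth" in s["stages"] and "bound" not in s["stages"]]
```

Calling `stalled()` on a whole c2s.log gives the start time of each such connection, which can then be lined up against the timestamps in debug.log.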


