[jdev] sasl plain again

Adrian Adrian flashbk2003 at yahoo.com
Mon Apr 17 08:09:00 CDT 2006


Hey,

I used a packet sniffer as you suggested and sadly I was able to see all packets, including the ones that came after the server said "proceed".
I then used a commercial IM client and tried to sniff, and this one worked as expected. Everything after "proceed" was encrypted.

I don't get it. I wonder if this could be a platform issue (my application is based on Flash Player 8, so that's the ActionScript virtual machine) or if I misunderstood the TLS / PLAIN authentication in the first place.

Here's my full communication:
  
Client:
<?xml version="1.0"?><flash:stream to="myserver" xmlns="jabber:client" xmlns:flash="http://www.jabber.com/streams/flash" version="1.0">

Server:
<?xml version='1.0' encoding='UTF-8'?><flash:stream xmlns:flash="http://www.jabber.com/streams/flash" xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="myserver" id="77241f23" xml:lang="en" version="1.0"><stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>CRAM-MD5</mechanism><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism></mechanisms><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>

Client:
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>

Server:
<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>

Client:
<?xml version="1.0"?><flash:stream to="myserver" xmlns="jabber:client" xmlns:flash="http://www.jabber.com/streams/flash" version="1.0">

Server:
<?xml version='1.0' encoding='UTF-8'?><flash:stream xmlns:flash="http://www.jabber.com/streams/flash" xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="myserver" id="77241f23" xml:lang="en" version="1.0"><stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>CRAM-MD5</mechanism><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism></mechanisms><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>

Client:
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>[Base64 stuff]</auth>

Server:
<success xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>

Client:
<?xml version="1.0"?><flash:stream to="myserver" xmlns="jabber:client" xmlns:flash="http://www.jabber.com/streams/flash" version="1.0">

Server:
<?xml version='1.0' encoding='UTF-8'?><flash:stream xmlns:flash="http://www.jabber.com/streams/flash" xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="myserver" id="d1eecb8b" xml:lang="en" version="1.0"><stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>CRAM-MD5</mechanism><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism></mechanisms><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>

Client:
<iq id="log_user_1" type="get"><query xmlns="jabber:iq:auth"><username>userName</username></query></iq>

Server:
<iq type="result" id="log_user_1"><query xmlns="jabber:iq:auth"><username>userName</username><password/><digest/><resource/></query></iq>
  
etc., etc.

What am I doing wrong?

Many thanks,
Adrian.
  
  
Norman Rasmussen <norman at rasmussen.co.za> wrote:
If you're enabling TLS then it's as secure as any https connection
(excepting the fact that certs are not checked correctly, etc).

If you're worried, try running tcpdump (or any other packet sniffer),
and check out the data that flows back and forth.  You _should_ see
the initial xml stream, and the starttls request, but after that
everything should look encrypted.

--
- Norman Rasmussen
 - Email: norman at rasmussen.co.za
 - Home page: http://norman.rasmussen.co.za/
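The trace above shows the client answering the server's `<proceed/>` with a fresh plaintext `<?xml ...><flash:stream ...>` header instead of a TLS ClientHello, so SASL PLAIN then goes over the wire in the clear. The following Python script is an added example (not code from this thread, its authors, or any XMPP library) of the kind of check Norman describes doing by eye with tcpdump: it walks a captured exchange and flags any readable XML after `<proceed/>` and any PLAIN `<auth>` that is visible unencrypted. The record format (a list of `(direction, bytes)` pairs), the sample traces, the hostname `example.test`, and the TLS-record and "starts with `<`" heuristics are all constructed assumptions for the demo.

```python
import re
from dataclasses import dataclass

# The two XMPP elements this check cares about (namespaces from RFC 3920 / the post).
PROCEED_RE = re.compile(rb"<proceed\s+xmlns=['\"]urn:ietf:params:xml:ns:xmpp-tls['\"]\s*/>")
PLAIN_AUTH_RE = re.compile(rb"<auth\b[^>]*\bmechanism=['\"]PLAIN['\"]")


@dataclass
class Finding:
    index: int       # position of the offending record in the capture
    direction: str   # "client" or "server"
    message: str


def looks_like_tls_record(data: bytes) -> bool:
    """A TLS handshake record starts with content type 0x16 and major version 0x03."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03


def looks_like_plaintext_xml(data: bytes) -> bool:
    """Heuristic: readable XMPP traffic starts with '<'; TLS records never do."""
    return data.lstrip().startswith(b"<")


def tls_established(records) -> bool:
    """True if the first client bytes after the server's <proceed/> are a TLS record."""
    proceed_seen = False
    for direction, data in records:
        if direction == "server" and PROCEED_RE.search(data):
            proceed_seen = True
            continue
        if proceed_seen and direction == "client":
            return looks_like_tls_record(data)
    return False


def audit_starttls(records):
    """Flag plaintext continuation after <proceed/> and PLAIN credentials sent unencrypted."""
    findings = []
    proceed_seen = False
    for i, (direction, data) in enumerate(records):
        if direction == "server" and PROCEED_RE.search(data):
            proceed_seen = True
            continue
        if proceed_seen and looks_like_plaintext_xml(data):
            findings.append(Finding(i, direction,
                "plaintext XML after <proceed/>: the client never started the TLS handshake"))
        if looks_like_plaintext_xml(data) and PLAIN_AUTH_RE.search(data):
            findings.append(Finding(i, direction,
                "SASL PLAIN credentials on the wire unencrypted (base64 is encoding, not encryption)"))
    return findings


# Constructed sample captures, shaped like the exchange in the post (hostname is made up).
STREAM_OPEN = (b'<?xml version="1.0"?><stream:stream to="example.test" xmlns="jabber:client" '
               b'xmlns:stream="http://etherx.jabber.org/streams" version="1.0">')
FEATURES = (b'<?xml version="1.0"?><stream:stream from="example.test" id="c0ffee" xmlns="jabber:client" '
            b'xmlns:stream="http://etherx.jabber.org/streams" version="1.0"><stream:features>'
            b'<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>'
            b'<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism></mechanisms>'
            b'</stream:features>')
NEGOTIATION = [
    ("client", STREAM_OPEN),
    ("server", FEATURES),
    ("client", b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"),
    ("server", b'<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>'),
]

# Broken client (the pattern in the post): a fresh plaintext stream header after <proceed/>.
BROKEN_TRACE = NEGOTIATION + [
    ("client", STREAM_OPEN),
    ("server", FEATURES),
    ("client", b"<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>[base64 credentials]</auth>"),
    ("server", b'<success xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>'),
]

# Correct client: the next bytes are a TLS ClientHello record, then only TLS records follow.
GOOD_TRACE = NEGOTIATION + [
    ("client", b"\x16\x03\x01\x00\x2c\x01\x00\x00\x28\x03\x03" + bytes(32)),  # ClientHello (truncated)
    ("server", b"\x16\x03\x03\x00\x2a\x02\x00\x00\x26\x03\x03" + bytes(32)),  # ServerHello (truncated)
    ("client", b"\x17\x03\x03\x00\x10" + bytes.fromhex("9f3be1c7a0d4ff0213bb6e5a8c71d402")),  # app data
]

if __name__ == "__main__":
    for name, trace in (("broken", BROKEN_TRACE), ("good", GOOD_TRACE)):
        print(f"{name}: tls_established={tls_established(trace)}")
        for f in audit_starttls(trace):
            print(f"  record {f.index} ({f.direction}): {f.message}")
```

Run against the broken trace it reports the plaintext stream header, the server's plaintext features, the unencrypted PLAIN `<auth>`, and the `<success/>`, and `tls_established()` is false; against the good trace it reports nothing, because everything after `<proceed/>` is a TLS record. In a real capture the same logic would be fed the TCP payloads in order; the "starts with `<`" test is a heuristic, so treat a single hit as a prompt to look at the bytes, not as proof.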

