[jdev] Seeking jabber implementers for SCRAM-SHA-1 testing

Simon Josefsson simon at josefsson.org
Tue Nov 3 09:58:34 CST 2009

Dave Cridland <dave at cridland.net> writes:

>> > So in the short term, I can spin that up against whatever concrete
>> > server you have that'll use SCRAM-SHA-1, I think. I believe it'll
>> do
>> > at least some forms of channel binding, too.
>> I have a public IMAP test server up and running with SCRAM-SHA-1
>> support.  No channel binding support yet.  Host
>> nubb.josefsson.org',
>> username 'user' and password 'pencil'.   See:
> Excellent, I'll point my client at that and see what happens.

gnu-imap4d[28183]: recv: AUTH AUTHENTICATE SCRAM-SHA-1 
gnu-imap4d[28183]: sent: +  
gnu-imap4d[28183]: recv: biwsbj11c2VyLHI9Mzc5NTQyMjI2OTE2 
gnu-imap4d[28183]: sent: + cj0zNzk1NDIyMjY5MTZ0K3dlNWpjQmVPUHBaVEo4OU0scz1SRHNLRnhLalNpYTlDYkVPLGk9NDA5Ng== 
gnu-imap4d[28183]: recv: cj0zNzk1NDIyMjY5MTZ0K3dlNWpjQmVPUHBaVEo4OU0sYz1iZz09LHA9L0tQQ0hSa3BxdDBEK2NiTXA5Q3dzbXBDZXMwPQ== 
gnu-imap4d[28183]: GSASL error: SASL mechanism could not parse input
gnu-imap4d[28183]: sent: AUTH NO AUTHENTICATE SCRAM-SHA-1 authentication failed 

As far as I can tell, your client-final message is broken.  B64-decoded
your message was:


However the spec says that c value needs to be first:

   channel-binding = "c=" base64
                     ;; base64 encoding of cbind-input

   client-final-message-without-proof =
                     channel-binding "," nonce [","

   client-final-message =
                     client-final-message-without-proof "," proof

So hopefully it is Just A Small Matter of, err, reordering the fields
and things will work.  Hopefully.


More information about the JDev mailing list