ChatSecure for Android can't connect to self-hosted ejabberd/XMPP server

tomgagdotnet commented 8 years ago

(sorry if the description is imprecise, it's the first time I use GitHub)

I'm running ChatSecure for Android (info.guardianproject.otr.app.im version 14.2.3) and I cannot connect to my self-hosted XMPP server: when I add the account, the side panel shows "Connecting..." but nothing happens and I cannot chat/add buddies.

My phone is a Samsung Galaxy SII (GT-i9100G) running CyanogenMod 10.2-201309-11-NIGHTLY-i9100G (Android 4.3)

My XMPP server is ejabberd 14.07 on Debian Jessie with a certificate issued by Let's Encrypt, and it works well with other clients (e.g. Pidgin) but it has a somewhat strict security policy, so maybe I'm enforcing cipher suites that ChatSecure does not support? Here are some relevant lines extracted from my ejabberd.yml configuration file, follows the full ejabberd.yml file (with minor edits) and some log lines.

Thanks for any help :)

port: 5222 module: ejabberd_c2s protocol_options:

"no_sslv3"
"no_tlsv1"
"cipher_server_preference"

starttls_required: true

access: c2s

ciphers: "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"

port: 5269 module: ejabberd_s2s_in s2s_use_starttls: required s2s_protocol_options:

"no_sslv3"
"no_tlsv1"
"cipher_server_preference"

s2s_ciphers: "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"

auth_method: internal

Here is the complete ejabberd.yml file:

ejabberd configuration file ### ###

The parameters used in this configuration file are explained in more detail
in the ejabberd Installation and Operation Guide.
Please consult the Guide in case of doubts, it is included with
your copy of ejabberd, and is also available online at
http://www.process-one.net/en/ejabberd/docs/

The configuration file is written in YAML.
Refer to http://en.wikipedia.org/wiki/YAML for the brief description.
However, ejabberd treats different literals as different types: ###
- unquoted or single-quoted strings. They are called "atoms".
Example: dog, 'Jupiter', '3.14159', YELLOW ###
- numeric literals. Example: 3, -45.0, .0 ###
- quoted or folded strings.
Examples of quoted string: "Lizzard", "orange".
Example of folded string:
> Art thou not Romeo,
and a Montague?

=======
LOGGING

loglevel: Verbosity of log files generated by ejabberd.
0: No ejabberd log at all (not recommended)
1: Critical
2: Error
3: Warning
4: Info
5: Debug ##
loglevel: 4

rotation: Disable ejabberd's internal log rotation, as the Debian package
uses logrotate(8).
log_rotate_size: 0
log_rotate_date: ""

overload protection: If you want to limit the number of messages per second
allowed from error_logger, which is a good idea if you want to avoid a flood
of messages when system is overloaded, you can set a limit.
100 is ejabberd's default.
log_rate_limit: 100

watchdog_admins: Only useful for developers: if an ejabberd process
consumes a lot of memory, send live notifications to these XMPP
accounts. ##
watchdog_admins:
- "bob@example.com"

================
SERVED HOSTNAMES

hosts: Domains served by ejabberd.
You can define one or several, for example:
hosts:
- "example.net"
- "example.com"
- "example.org" ##
hosts:
- "myhost.com"

route_subdomains: Delegate subdomains to other XMPP servers.
For example, if this ejabberd serves example.org and you want
to allow communication with an XMPP server called im.example.org. ##
route_subdomains: s2s

===============
LISTENING PORTS

listen: The ports ejabberd will listen on, which service each is handled
by and what options to start it with. ##
listen:
-
port: 5222
##ip: "::"
ip: "0.0.0.0"
module: ejabberd_c2s ## ## If TLS is compiled in and you installed a SSL ## certificate, specify the full path to the ## file and uncomment this line: ##
certfile: "/etc/ejabberd/ssl/ejabberd.pem" ## starttls: true ## ## Custom OpenSSL options ##
protocol_options:
- "no_sslv3"
- "no_tlsv1"
- "cipher_server_preference"
starttls_required: true
max_stanza_size: 65536
shaper: c2s_shaper
access: c2s
ciphers: "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
-
port: 5269
##ip: "::"
ip: "0.0.0.0"
module: ejabberd_s2s_in ## ## ejabberd_service: Interact with external components (transports, ...) ## ## - ## port: 8888 ## module: ejabberd_service ## access: all ## shaper_rule: fast ## ip: "127.0.0.1" ## hosts: ## "icq.example.org": ## password: "secret" ## "sms.example.org": ## password: "secret" ##
    ejabberd_stun: Handles STUN Binding requests ##
    -
    port: 3478
    transport: udp
    module: ejabberd_stun
##
    To handle XML-RPC requests that provide admin credentials: ##
    -
    port: 4560
    module: ejabberd_xmlrpc

-
port: 5280
ip: "::"
module: ejabberd_http
## request_handlers:
## "/pub/archive": mod_http_fileserver
web_admin: true
http_poll: true
http_bind: true
## register: true
captcha: true

s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.
Allowed values are: false optional required required_trusted
You must specify a certificate file. ##
s2s_use_starttls: required

s2s_certfile: Specify a certificate file. ##
s2s_certfile: "/etc/ejabberd/ssl/ejabberd.pem"

Custom OpenSSL options ##
s2s_protocol_options:
- "no_sslv3"
- "no_tlsv1"
- "cipher_server_preference"
s2s_ciphers: "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"

domain_certfile: Specify a different certificate for each served hostname. ##
host_config:
"example.org":
domain_certfile: "/path/to/example_org.pem"
"example.com":
domain_certfile: "/path/to/example_com.pem"

S2S whitelist or blacklist ##
Default s2s policy for undefined hosts. ##
s2s_access: s2s

Outgoing S2S options ##
Preferred address families (which to try first) and connect timeout
in milliseconds. ##
outgoing_s2s_families:
- ipv4
- ipv6
outgoing_s2s_timeout: 10000

==============
AUTHENTICATION

auth_method: Method used to authenticate the users.
The default method is the internal.
If you want to use a different method,
comment this line and enable the correct ones. ##
auth_method: internal

Store the plain passwords or hashed for SCRAM:
auth_password_format: plain
auth_password_format: scram ##
Define the FQDN if ejabberd doesn't detect it:
fqdn: "jabber.myhost.com"

Authentication using external script
Make sure the script is executable by ejabberd. ##
auth_method: external
extauth_program: "/path/to/authentication/script"

Authentication using ODBC
Remember to setup a database in the next section. ##
auth_method: odbc

Authentication using PAM ##
auth_method: pam
pam_service: "pamservicename"

Authentication using LDAP ##
auth_method: ldap ##
List of LDAP servers:
ldap_servers:
- "localhost" ##
Encryption of connection to LDAP servers:
ldap_encrypt: none
ldap_encrypt: tls ##
Port to connect to on LDAP servers:
ldap_port: 389
ldap_port: 636 ##
LDAP manager:
ldap_rootdn: "dc=example,dc=com" ##
Password of LDAP manager:
ldap_password: "******" ##
Search base of LDAP directory:
ldap_base: "dc=example,dc=com" ##
LDAP attribute that holds user ID:
ldap_uids:
- "mail": "%u@mail.example.org" ##
LDAP filter:
ldap_filter: "(objectClass=shadowAccount)"

Anonymous login support:
auth_method: anonymous
anonymous_protocol: sasl_anon | login_anon | both
allow_multiple_connections: true | false ##
host_config:
"public.example.org":
auth_method: anonymous
allow_multiple_connections: false
anonymous_protocol: sasl_anon ##
To use both anonymous and internal authentication: ##
host_config:
"public.example.org":
auth_method:
- internal
- anonymous

==============
DATABASE SETUP

ejabberd by default uses the internal Mnesia database,
so you do not necessarily need this section.
This section provides configuration examples in case
you want to use other database backends.
Please consult the ejabberd Guide for details on database creation.

MySQL server: ##
odbc_type: mysql
odbc_server: "server"
odbc_database: "database"
odbc_username: "username"
odbc_password: "password" ##
If you want to specify the port:
odbc_port: 1234

PostgreSQL server: ##
odbc_type: pgsql
odbc_server: "server"
odbc_database: "database"
odbc_username: "username"
odbc_password: "password" ##
If you want to specify the port:
odbc_port: 1234 ##
If you use PostgreSQL, have a large database, and need a
faster but inexact replacement for "select count(*) from users" ##
pgsql_users_number_estimate: true

ODBC compatible or MSSQL server: ##
odbc_type: odbc
odbc_server: "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"

Number of connections to open to the database for each virtual host ##
odbc_pool_size: 10

Interval to make a dummy SQL request to keep the connections to the
database alive. Specify in seconds: for example 28800 means 8 hours ##
odbc_keepalive_interval: undefined

===============
TRAFFIC SHAPERS

shaper: ## ## The "normal" shaper limits traffic speed to 1000 B/s ## normal: 1000

The "fast" shaper limits traffic speed to 50000 B/s ##
fast: 50000

This option specifies the maximum number of elements in the queue
of the FSM. Refer to the documentation for details. ##
max_fsm_queue: 1000

. ====================

' ACCESS CONTROL LISTS

acl: ## ## The 'admin' ACL grants administrative privileges to XMPP accounts. ## You can put here as many accounts as you want. ## admin: user:

"admin": "localhost" ##

Blocked users ## blocked: user:
- "baduser": "example.org"
- "test"
Local users: don't modify this. ## local: user_regexp: ""

More examples of ACLs ##
jabberorg:
server:
- "jabber.org"
aleksey:
user:
- "aleksey": "jabber.ru"
test:
user_regexp: "^test"
user_glob: "test*"

Loopback network ##
loopback:
ip:
- "127.0.0.0/8"

Bad XMPP servers ##
bad_servers:
server:
- "xmpp.zombie.org"
- "xmpp.spam.com"

Define specific ACLs in a virtual host. ##
host_config:
"localhost":
acl:
admin:
user:
- "bob-local": "localhost"

============
ACCESS RULES
access: ## Maximum number of simultaneous sessions allowed for a single user:
max_user_sessions:
all: 10 ## Maximum number of offline messages that users can have:
max_user_offline_messages:
admin: 5000
all: 100 ## This rule allows access only for local users:
local:
local: allow ## Only non-blocked users can use c2s connections:
c2s:
blocked: deny
all: allow ## For C2S connections, all users except admins use the "normal" shaper
c2s_shaper:
admin: none
all: normal ## All S2S connections use the "fast" shaper
s2s_shaper:
all: fast ## Only admins can send announcement messages:
announce:
admin: allow ## Only admins can use the configuration interface:
configure:
admin: allow ## Admins of this server are also admins of the MUC service:
muc_admin:
admin: allow ## Only accounts of the local ejabberd server can create rooms:
muc_create:
local: allow ## All users are allowed to use the MUC service:
muc:
all: allow ## Only accounts on the local ejabberd server can create Pubsub nodes:
pubsub_createnode:
local: allow ## In-band registration allows registration of any possible username. ## To disable in-band registration, replace 'allow' with 'deny'.
register:
all: allow ## Only allow to register from localhost
trusted_network:
loopback: allow ## Do not establish S2S connections with bad servers ## s2s: ## bad_servers: deny ## all: allow

By default the frequency of account registrations from the same IP
is limited to 1 account every 10 minutes. To disable, specify: infinity
registration_timeout: 600

Define specific Access Rules in a virtual host. ##
host_config:
"localhost":
access:
c2s:
admin: allow
all: deny
register:
all: deny

================
DEFAULT LANGUAGE

language: Default language used for server messages. ##
language: "en"

Set a different default language in a virtual host. ##
host_config:
"localhost":
language: "ru"

=======
CAPTCHA

Full path to a script that generates the image. ##
captcha_cmd: "/lib/ejabberd/priv/bin/captcha.sh"

Host for the URL and port where ejabberd listens for CAPTCHA requests. ##
captcha_host: "example.org:5280"

Limit CAPTCHA calls per minute for JID/IP to avoid DoS. ##
captcha_limit: 5

=======
MODULES

Modules enabled in all ejabberd virtual hosts. ##
modules:
mod_adhoc: {}
mod_announce: # recommends mod_adhoc
access: announce
mod_blocking: {} # requires mod_privacy
mod_caps: {}
mod_carboncopy: {}
mod_configure: {} # requires mod_adhoc
mod_disco: {} ## mod_echo: {}
mod_irc: {}
mod_http_bind: {} ## mod_http_fileserver: ## docroot: "/var/www" ## accesslog: "/var/log/ejabberd/access.log"
mod_last: {}
mod_muc: ## host: "conference.HOST"
access: muc
access_create: muc_create
access_persistent: muc_create
access_admin: muc_admin ## mod_muc_log: {}
mod_offline:
access_max_user_messages: max_user_offline_messages
mod_ping: {} ## mod_pres_counter: ## count: 5 ## interval: 60
mod_privacy: {}
mod_private: {} ## mod_proxy65: {}
mod_pubsub:
access_createnode: pubsub_createnode ## reduces resource comsumption, but XEP incompliant
ignore_pep_from_offline: true ## XEP compliant, but increases resource comsumption ## ignore_pep_from_offline: false
last_item_cache: false
plugins:
- "flat"
- "hometree"
- "pep" # pep requires mod_caps
mod_register: ## ## Protect In-Band account registrations with CAPTCHA. ## ## captcha_protected: true ##
    Set the minimum informational entropy for passwords. ##
    password_strength: 32
##
    After successful registration, the user receives
    a message with this subject and body. ##
    welcome_message:
    subject: "Welcome!"
    body: |-
    Hi.
    Welcome to this XMPP server.
##
    When a user registers, send a notification to
    these XMPP accounts. ##
    registration_watchers:
    - "admin1@example.org"
##
    Only clients in the server machine can register accounts ##
    ip_access: trusted_network
##
    Local c2s or remote s2s users cannot register accounts ##
    access_from: deny

access: register
mod_roster: {}
mod_shared_roster: {}
mod_stats: {}
mod_time: {}
mod_vcard: {}
mod_version: {}

Enable modules with custom options in a specific virtual host ##
append_host_config:
"localhost":
modules:
mod_echo:
host: "mirror.localhost"

Local Variables:
mode: yaml
End:
vim: set filetype=yaml tabstop=8

----8<--------8<--------8<--------8<--------8<--------8<--------8<--------8<--------8<--------8<--------8<----

tomgagdotnet commented 8 years ago

This is what I can see from the logs, following is my ChatSecure configuration. My ejabberd server is at mydomain.com with IP 10.0.0.1. I created two users: "test", and "myuser". First I connect with user "test" via my Jabber client (1.1.1.1) and everything works fine:

2016-05-29 12:24:27.769 [info] <0.447.0>@ejabberd_listener:accept:313 (#Port<0.6705>) Accepted connection 1.1.1.1:35199 -> 10.0.0.1:5222 2016-05-29 12:24:28.320 [info] <0.453.0>@ejabberd_c2s:wait_for_feature_request:733 ({socket_state,p1_tls,{tlssock,#Port<0.6705>,#Port<0.6739>},<0.452.0>}) Accepted authentication for test by ejabberd_auth_internal 2016-05-29 12:24:28.517 [info] <0.453.0>@ejabberd_c2s:wait_for_session:1079 ({socket_state,p1_tls,{tlssock,#Port<0.6705>,#Port<0.6739>},<0.452.0>}) Opened session for test@mydomain.com/45[randomdigits]73832743207

Now if I try to connect with "myuser" from Chatsecure, it hangs on "Connecting..." and from the logs I only see this:

2016-05-29 12:25:35.017 [info] <0.447.0>@ejabberd_listener:accept:313 (#Port<0.6742>) Accepted connection 2.2.2.2:49754 -> 10.0.0.1:5222

Of course, if I connect myuser from my other client, it works:

2016-05-29 12:27:02.162 [info] <0.447.0>@ejabberd_listener:accept:313 (#Port<0.6746>) Accepted connection 1.1.1.1:35200 -> 10.0.0.1:5222 2016-05-29 12:27:02.645 [info] <0.458.0>@ejabberd_c2s:wait_for_feature_request:733 ({socket_state,p1_tls,{tlssock,#Port<0.6746>,#Port<0.6748>},<0.457.0>}) Accepted authentication for myuser by ejabberd_auth_internal 2016-05-29 12:27:02.847 [info] <0.458.0>@ejabberd_c2s:wait_for_session:1079 ({socket_state,p1_tls,{tlssock,#Port<0.6746>,#Port<0.6748>},<0.457.0>}) Opened session for myuser@mydomain.com/71[randomdigits]4523783207

My ChatSecure configuration for the "myuser" account:

XMPP Resource: (empty) XMPP Resource Priority: 20 Server Port: TCP Port for XMPP Server Connect Server: (empty) Chat Encryption: Always Require Transport Encryption: [checked] Allow Plain Text Auth: [unchecked] Do SRV Lookup: [checked]

So it looks like there is a problem of authentication, but I really can't understand what I'm doing wrong, my server works with other clients as I said :( any help would be appreciated, thanks!

Ksoft-Technologies commented 6 years ago

https://stackoverflow.com/questions/47452158/ssl-access-to-ejabberd-api/48181071#48181071

guardianproject / ChatSecureAndroid

ChatSecure for Android can't connect to self-hosted ejabberd/XMPP server #746

. ====================

' ACCESS CONTROL LISTS