headcounter / deployment

NixOps deployment

Fix connection problems with some clients #18

Closed aszlig closed 9 years ago

aszlig commented 9 years ago

I'm not yet sure why they're unable to connect, but clients such as Adium or Gajim (the latter only on Windows) even in recent versions are unable to connect.

Gajim on Windows even tries to authenticate without doing STARTTLS first, but I haven't yet been able to debug why this is happening (debugging Gajim on Windows seems to be quite annoying).

ShinIce commented 9 years ago

Debian Sid, gajim 0.16-1

<!-- Out Fr 04 Sep 2015 18:16:52 CEST --> <?xml version='1.0'?> <stream:stream xmlns="jabber:client" to="aszlig.net" version="1.0" xmlns:stream="http://etherx.jabber.org/streams" xml:lang="de">

<!-- In Fr 04 Sep 2015 18:16:52 CEST --> <?xml version='1.0'?> <stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='1845464223' from='aszlig.net' version='1.0' xml:lang='en'> <stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>

<!-- Out Fr 04 Sep 2015 18:16:52 CEST --> <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>

<!-- In Fr 04 Sep 2015 18:16:52 CEST --> <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>

<!-- Out Fr 04 Sep 2015 18:16:52 CEST --> <?xml version='1.0'?> <stream:stream xmlns="jabber:client" to="aszlig.net" version="1.0" xmlns:stream="http://etherx.jabber.org/streams" xml:lang="de">

<!-- In Fr 04 Sep 2015 18:16:52 CEST --> <?xml version='1.0'?> <stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='1015844473' from='aszlig.net' version='1.0' xml:lang='en'>

<!-- In Fr 04 Sep 2015 18:16:52 CEST --> <stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism><mechanism>DIGEST-MD5</mechanism><mechanism>SCRAM-SHA-1</mechanism></mechanisms><register xmlns='http://jabber.org/features/iq-register'/><amp xmlns='http://jabber.org/feature/amp'/><sm xmlns='urn:xmpp:sm:3'/></stream:features>

<!-- Out Fr 04 Sep 2015 18:16:52 CEST --> <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="SCRAM-SHA-1">----</auth>

<!-- In Fr 04 Sep 2015 18:16:52 CEST --> <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>----</challenge>

<!-- Out Fr 04 Sep 2015 18:16:52 CEST --> <response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">----</response>

<!-- In Fr 04 Sep 2015 18:16:53 CEST --> <success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>----</success>

<!-- Out Fr 04 Sep 2015 18:16:53 CEST --> <?xml version='1.0'?> <stream:stream xmlns="jabber:client" to="aszlig.net" version="1.0" xmlns:stream="http://etherx.jabber.org/streams" xml:lang="de">

<!-- In Fr 04 Sep 2015 18:16:53 CEST --> <?xml version='1.0'?> <stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='3512955540' from='aszlig.net' version='1.0' xml:lang='en'>

<!-- In Fr 04 Sep 2015 18:16:53 CEST --> <stream:features><bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'/><session xmlns='urn:ietf:params:xml:ns:xmpp-session'/><ver xmlns='urn:xmpp:features:rosterver'/><register xmlns='http://jabber.org/features/iq-register'/><amp xmlns='http://jabber.org/feature/amp'/><sm xmlns='urn:xmpp:sm:3'/></stream:features>

<!-- Out Fr 04 Sep 2015 18:16:53 CEST --> <iq type="set" id="6"><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"><resource>ZYX</resource></bind></iq>

<!-- In Fr 04 Sep 2015 18:16:53 CEST --> <iq id='6' type='result'><bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'><jid>XYZ@aszlig.net/ZYX</jid></bind></iq>

<!-- Out Fr 04 Sep 2015 18:16:53 CEST --> <iq type="set" id="7"><session xmlns="urn:ietf:params:xml:ns:xmpp-session"/></iq>

<!-- In Fr 04 Sep 2015 18:16:53 CEST --> <iq type='result' id='7'><session xmlns='urn:ietf:params:xml:ns:xmpp-session'/></iq>

<!-- Out Fr 04 Sep 2015 18:16:53 CEST --> <iq xmlns="jabber:client" type="get" id="8"><pref xmlns="urn:xmpp:archive"/></iq>

<!-- Out Fr 04 Sep 2015 18:16:53 CEST --> <iq xmlns="jabber:client" to="aszlig.net" type="get" id="Gajim_9"><query xmlns="http://jabber.org/protocol/disco#info"/></iq>
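The capture above shows the ordering RFC 6120 requires on a client-to-server stream: the server advertises STARTTLS as required, the client sends `<starttls/>`, the server answers `<proceed/>`, the client opens a fresh `<stream:stream>` over TLS and only then starts SASL. The Windows Gajim behaviour described in the opening comment, sending `<auth>` before any STARTTLS, is exactly the failure mode worth flagging when reading such dumps. The following checker is an added example, not code from the thread or from the headcounter deployment; it works on the XML console line format shown above, and both sample logs are constructed (with SASL payloads replaced by `...`).

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List


@dataclass
class Event:
    direction: str  # "Out" = client -> server, "In" = server -> client
    stamp: str      # timestamp text from the console comment
    xml: str        # the stanza(s) on that line


# Matches the "<!-- In/Out <timestamp> -->" prefix Gajim's XML console prints.
_LINE = re.compile(r"^<!--\s*(In|Out)\s+(.*?)\s*-->\s*(.*)$")


def parse_console(log: str) -> List[Event]:
    """Split an XML console dump into directional events; other lines are skipped."""
    events = []
    for raw in log.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            events.append(Event(m.group(1), m.group(2), m.group(3).strip()))
    return events


def audit_starttls_order(log: str) -> List[str]:
    """Return findings for a client-to-server stream; an empty list means the
    client followed RFC 6120: STARTTLS -> <proceed/> -> new <stream:stream> -> <auth>.
    """
    findings = []
    tls_required = False   # server advertised <starttls><required/>
    proceeded = False      # server answered <proceed/>
    restarted = False      # client opened a fresh stream after <proceed/>
    for ev in parse_console(log):
        x = ev.xml
        if ev.direction == "In":
            if "<starttls" in x and "<required/>" in x:
                tls_required = True
            if re.search(r"<proceed[\s/>]", x):
                proceeded, restarted = True, False
            continue
        # Outgoing (client) traffic from here on.
        if proceeded and "<stream:stream" in x:
            restarted = True
        if "<auth " in x:
            m = re.search(r"""mechanism=["']([^"']+)""", x)
            mech = m.group(1) if m else "?"
            if not proceeded:
                msg = f"{ev.stamp}: <auth mechanism={mech}> sent before TLS was negotiated"
                if tls_required:
                    msg += " although the server marked STARTTLS <required/>"
                findings.append(msg)
            elif not restarted:
                findings.append(f"{ev.stamp}: <auth> sent after <proceed/> without a new stream header")
    return findings


# Constructed sample in the console format (not the capture from the thread).
GOOD_LOG = """\
<!-- Out 18:16:52 --> <?xml version='1.0'?> <stream:stream xmlns="jabber:client" to="example.net" version="1.0" xmlns:stream="http://etherx.jabber.org/streams">
<!-- In 18:16:52 --> <stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>
<!-- Out 18:16:52 --> <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
<!-- In 18:16:52 --> <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
<!-- Out 18:16:52 --> <?xml version='1.0'?> <stream:stream xmlns="jabber:client" to="example.net" version="1.0" xmlns:stream="http://etherx.jabber.org/streams">
<!-- In 18:16:52 --> <stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism><mechanism>SCRAM-SHA-1</mechanism></mechanisms></stream:features>
<!-- Out 18:16:52 --> <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="SCRAM-SHA-1">...</auth>
"""

# Constructed sample of the failure mode described for Gajim on Windows:
# SASL authentication attempted before STARTTLS.
BAD_LOG = """\
<!-- Out 18:20:01 --> <?xml version='1.0'?> <stream:stream xmlns="jabber:client" to="example.net" version="1.0" xmlns:stream="http://etherx.jabber.org/streams">
<!-- In 18:20:01 --> <stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>
<!-- Out 18:20:01 --> <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN">...</auth>
"""

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        print(name, audit_starttls_order(log) or "ok")
```

Running it prints `ok` for the first log and one finding for the second; a server that marks STARTTLS as required will not answer a pre-TLS `<auth>` with `<success/>`, which is consistent with a client that just sits in "connecting".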

aszlig commented 9 years ago

@ShinIce: Does the client just stall after that?

ShinIce commented 9 years ago

@aszlig yep

aszlig commented 9 years ago

Hm, might then be related to #14, what's the issue with Adium?

aszlig commented 9 years ago

Also, can you get ldd information from the Adium binary? For example which SSL library and version it is using?

aszlig commented 9 years ago

Okay, Gajim for Windows seems to come with OpenSSL version 0.9.8l, so no wonder it has trouble with our cipher suite.

ShinIce commented 9 years ago

Adium does not enable xml console if the account is not connected. OpenSSL version on 10.10.5 is 0.9.8zg 14 July 2015

aszlig commented 9 years ago

Output of openssl ciphers -v for OpenSSL 0.9.8l with our current cipher suite:

ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1

aszlig commented 9 years ago

And that's the same output as with OpenSSL 0.9.8zg:

ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1

aszlig commented 9 years ago

Okay, those do not seem to be supported in TLS, see http://marc.info/?l=openssl-users&m=132065751332665.

aszlig commented 9 years ago

@ShinIce: Please confirm whether Adium is now working for you.

ShinIce commented 9 years ago

@aszlig no difference.

aszlig commented 9 years ago

@ShinIce: Does the following command work for you?

openssl s_client -connect headcounter.org:5222 -starttls xmpp

aszlig commented 9 years ago

Also, if it works, please paste the section under "SSL-Session".

ShinIce commented 9 years ago

SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: BBB325DAC1395A825AEF8D4ACE77C0222B355BACCF60373C647C0199F0510D0DB730F50ED4B92E55CAA2DBA0D3A79D9A
    Key-Arg   : None
    Start Time: 1441633106
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
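The two artefacts used for diagnosis in this thread are the `openssl ciphers -v` listing of what a client's library supports and the `SSL-Session` block from `openssl s_client -starttls xmpp`. The helper below is an added example, not code from the thread or from the deployment; it parses both formats offline, splits a server's configured suite list into what a given client can and cannot use, and sanity-checks a negotiated session. The rule it applies to the client list is the one the thread arrived at for OpenSSL 0.9.8 (ECDH suites printed as `SSLv3` are not negotiated over TLS); it is a heuristic for that library generation, not a general property of the `SSLv3` column. The server list `SERVER_ALLOWED` is an assumption, since the thread never shows the actual configuration, and both sample inputs are constructed (the master key is redacted).

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Suite:
    name: str
    version: str  # protocol column as printed by `openssl ciphers -v`
    kx: str
    au: str
    enc: str
    mac: str


def parse_ciphers_v(output: str) -> List[Suite]:
    """Parse `openssl ciphers -v` output, one suite per line."""
    suites = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        kv = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        suites.append(Suite(parts[0], parts[1], kv.get("Kx", ""), kv.get("Au", ""),
                            kv.get("Enc", ""), kv.get("Mac", "")))
    return suites


def negotiable(client: List[Suite], server_allowed: List[str]) -> Tuple[List[str], List[str]]:
    """Split the server's list into suites this client can use and suites it cannot.
    Heuristic from the thread (OpenSSL 0.9.8 clients only): ECDH suites the
    library prints as SSLv3 are not negotiated over TLS."""
    usable, unusable = [], []
    by_name = {s.name: s for s in client}
    for name in server_allowed:
        s = by_name.get(name)
        if s is None or (s.version == "SSLv3" and s.kx == "ECDH"):
            unusable.append(name)
        else:
            usable.append(name)
    return usable, unusable


def parse_ssl_session(s_client_output: str) -> Dict[str, str]:
    """Extract the key/value lines of the 'SSL-Session:' block printed by s_client."""
    fields: Dict[str, str] = {}
    in_block = False
    for line in s_client_output.splitlines():
        if line.strip() == "SSL-Session:":
            in_block = True
            continue
        if not in_block:
            continue
        if line.strip() == "---":
            break
        m = re.match(r"\s+([A-Za-z][A-Za-z\- ]*?)\s*:\s*(.*)$", line)
        if m:  # hex dumps (e.g. session tickets) do not match and are skipped
            fields[m.group(1)] = m.group(2).strip()
    return fields


def check_session(fields: Dict[str, str], server_allowed: List[str]) -> List[str]:
    """Checks a practitioner applies to an s_client result; empty list means fine."""
    findings = []
    proto = fields.get("Protocol", "")
    if not proto.startswith("TLSv1"):
        findings.append(f"negotiated {proto or 'unknown protocol'}, not TLS")
    cipher = fields.get("Cipher", "")
    if cipher not in server_allowed:
        findings.append(f"cipher {cipher or '(none)'} is not in the server's configured list")
    verify = fields.get("Verify return code", "")
    if not verify.startswith("0 "):
        findings.append(f"certificate verification did not return 0: {verify or 'missing'}")
    return findings


# Constructed input in the `openssl ciphers -v` format: the four ECDH lines as
# the thread shows them for OpenSSL 0.9.8, plus a DHE suite.
CLIENT_098 = """\
ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
"""

# Assumed server-side list; the real configuration is not shown in the thread.
SERVER_ALLOWED = ["ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-RSA-AES256-SHA"]

# Constructed s_client output in the shape of the session block posted above.
S_CLIENT_OUTPUT = """\
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: <redacted>
    Key-Arg   : None
    Start Time: 1441633106
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
"""

if __name__ == "__main__":
    usable, unusable = negotiable(parse_ciphers_v(CLIENT_098), SERVER_ALLOWED)
    print("usable:", usable, "unusable:", unusable)
    session = parse_ssl_session(S_CLIENT_OUTPUT)
    print(session["Protocol"], session["Cipher"], check_session(session, SERVER_ALLOWED) or "ok")
```

With the assumed server list, the only suite such a client can use is `DHE-RSA-AES256-SHA`, which matches the cipher the `s_client` run above negotiated; if `negotiable` returns an empty `usable` list, the handshake itself is the problem and no amount of client-side connection settings will help.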

aszlig commented 9 years ago

@ShinIce: Okay, that seems to be fine, so your problem seems to be unrelated to this. Maybe check your connection settings (be sure that there are no static IP addresses or hosts in it)?

aszlig commented 9 years ago

Also, what's the exact error message Adium displays on connect?

aszlig commented 9 years ago

Okay, Gajim on Windows now works.

ShinIce commented 9 years ago

@aszlig no static IPs, proxies or anything related. Adium doesn't show any error, only "connecting" like my Gajim

aszlig commented 9 years ago

Okay, problem indeed has been unrelated and the fix for this issue has been confirmed by another Adium user.