home-assistant / core

Open source home automation that puts local control and privacy first.
https://www.home-assistant.io
Apache License 2.0

XMPP ejabberd 24.02 login fails with "Invalid channel binding" #113990

Closed ravermeister closed 6 months ago

ravermeister commented 7 months ago

The problem

Hi, after the latest update of ejabberd to 24.02, I can't send notifications via xmpp anymore. In the ejabberd server logs I see this:

2024-03-22 11:06:27.039243+01:00 [warning] <0.934.0>@ejabberd_c2s:process_auth_result/3:288 (tls|<0.934.0>) Failed c2s SCRAM-SHA-1-PLUS authentication from ::ffff:100.65.83.1: Invalid channel binding

This is the changelog of the recent ejabberd version: https://www.process-one.net/blog/ejabberd-24-02/
There is a new config flag for ejabberd to disable SASL downgrade protection, `disable_sasl_scram_downgrade_protection` (and for movim this flag works), see https://docs.ejabberd.im/admin/configuration/toplevel/#disable-sasl-scram-downgrade-protection

What version of Home Assistant Core has the issue?

core-2024.3.1

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant OS

Integration causing the issue

xmpp

Link to integration documentation on our website

https://www.home-assistant.io/integrations/xmpp/

Diagnostics information

No response

Example YAML snippet

- name: xmpp_jid_user
  platform: xmpp
  sender: iot@xmpp.domain
  password: iot_jid_password
  recipient:
    - xmpp_user@xmpp.domain

Anything in the logs that might be useful for us?

Logger: homeassistant.components.xmpp.notify
Quelle: components/xmpp/notify.py:370
Integration: xmpp (Dokumentation, Probleme)
Erstmals aufgetreten: 18. März 2024 um 10:54:36 (17 Vorkommnisse)
Zuletzt protokolliert: 10:25:34

Login failed

Additional information

No response

home-assistant[bot] commented 7 months ago

Hey there @fabaff, @flowolf, mind taking a look at this issue as it has been labeled with an integration (xmpp) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of `xmpp` can trigger bot actions by commenting:

- `@home-assistant close` Closes the issue.
- `@home-assistant rename Awesome new title` Renames the issue.
- `@home-assistant reopen` Reopen the issue.
- `@home-assistant unassign xmpp` Removes the current integration label and assignees on the issue, add the integration domain after the command.
- `@home-assistant add-label needs-more-information` Add a label (needs-more-information, problem in dependency, problem in custom component) to the issue.
- `@home-assistant remove-label needs-more-information` Remove a label (needs-more-information, problem in dependency, problem in custom component) on the issue.

(message by CodeOwnersMention)


xmpp documentation xmpp source (message by IssueLinks)

ravermeister commented 7 months ago

Maybe an update of the slixmpp version could help; as far as I can tell, Hass is using 1.8.4: https://github.com/home-assistant/core/blob/39c44ad5b7b4913c97fa2f3f5dbf8f9a90168e15/requirements_all.txt#L2550

But the latest version is 1.8.5: https://pypi.org/project/slixmpp/

My own bot (https://gitlab.rimkus.it/xmpp/xmpp-chatbot/-/blob/fork-master/requirements.txt?ref_type=heads#L1) works fine with this version and the latest ejabberd, by the way.

ravermeister commented 6 months ago

Hey, will it find its way to master soon™? Thanks in advance and kind regards, Jonny

Neustradamus commented 5 months ago

To follow this ticket.

matzman666 commented 5 months ago

I have the same problem as OP. Unfortunately updating slixmpp to 1.8.5 in Home Assistant 2024.5.2 did not solve the problem, at least not for me.

However, I think I have found the root of the problem. I wrote a little test application using slixmpp and got the following log output from ejabberd:

2024-05-07 21:49:31.316914+00:00 [info] <0.539.0>@ejabberd_listener:accept/7:344 (<0.787.0>) Accepted connection [::ffff:xxx.xxx.xxx.xxx]:14089 -> [::ffff:xxx.xxx.xxx.xxx]:5222
2024-05-07 21:49:31.455926+00:00 [warning] <0.787.0>@ejabberd_c2s:process_auth_result/3:280 (tls|<0.787.0>) Failed c2s SCRAM-SHA-512-PLUS authentication from ::ffff:xxx.xxx.xxx.xxx: Invalid channel binding
2024-05-07 21:49:31.486751+00:00 [warning] <0.787.0>@ejabberd_c2s:process_auth_result/3:280 (tls|<0.787.0>) Failed c2s SCRAM-SHA-256-PLUS authentication from ::ffff:xxx.xxx.xxx.xxx: Invalid channel binding
2024-05-07 21:49:31.516431+00:00 [warning] <0.787.0>@ejabberd_c2s:process_auth_result/3:280 (tls|<0.787.0>) Failed c2s SCRAM-SHA-1-PLUS authentication from ::ffff:xxx.xxx.xxx.xxx: Invalid channel binding
2024-05-07 21:49:31.678632+00:00 [info] <0.787.0>@ejabberd_c2s:process_auth_result/3:272 (tls|<0.787.0>) Accepted c2s SCRAM-SHA-512 authentication for xx@xxx.xx by mnesia backend from ::ffff:xxx.xxx.xxx.xxx

It seems that slixmpp tries several authentication methods until it finds one that works. But the xmpp component is implemented in a way that, as soon as the first authentication method fails, it disconnects from the server. Therefore, it never finds a working authentication method. And indeed, after removing the call to disconnect() in the callback disconnect_on_login_fail(), xmpp works again.
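
The mechanism walk described in the comment above, as an added illustration that is not code from Home Assistant, slixmpp or ejabberd: a simplified Python model in which the server rejects every *-PLUS mechanism with "Invalid channel binding" when the client cannot supply the channel-binding type the TLS session requires, and the client either aborts on the first failure (the component behaviour described above) or walks on to a non-PLUS mechanism. The `Server` and `Client` classes, the assumption that the client's TLS stack offers tls-unique but not tls-exporter, and the TLS 1.3 switch that mirrors the `no_tlsv1_3` workaround mentioned later in the thread are all constructed for this example.

```python
"""Simplified model of the SASL mechanism walk described in this issue.

Constructed example: not Home Assistant, slixmpp or ejabberd code. It shows why
a client that calls disconnect() on the first failed_auth event never reaches a
non-PLUS mechanism the server accepts, and why no_tlsv1_3 sidesteps the issue.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Preference order modelled on the ejabberd log quoted above (most preferred first).
PREFERENCE = ["SCRAM-SHA-512-PLUS", "SCRAM-SHA-256-PLUS", "SCRAM-SHA-1-PLUS",
              "SCRAM-SHA-512", "SCRAM-SHA-256", "SCRAM-SHA-1"]

@dataclass
class Server:
    tls13: bool

    def expected_cb_type(self) -> str:
        # tls-unique is undefined under TLS 1.3; a -PLUS client must use tls-exporter.
        return "tls-exporter" if self.tls13 else "tls-unique"

    def authenticate(self, mech: str, client_cb_types: set[str]) -> tuple[bool, str]:
        if mech.endswith("-PLUS") and self.expected_cb_type() not in client_cb_types:
            return False, f"Failed c2s {mech} authentication: Invalid channel binding"
        return True, f"Accepted c2s {mech} authentication"

@dataclass
class Client:
    disconnect_on_failed_auth: bool  # behaviour of the notify component as described
    # Assumption from the thread: Python's ssl offers tls-unique but no tls-exporter.
    cb_types: set[str] = field(default_factory=lambda: {"tls-unique"})
    log: list[str] = field(default_factory=list)

    def login(self, server: Server) -> str | None:
        """Return the mechanism that succeeded, or None if login failed."""
        for mech in PREFERENCE:
            ok, msg = server.authenticate(mech, self.cb_types)
            self.log.append(msg)
            if ok:
                return mech
            # failed_auth fires once per rejected mechanism; disconnecting here
            # aborts the walk before any fallback mechanism is tried.
            if self.disconnect_on_failed_auth:
                self.log.append("disconnect() called from failed_auth handler")
                return None
        self.log.append("failed_all_auth: no mechanism left")  # correct place to give up
        return None

def simulate(tls13: bool, disconnect_on_failed_auth: bool) -> str | None:
    return Client(disconnect_on_failed_auth).login(Server(tls13))
```

`simulate(True, True)` reproduces the reported failure, `simulate(True, False)` ends in the plain SCRAM-SHA-512 acceptance seen in the log, and `simulate(False, True)` shows why forcing TLS 1.2 on the server lets even the early-disconnecting client log in on the first mechanism.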

ravermeister commented 5 months ago

Yes, this is the answer from the ejabberd muc: In ejabberd.yml

c2s_protocol_options:
  - no_tlsv1_3

Though slixmpp 1.8.5 should have fixed this....

Neustradamus commented 5 months ago

Dear all, @home-assistant team, @fabaff, @ravermeister, @matzman666, and all others,

The real problem is that tls-exporter is not supported by Python and it is a security problem!

Linked to:

Comments on original PR and Issues are important to show the security problem...

ejabberd has an excellent security support.