Closed ravermeister closed 6 months ago
Hey there @fabaff, @flowolf, mind taking a look at this issue as it has been labeled with an integration (xmpp) you are listed as a code owner for? Thanks!
(message by CodeOwnersMention)
xmpp documentation xmpp source (message by IssueLinks)
Maybe an update of the slixmpp version could help, as far as I can tell Hass is using 1.8.4 https://github.com/home-assistant/core/blob/39c44ad5b7b4913c97fa2f3f5dbf8f9a90168e15/requirements_all.txt#L2550
But the latest version is 1.8.5: https://pypi.org/project/slixmpp/
My own bot https://gitlab.rimkus.it/xmpp/xmpp-chatbot/-/blob/fork-master/requirements.txt?ref_type=heads#L1 works fine with this version and latest ejabberd by the way
Hey, will it find its way to master soon™? Thanks in advance and kind regards Jonny
To follow this ticket.
I have the same problem as OP. Unfortunately updating slixmpp to 1.8.5 in Home Assistant 2024.5.2 did not solve the problem, at least not for me.
However, I think I have found the root of the problem. I wrote a little test application using slixmpp and got the following log output from ejabberd:
2024-05-07 21:49:31.316914+00:00 [info] <0.539.0>@ejabberd_listener:accept/7:344 (<0.787.0>) Accepted connection [::ffff:xxx.xxx.xxx.xxx]:14089 -> [::ffff:xxx.xxx.xxx.xxx]:5222
2024-05-07 21:49:31.455926+00:00 [warning] <0.787.0>@ejabberd_c2s:process_auth_result/3:280 (tls|<0.787.0>) Failed c2s SCRAM-SHA-512-PLUS authentication from ::ffff:xxx.xxx.xxx.xxx: Invalid channel binding
2024-05-07 21:49:31.486751+00:00 [warning] <0.787.0>@ejabberd_c2s:process_auth_result/3:280 (tls|<0.787.0>) Failed c2s SCRAM-SHA-256-PLUS authentication from ::ffff:xxx.xxx.xxx.xxx: Invalid channel binding
2024-05-07 21:49:31.516431+00:00 [warning] <0.787.0>@ejabberd_c2s:process_auth_result/3:280 (tls|<0.787.0>) Failed c2s SCRAM-SHA-1-PLUS authentication from ::ffff:xxx.xxx.xxx.xxx: Invalid channel binding
2024-05-07 21:49:31.678632+00:00 [info] <0.787.0>@ejabberd_c2s:process_auth_result/3:272 (tls|<0.787.0>) Accepted c2s SCRAM-SHA-512 authentication for xx@xxx.xx by mnesia backend from ::ffff:xxx.xxx.xxx.xxx
It seems that slixmpp tries several authentication methods till it finds one that works. But the xmpp component is implemented in a way so that as soon as the first authentication method fails it disconnects from the server. Therefore, it never finds a working authentication method. And indeed, after removing the call to disconnect() in the callback disconnect_on_login_fail() xmpp works again.
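Added example, not part of the thread or of the Home Assistant or slixmpp code: a small Python parser for ejabberd auth lines in the format quoted in the comment above. It groups results per c2s session to show whether a client fell back from a -PLUS mechanism to one without channel binding, or gave up without logging in. The sample log, its addresses and JID, session <0.801.0> and the verdict names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the ejabberd lines quoted above. Addresses
# and JID are placeholders; session <0.801.0> is invented to show a client that
# gives up after its first failed mechanism.
SAMPLE_LOG = """\
2024-05-07 21:49:31.316914+00:00 [info] <0.539.0>@ejabberd_listener:accept/7:344 (<0.787.0>) Accepted connection [::ffff:192.0.2.10]:14089 -> [::ffff:192.0.2.1]:5222
2024-05-07 21:49:31.455926+00:00 [warning] <0.787.0>@ejabberd_c2s:process_auth_result/3:280 (tls|<0.787.0>) Failed c2s SCRAM-SHA-512-PLUS authentication from ::ffff:192.0.2.10: Invalid channel binding
2024-05-07 21:49:31.486751+00:00 [warning] <0.787.0>@ejabberd_c2s:process_auth_result/3:280 (tls|<0.787.0>) Failed c2s SCRAM-SHA-256-PLUS authentication from ::ffff:192.0.2.10: Invalid channel binding
2024-05-07 21:49:31.516431+00:00 [warning] <0.787.0>@ejabberd_c2s:process_auth_result/3:280 (tls|<0.787.0>) Failed c2s SCRAM-SHA-1-PLUS authentication from ::ffff:192.0.2.10: Invalid channel binding
2024-05-07 21:49:31.678632+00:00 [info] <0.787.0>@ejabberd_c2s:process_auth_result/3:272 (tls|<0.787.0>) Accepted c2s SCRAM-SHA-512 authentication for user@example.org by mnesia backend from ::ffff:192.0.2.10
2024-05-07 21:50:02.101112+00:00 [warning] <0.801.0>@ejabberd_c2s:process_auth_result/3:280 (tls|<0.801.0>) Failed c2s SCRAM-SHA-512-PLUS authentication from ::ffff:192.0.2.20: Invalid channel binding
"""

# Matches "(tls|<pid>) Failed|Accepted c2s <MECH> authentication <rest>".
AUTH_RE = re.compile(
    r"\(\w+\|(?P<sid><[\d.]+>)\) (?P<result>Failed|Accepted) c2s "
    r"(?P<mech>\S+) authentication (?P<rest>.*)$"
)
CB_ERROR = "Invalid channel binding"


def classify_sessions(log_text):
    """Group auth results by c2s session id and classify each session."""
    sessions = defaultdict(lambda: {"failed": [], "accepted": None})
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue  # e.g. the listener's "Accepted connection" line
        entry = sessions[m["sid"]]
        if m["result"] == "Accepted":
            entry["accepted"] = m["mech"]
        else:
            # The failure reason follows the last ": " (the address has colons too).
            entry["failed"].append((m["mech"], m["rest"].rsplit(": ", 1)[-1]))

    report = {}
    for sid, entry in sessions.items():
        cb_failed = [mech for mech, reason in entry["failed"]
                     if mech.endswith("-PLUS") and reason == CB_ERROR]
        if entry["accepted"] is None:
            verdict = "no-login"  # client stopped before any mechanism succeeded
        elif cb_failed and not entry["accepted"].endswith("-PLUS"):
            verdict = "fallback-without-channel-binding"
        else:
            verdict = "ok"
        report[sid] = {"verdict": verdict, "accepted": entry["accepted"],
                       "failed": [mech for mech, _ in entry["failed"]]}
    return report
```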
Yes, this is the answer from the ejabberd muc:
In ejabberd.yml
c2s_protocol_options:
- no_tlsv1_3
Though slixmpp 1.8.5 should have fixed this....
Dear all, @home-assistant team, @fabaff, @ravermeister, @matzman666, and all others,
The real problem is that tls-exporter is not supported by Python and it is a security problem!
Linked to:
Comments on original PR and Issues are important to show the security problem...
ejabberd has excellent security support.
The problem
Hi, after the latest update of ejabberd to 24.02, I can't send notifications via xmpp anymore. In the ejabberd Server logs I see this:
This is the changelog of the recent ejabberd version: https://www.process-one.net/blog/ejabberd-24-02/
There is a new config flag for ejabberd to disable SASL downgrade protection: disable_sasl_scram_downgrade_protection (and for movim this flag works), see https://docs.ejabberd.im/admin/configuration/toplevel/#disable-sasl-scram-downgrade-protection
What version of Home Assistant Core has the issue?
core-2024.3.1
What was the last working version of Home Assistant Core?
No response
What type of installation are you running?
Home Assistant OS
Integration causing the issue
xmpp
Link to integration documentation on our website
https://www.home-assistant.io/integrations/xmpp/
Diagnostics information
No response
Example YAML snippet
Anything in the logs that might be useful for us?
Additional information
No response