Open stevemolloy opened 7 months ago
2024-04-10T12:11:35.626574+02: tls: DBG: error=SSL_ERROR_SSL(1) errno=0 lasterror=0
2024-04-10T12:11:35.626597+02: tls: DBG: error:0A000410:SSL routines::ssl/tls alert handshake failure
2024-04-10T12:11:35.628694+02: conn: DBG: Couldn't start TLS! error -3 tls_error 1
Which libstrophe version are you running? Do you have a stack trace? Which server software/version?
Which libstrophe version are you running?
libstrophe 1:0.13.1-1
Do you have a stack trace?
I have a core dump, and poking around it with GDB I see the following:
(No debugging symbols found in /usr/bin/profanity)
[New LWP 7954]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Core was generated by `profanity'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x000075f71bac2685 in ?? () from /usr/lib/libstrophe.so.0
(gdb) bt
#0 0x000075f71bac2685 in ??? () at /usr/lib/libstrophe.so.0
#1 0x000075f71bab859a in xmpp_run_once () at /usr/lib/libstrophe.so.0
#2 0x00005fedb0267aec in session_process_events ()
#3 0x00005fedb02685f8 in prof_run ()
#4 0x00005fedb025c249 in main ()
Which server software/version?
I am not sure how to find this info.
Thanks for the additional info!
I am not sure how to find this info.
/serversoftware myserver.org
Could you please
Does the segfault happen with 0.12.2 as well?
Which OpenSSL version do you have installed?
If you don't want to upload the captures here, please send them in via Mail or get in contact to determine how we could get access.
1. create a wireshark capture of the connection attempt
Done. Is there an email address I could send this to? I'd rather not have it public.
2. downgrade libstrophe to 0.12.2 and try again. If it segfaults, please do another capture
It no longer segfaults, but logging in does not work. I am sure I am entering the correct password, but I get "login failed". Here is the debug log:
2024-04-10T15:26:45.165303+02: prof: INF: Starting Profanity (0.14.0)…
2024-04-10T15:26:45.165394+02: prof: INF: Initialising chat logs
2024-04-10T15:26:45.165424+02: prof: INF: Initialising groupchat logs
2024-04-10T15:26:45.165447+02: prof: INF: Loading accounts
2024-04-10T15:26:45.165595+02: prof: INF: Initialising UI
2024-04-10T15:26:45.177884+02: prof: INF: Initialising XMPP
2024-04-10T15:26:45.180258+02: prof: INF: Loading capabilities cache
2024-04-10T15:26:45.180473+02: prof: INF: Initialising commands
2024-04-10T15:26:45.192105+02: prof: INF: Initialising contact list
2024-04-10T15:26:45.192124+02: prof: INF: Loading TLS certificates
2024-04-10T15:26:45.192159+02: prof: INF: Initialising OTR
2024-04-10T15:26:45.192226+02: prof: DBG: GPG: Found gpgme version: 1.23.2
2024-04-10T15:26:45.221164+02: prof: INF: [OMEMO] initialising
2024-04-10T15:26:45.253144+02: prof: DBG: Resizing UI
2024-04-10T15:26:45.256174+02: prof: DBG: Input received: /connect username@jabber.myserver.url
2024-04-10T15:26:57.308595+02: prof: INF: Connecting using account: username@jabber.myserver.url
2024-04-10T15:26:57.308674+02: prof: INF: Connecting as username@jabber.myserver.url/profanity.qzcH
2024-04-10T15:26:57.308705+02: prof: DBG: Connecting with flags (0x2):
2024-04-10T15:26:57.308716+02: prof: DBG: XMPP_CONN_FLAG_MANDATORY_TLS
2024-04-10T15:26:57.645602+02: xmpp: DBG: SRV lookup failed, connecting via domain.
2024-04-10T15:26:57.657997+02: xmpp: DBG: sock_connect() to jabber.myserver.url:5222 returned 7
2024-04-10T15:26:57.658233+02: xmpp: DBG: Attempting to connect to jabber.myserver.url
2024-04-10T15:26:57.658604+02: prof: INF: Starting main event loop
2024-04-10T15:26:57.661893+02: xmpp: DBG: connection successful
2024-04-10T15:26:57.662248+02: conn: DBG: SENT: <?xml version="1.0"?><stream:stream to="jabber.myserver.url" xml:lang="en" version="1.0" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams">
2024-04-10T15:26:57.666664+02: xmpp: DBG: RECV: <stream:stream from="jabber.myserver.url" id="4dkd4h3jtx" lang="en" version="1.0">
2024-04-10T15:26:57.668288+02: xmpp: DBG: RECV: <features xmlns="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>GSSAPI</mechanism><mechanism>NTLM</mechanism></mechanisms></features>
2024-04-10T15:26:57.686493+02: conn: DBG: SENT: <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
2024-04-10T15:26:57.802169+02: xmpp: DBG: RECV: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
2024-04-10T15:26:57.802293+02: xmpp: DBG: handle proceedtls called for proceed
2024-04-10T15:26:57.802321+02: xmpp: DBG: proceeding with TLS
2024-04-10T15:26:57.953157+02: tls: DBG: Certificate verification passed
2024-04-10T15:26:57.953297+02: tls: DBG: Certificate was not presented by peer
2024-04-10T15:26:57.953331+02: tls: DBG: error=SSL_ERROR_SSL(1) errno=0 lasterror=0
2024-04-10T15:26:57.953365+02: tls: DBG: error:0A000410:SSL routines::ssl/tls alert handshake failure
2024-04-10T15:26:57.955586+02: conn: DBG: Couldn't start TLS! error -3 tls_error 1
2024-04-10T15:26:57.966301+02: conn: DBG: SENT: </stream:stream>
2024-04-10T15:26:57.966373+02: xmpp: DBG: Send error occurred, disconnecting.
2024-04-10T15:26:57.966391+02: xmpp: DBG: Closing socket.
2024-04-10T15:26:57.966431+02: prof: DBG: Connection handler: XMPP_CONN_DISCONNECT
2024-04-10T15:26:57.966446+02: prof: DBG: Connection handler: Login failed
2024-04-10T15:26:57.966459+02: prof: DBG: Connection handler: No reconnect timer
2024-04-10T15:26:57.966543+02: prof: INF: Login failed
2024-04-10T15:27:02.076612+02: prof: DBG: Input received: /quit
2024-04-10T15:27:02.076698+02: prof: INF: Profanity is shutting down…
Which OpenSSL version do you have installed?
3.2.1-1
Thanks for the additional info!
I am not sure how to find this info.
/serversoftware myserver.org
Not sure how to do this if I cannot connect. Or am I misunderstanding something?
Not sure how to do this if I cannot connect. Or am I misunderstanding something?
Hehe :) That was pretty dumb of me :) You are right of course. You could connect with another account (if you have one) and still query the other server. Or ask your admin for the info.
You could also mention the domain to us when you send us the email, and we check ourselves.
You can send it to the e-mail address mentioned on my GH profile. PGP key ID is 7B24BC73AFEEFA69A5BDE9C53FAA94B3BD9016D9
It no longer segfaults, but logging in does not work. I am sure I am entering the correct password, but I get "login failed".
Thanks, so the segfault is caused by the changes of 0.13, I'll have a look at that.
The problem seems to be TLS connection related, but I'm not exactly sure yet what happens.
Could you maybe try out libstrophe from this branch https://github.com/strophe/libstrophe/tree/some-fixes ?
This should at least not segfault anymore.
Also you should then be able to set the SSLKEYLOGFILE environment variable, so we could look into the TLS session if required.
Looking at the capture you provided I'm not sure whether we can do anything here.
STARTTLS
STARTTLS is negotiated
Client Hello
the connection is closed from the server side with a Handshake Failure alert
I'd say you have to get in contact with your server administrator to debug this further.
Which software is running on that server? It seems to be only reachable in your private network. Did profanity work with that server before? Did you recently update openssl?
I'm curious on how this evolves :)
Did profanity work with that server before?
Yes, I've been happily using profanity with that server for months (a year?) now.
Did you recently update openssl?
Yes, I updated openssl about a week ago, but downgrading it doesn't seem to help (and broke a lot of other stuff in my system :D)
I'll get in touch with the server admin.
Yes, I updated openssl about a week ago [...]
One wild guess: I've seen stuff failing because openssl became more strict some time ago, you could try to enable the legacy provider [0] and see if it works then.
[...] downgrading it doesn't seem to help (and broke a lot of other stuff in my system :D)
I didn't ask you to downgrade for exactly that reason :D
I'll get in touch with the server admin.
:+1:
[0] https://bbs.archlinux.org/viewtopic.php?pid=2065783#p2065783
One wild guess: I've seen stuff failing because openssl became more strict some time ago, you could try to enable the legacy provider [0] and see if it works then.
I made that change to openssl.cnf, and it no longer seg faults. This is back with the fully up to date libstrophe (from the pacman repos, not the proposed fix that was suggested by sjaeckel) and openssl.
I still can't log in as I used to, but at least profanity no longer crashes.
[...] downgrading it doesn't seem to help (and broke a lot of other stuff in my system :D)
I didn't ask you to downgrade for exactly that reason :D
Yeah, I acted before thinking. Dumb, but all fixed now :)
I'll get in touch with the server admin.
I sent a ticket to the IT team yesterday, and will keep you up to date with their replies.
Thanks for being so energetic here. It's a dream to have software maintainers be so responsive 👍
I made that change to openssl.cnf, and it no longer seg faults. This is back with the fully up to date libstrophe (from the pacman repos, not the proposed fix that was suggested by sjaeckel) and openssl.
Cool, so we know that it has to do with your XMPP server only allowing weak ciphers.
Can you maybe create another wireshark capture? But this time with libstrophe from the some-fixes branch?
The easiest way to do that IMO is building both libstrophe and profanity from source.
# adapt this to where you want to have this built
export DEVDIR=/home/user/foo/profanity
export SSLKEYLOGFILE=$DEVDIR/sslkeylogfile
mkdir -p $DEVDIR/prefix
pushd $DEVDIR
git clone https://github.com/strophe/libstrophe.git -b some-fixes
git clone https://github.com/profanity-im/profanity.git
pushd libstrophe
./bootstrap.sh
PKG_CONFIG_PATH=$DEVDIR/prefix/lib/pkgconfig ./configure --prefix=$DEVDIR/prefix
make -j$(nproc)
make install
popd
pushd profanity
./bootstrap.sh
PKG_CONFIG_PATH=$DEVDIR/prefix/lib/pkgconfig ./configure --prefix=$DEVDIR/prefix
make -j$(nproc)
./profanity -l DEBUG
Please make sure to either not enter your real password when trying to connect or set up a temporary password, as your server only supports PLAIN authentication and that really means that the password is sent in PLAIN text and will show up in the wireshark capture ;)
Then please send over the wireshark capture and the $DEVDIR/sslkeylogfile so I can inspect the encrypted data of the TLS session.
Thanks for being so energetic here. It's a dream to have software maintainers be so responsive 👍
:)
# adapt this to where you want to have this built
export DEVDIR=/home/user/foo/profanity
export SSLKEYLOGFILE=$DEVDIR/sslkeylogfile
mkdir -p $DEVDIR/prefix
pushd $DEVDIR
git clone https://github.com/strophe/libstrophe.git -b some-fixes
git clone https://github.com/profanity-im/profanity.git
pushd libstrophe
./bootstrap.sh
PKG_CONFIG_PATH=$DEVDIR/prefix/lib/pkgconfig ./configure --prefix=$DEVDIR/prefix
make -j$(nproc)
make install
popd
pushd profanity
./bootstrap.sh
PKG_CONFIG_PATH=$DEVDIR/prefix/lib/pkgconfig ./configure --prefix=$DEVDIR/prefix
make -j$(nproc)
./profanity -l DEBUG
Trying this, but I get an error when running bootstrap.sh for profanity.
$ ./bootstrap.sh
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, 'build-aux'.
libtoolize: copying file 'build-aux/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIRS, 'm4'.
libtoolize: copying file 'm4/libtool.m4'
libtoolize: copying file 'm4/ltoptions.m4'
libtoolize: copying file 'm4/ltsugar.m4'
libtoolize: copying file 'm4/ltversion.m4'
libtoolize: copying file 'm4/lt~obsolete.m4'
libtoolize: Consider adding '-I m4' to ACLOCAL_AMFLAGS in Makefile.am.
configure.ac:78: error: possibly undefined macro: AC_MSG_ERROR
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
autoreconf: error: /usr/bin/autoconf failed with exit status: 1
I'm not familiar with autoconf, and so am not sure how to proceed. Apologies. Can you advise?
I'm not familiar with autoconf, and so am not sure how to proceed. Apologies. Can you advise?
You are missing autoconf-archive.
Thanks. I've now sent the requested wireshark capture to @sjaeckel
Apologies for the silence, but I'm still waiting on our IT people to get back to me :(
Cool, so we know that it has to do with your XMPP server only allowing weak ciphers.
FTR: this conclusion was wrong. After iterating a bit more we realized that there was an error while enabling the legacy provider which made OpenSSL stop working and the connection attempt stopped already earlier because the TLS part couldn't be initialized. After fixing that configuration error the connection still stopped at the same point after the STARTTLS where the ClientHello is sent.
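Added example, not part of the thread and not libstrophe or Profanity code: a Python triage of the debug lines posted earlier on this page. It decodes the OpenSSL 3.x error code 0A000410 to show that the failure is a handshake_failure alert received from the peer after `<proceed/>`, which matches the stopping point described in the comment above. Function names are illustrative.

```python
import re

# Debug lines copied from the log posted in this thread.
SAMPLE_LOG = '''\
2024-04-10T15:26:57.668288+02: xmpp: DBG: RECV: <features xmlns="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>GSSAPI</mechanism><mechanism>NTLM</mechanism></mechanisms></features>
2024-04-10T15:26:57.686493+02: conn: DBG: SENT: <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
2024-04-10T15:26:57.802169+02: xmpp: DBG: RECV: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
2024-04-10T15:26:57.953331+02: tls: DBG: error=SSL_ERROR_SSL(1) errno=0 lasterror=0
2024-04-10T15:26:57.953365+02: tls: DBG: error:0A000410:SSL routines::ssl/tls alert handshake failure
2024-04-10T15:26:57.955586+02: conn: DBG: Couldn't start TLS! error -3 tls_error 1
'''

# A few TLS alert descriptions (values from the TLS RFCs).
TLS_ALERTS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}

def decode_openssl3(code_hex):
    """Split an OpenSSL 3.x packed error code into (library, reason, received alert)."""
    code = int(code_hex, 16)
    lib = (code >> 23) & 0xFF   # ERR_LIB_OFFSET / ERR_LIB_MASK
    reason = code & 0x7FFFFF    # ERR_REASON_MASK
    # In the SSL library (20), reason 1000+N reports alert N received from the peer.
    alert = reason - 1000 if lib == 20 and 1000 <= reason <= 1255 else None
    return lib, reason, alert

def triage(log_text):
    """Report how far STARTTLS got and whether the peer ended the TLS handshake."""
    out = {"starttls_sent": False, "proceed": False, "mechanisms": [],
           "peer_alert": None, "stage": "before-starttls"}
    for line in log_text.splitlines():
        if "RECV: <features" in line:
            out["mechanisms"] = re.findall(r"<mechanism>([^<]+)</mechanism>", line)
        elif "SENT: <starttls" in line:
            out["starttls_sent"] = True
            out["stage"] = "starttls-requested"
        elif "RECV: <proceed" in line:
            out["proceed"] = True
            out["stage"] = "tls-handshake"
        m = re.search(r"tls: DBG: error:([0-9A-Fa-f]{8}):", line)
        if m and out["proceed"]:
            alert = decode_openssl3(m.group(1))[2]
            if alert is not None:
                out["peer_alert"] = TLS_ALERTS.get(alert, str(alert))
                out["stage"] = "tls-handshake-rejected-by-peer"
    return out

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The bit layout in `decode_openssl3` is the OpenSSL 3.x packing; codes logged by OpenSSL 1.1.x use a different layout and would need a different decoder.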
@stevemolloy any news?
Sorry for my long silence. IT claims they have only refreshed the certificate, which isn't particularly helpful. Work has been busy recently, so I will try to get back to you with a wireshark capture of a pidgin connection.
I have been a happy profanity user for some time now, but in the last week or so I am unable to use it due to a seg fault after providing the password.
Expected Behavior
Current Behavior
This happens no matter if the password is correct or not.
Log file
Some details removed for privacy reasons.
Environment
I'm using Arch Linux, and Profanity was installed using pacman.