Closed CalmTechie closed 6 months ago
I was only on mobile before and overlooked the error reason <malformed-request/><text>Proposed channel binding type isn't supported.</text>
.
What we know from the logs:
SCRAM-SHA-1-PLUS
and SCRAM-SHA-1
SCRAM-SHA-1-PLUS
first and sends an auth stanza with content is as follows:
$ echo cD10bHMtZXhwb3J0ZXIsLG49ZGVhY29uLHI9NzUzQTc2QkJBNkRGNkZDRkIyOTM5ODJCRkNCMTEwRjA= | base64 -d
p=tls-exporter,,n=deacon,r=753A76BBA6DF6FCFB293982BFCB110F0
The first value is either
n
when the client doesn't support channel binding,
y
when the client supports channel binding but the server didn't announce it,
or p=<channel binding type>
.
TLS up to 1.2 only supports channel binding type 'tls-unique'
TLS from 1.3 on only supports channel binding type 'tls-exporter'
* the TLS connection seems to be TLS 1.3 (indicated by the `tls-exporter` inside the `auth` stanza)
* The server cancels the connection request with the error reason `<malformed-request/><text>Proposed channel binding type isn't supported.</text>`.
* libstrophe falls back to `SCRAM-SHA-1` as expected and sends
$ echo eSwsbj1kZWFjb24scj1EREJFQzdERkIzOUY0NTNBNUQxNENERTJENkZDQTZFOA== | base64 -d y,,n=deacon,r=DDBEC7DFB39F453A5D14CDE2D6FCA6E8
* The server cancels the auth request now without reason, but with a plain `<malformed-request/>`
To me this currently looks more like a misbehaving server announcing support for `SCRAM` even though it's not supported for some reason.
Can you please capture the connection attempt with wireshark and check if it's really TLS 1.3?
Do you have server logs indicating what goes wrong?
Here's server debug logs. It seems that tls 1.3 is in use.
https://dormant.observer/-Xar8pqpuYp
UPD: checked traffic with wireshark: use of tls 1.3 confirmed.
UPD2: tried other clients, like dino or yaxim - auth succedes, with TLS 1.3 as well. Example log: https://dormant.observer/-mbfqZgDzDc
Hmm, server debug logs are not really useful here. It only looks like in the successful example the PLUS
variant was not used.
Can you provide debug logs from dino and yaxim?
Can I somehow test against your server? Can you maybe provide your config?
Can't find how to debug yaxim (server logs tells that it uses plain auth mechanism).
Dino's log quite verbose. Here's raw debug log file:
https://dormant.observer/-TcNcSgeqHx
Regarding server configuration: what do you exactly need? Prosody config file is more or less default. Here it is:
https://dormant.observer/-K49g7nckdA
conf.d doesn't contain any additional tweaks.
Which version of prosody are you running? Is it really 0.11.2 as reported when querying the server version? If yes, can you please update to latest stable and try again?
All the other clients that succeed in your tests don't use and/or support SCRAM-*-PLUS and AFAIK @mdosch runs latest prosody and uses SCRAM-*-PLUS successfully with libstrophe/profanity.
Yep, works with prosody trunk on my server:
2024-03-20T18:08:48.874351+01: xmpp: DBG: handle SCRAM-SHA-1-PLUS (challenge) called for challenge 2024-03-20T18:08:48.927806+01: xmpp: DBG: handle SCRAM-SHA-1-PLUS (challenge) called for success 2024-03-20T18:08:48.927825+01: xmpp: DBG: SASL SCRAM-SHA-1-PLUS auth successful
Can not currently install modern version of prosody. Let's presume it's server malfunction. Thank you for you help.
Feel free to reopen once you could update prosody and this persists.
FYI Currently there's no work around for profanity, besides using an older version of libstrophe.
Initial issue: https://github.com/profanity-im/profanity/issues/1960
At the instance of @sjaeckel (https://github.com/profanity-im/profanity/issues/1960#issuecomment-1999378613), I transfer the issue hither.
Summary:
Logging in to the selfhosted prosody server using profanity (which utilizes libstrophe) causes error. Profanity logs: https://dormant.observer/-W5N6VNrwES
Tried both 0.13.0 and 0.13.1 lib versions.