XMPP connection problem when using SASL DIGEST-MD5 authentication

RESOLVED FIXED in Instantbird 49

Status

defect
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: lboni2, Unassigned, NeedInfo)

Tracking

({regression})

Instantbird 49
x86_64
Windows 7

Attachments

(2 attachments, 1 obsolete attachment)

Reporter

Description

3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:44.0) Gecko/20100101 Firefox/44.0.3 Waterfox/44.0.3
Build ID: 20160218160818

Steps to reproduce:

I'm trying to connect Thunderbird version 45.0 to an Openfire server via an XMPP account, but it generates the XMPP error "Not authorized (You entered the wrong password?)". I'm sure of the password, since the XMPP client Spark works perfectly. I tested the old version, 38.7.2, and it also ran without problems. So I believe it is a bug.


Actual results:

It generates the XMPP error "Not authorized (You entered the wrong password?)". The password is correct. Detailed error log (attachment):

<failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
<not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>
</failure>
 


Expected results:

I expect a successful connection to the XMPP server.

Luciano, thanks for filing this bug! Any chance you can get a debug log from 38.7.2 as well?
Reporter

Updated

3 years ago
OS: Unspecified → Windows 7
Hardware: Unspecified → x86_64
Reporter

Comment 2

3 years ago
Patrick, this is the log of a connection that is OK in Thunderbird_version_38-7-2 with the XMPP server (Openfire). Thanks, Luciano.

Plaintext version of the second attachment.
Attachment #8745080 - Attachment is obsolete: true

So something changed that caused us to use DIGEST-MD5 instead of PLAIN to connect. I don't know the XMPP code super well, so let's see if someone else has an idea...
Flags: needinfo?(aleth)
Flags: needinfo?(ab)

Comment 5

3 years ago
(In reply to Patrick Cloke [:clokep] from comment #4)
> So something changed that caused us to use DIGEST-MD5 instead of PLAIN to
> connect. I don't know the XMPP code super well, so let's see if someone else
> has an idea...

Yes, that was an intentional change. Looks like there might be a bug in our DIGEST-MD5 though :-(

A public xmpp server that supports SASL digest-md5 auth would be useful to try to reproduce this. Anyone know of one?
Flags: needinfo?(aleth)

Comment 6

3 years ago
Just found this RFC that marks SASL DIGEST-MD5 as obsolete: https://tools.ietf.org/html/rfc6331
"  While it can be argued that it is an improvement over CRAM-MD5, many
   implementors commented that the additional complexity of DIGEST-MD5
   makes it difficult to implement fully and securely."

The only other SASL authmech we support currently in XMPP is PLAIN, which does not provide any security layer.

Updated

3 years ago
Component: Instant Messaging → XMPP
Product: Thunderbird → Chat Core
Summary: Error "not-authorized" in Thunderbird 45.0 with server XMPP → XMPP connection problem when using SASL DIGEST-MD5 authentication
Version: 45 Branch → 45

Comment 7

3 years ago
For reference, the server in the debug log advertises PLAIN, SCRAM-SHA-1, CRAM-MD5, DIGEST-MD5.

The XMPP wiki also suggests: "At the time of this writing this tutorial is more than ten years old. Don't implement this anymore. DIGEST-MD5 has been declared obsolete by the IETF. Please consider implementing SCRAM instead." http://wiki.xmpp.org/web/SASLandDIGEST-MD5

So my suggestion would be that we should do this in any case.
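
Added example, not part of the bug thread and not Chat Core code: the client side of SCRAM-SHA-1 (RFC 5802), the mechanism comment 7 recommends and that the server in the log advertises. It shows that only a proof derived from the password is sent and that the client checks the server's signature in return. Function names are hypothetical; the sample exchange is the test vector from RFC 5802 section 5.

```javascript
// Added example: SCRAM-SHA-1 client side per RFC 5802, Node.js stdlib only.
// Assumes an ASCII password (SASLprep normalization is not implemented here).
const crypto = require("node:crypto");

const hmac = (key, data) => crypto.createHmac("sha1", key).update(data).digest();
const sha1 = (data) => crypto.createHash("sha1").update(data).digest();
const xor = (a, b) => Buffer.from(Array.from(a, (byte, i) => byte ^ b[i]));

// Parse a "k=v,k=v" attribute list; values may themselves contain "=".
function parseAttrs(msg) {
  const out = {};
  for (const part of msg.split(",")) out[part[0]] = part.slice(2);
  return out;
}

// Build client-final-message and the server-final-message we expect back.
function scramClientFinal(password, clientFirstBare, serverFirst, clientNonce) {
  const { r: nonce, s: salt, i: iterations } = parseAttrs(serverFirst);
  // The combined nonce must extend ours, or the reply is not for this exchange.
  if (!nonce || !nonce.startsWith(clientNonce) || nonce.length === clientNonce.length)
    throw new Error("server nonce does not extend client nonce");
  const iter = Number(iterations);
  if (!Number.isInteger(iter) || iter < 1) throw new Error("bad iteration count");

  const salted = crypto.pbkdf2Sync(password, Buffer.from(salt, "base64"), iter, 20, "sha1");
  const clientKey = hmac(salted, "Client Key");
  const storedKey = sha1(clientKey);
  // "c=biws" is base64("n,,"): no channel binding, no authorization identity.
  const withoutProof = `c=biws,r=${nonce}`;
  const authMessage = `${clientFirstBare},${serverFirst},${withoutProof}`;
  const proof = xor(clientKey, hmac(storedKey, authMessage));
  const serverSignature = hmac(hmac(salted, "Server Key"), authMessage);
  return {
    clientFinal: `${withoutProof},p=${proof.toString("base64")}`,
    expectedServerFinal: `v=${serverSignature.toString("base64")}`,
  };
}

// Compare server-final-message in constant time to authenticate the server.
function serverIsAuthentic(serverFinal, expected) {
  const a = Buffer.from(serverFinal), b = Buffer.from(expected);
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Exchange from RFC 5802 section 5 (user "user", password "pencil").
const CLIENT_NONCE = "fyko+d2lbbFgONRv9qkxdawL";
const CLIENT_FIRST_BARE = `n=user,r=${CLIENT_NONCE}`;
const SERVER_FIRST = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096";
const result = scramClientFinal("pencil", CLIENT_FIRST_BARE, SERVER_FIRST, CLIENT_NONCE);
```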

Updated

3 years ago
Blocks: 1193494
Keywords: regression

Comment 8

3 years ago
Meanwhile, should we back out bug 1193494 for the next 45 point release?
Flags: needinfo?(clokep)

Comment 9

3 years ago
Further info on DIGEST-MD5:
"Those of you who ever tried to actually implement the DIGEST-MD5 SASL mechanism for authentication know that it suffers from quite a few problems, including but not limited to a variety of different implementations with a variable level of compliance to the DIGEST-MD5 RFC 2831. These interoperability problems make it quite hard to get a new implementation working with most of the already existing implementations." 
http://ayena.de/blog/scram-digest-md5/

Comment 10

3 years ago
(In reply to aleth [:aleth] from comment #8)
> Meanwhile, should we back out bug 1193494 for the next 45 point release?
After looking at that patch again, since PLAIN was only used with encrypted connections even before the patch, it's safe to back out and I did so in the hope of making 45.1.

(In reply to aleth [:aleth] from comment #10)
> (In reply to aleth [:aleth] from comment #8)
> > Meanwhile, should we back out bug 1193494 for the next 45 point release?
> After looking at that patch again, since PLAIN was only used with encrypted
> connections even before the patch, it's safe to back out and I did so in the
> hope of making 45.1.

That makes sense then. Is there anything we should do or can we close this due to the backout?
Flags: needinfo?(clokep)

Comment 12

3 years ago
(In reply to Patrick Cloke [:clokep] from comment #11)
> That makes sense then. Is there anything we should do or can we close this
> due to the backout?

Filed Bug 1267649 to provide an alternative to the obsoleted DIGEST-MD5.
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(ab)
Resolution: --- → FIXED
Target Milestone: --- → Instantbird 49

Updated

3 years ago
Blocks: 1268081
For TB 45, this was backed out in bug 1268081.

According to previous comments here, we are about to land the SASL SCRAM authentication mechanism (bug 1267649).

Luciano, could you provide us with a public XMPP server (Openfire) to make sure that mechanism is working with it, or test the patch there?
Thanks.
Flags: needinfo?(lboni2)
Reporter

Comment 15

3 years ago
OK Abelrhman Ahmed, after updating Thunderbird, I can usually connect to my XMPP server. You can close the bug / ticket #1267410.

The only question, which may be user error, is that I have difficulty writing / answering messages I receive. I can just read but cannot write or start a new conversation...

I have no public XMPP server; I just use ours in a local / private network.

Thank you so much,
Luciano