Closed Bug 1267410 Opened 4 years ago Closed 4 years ago
XMPP connection problem when using SASL DIGEST-MD5 authentication
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:44.0) Gecko/20100101 Firefox/44.0.3 Waterfox/44.0.3
Build ID: 20160218160818

Steps to reproduce:

I'm trying to connect Thunderbird version 45.0 to an Openfire server via an XMPP account, but it generates the XMPP error "Not authorized (You entered the wrong password?)". I'm sure of the password, given that the XMPP client SPARK works perfectly. I tested the old version, 38.7.2, and it also ran without problems. So I believe it is a bug.

Actual results:

It generates the XMPP error "Not authorized (You entered the wrong password?)". The password is correct. Detailed error log (attachment):

<failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
  <not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>
</failure>

Expected results:

I am expecting a successful connection with the XMPP server.
Luciano, thanks for filing this bug! Any chance you can get a debug log from 38.7.2 as well?
Patrick, this is the log of an OK connection in Thunderbird_version_38-7-2 with the XMPP server (Openfire). Thanks, Luciano.
Plaintext version of the second attachment.
Attachment #8745080 - Attachment is obsolete: true
So something changed that caused us to use DIGEST-MD5 instead of PLAIN to connect. I don't know the XMPP code super well, so let's see if someone else has an idea...
(In reply to Patrick Cloke [:clokep] from comment #4)
> So something changed that caused us to use DIGEST-MD5 instead of PLAIN to
> connect. I don't know the XMPP code super well, so let's see if someone else
> has an idea...
Yes, that was an intentional change. Looks like there might be a bug in our DIGEST-MD5 though :-( A public xmpp server that supports SASL digest-md5 auth would be useful to try to reproduce this. Anyone know of one?
Just found this RFC that marks SASL DIGEST-MD5 as obsolete: https://tools.ietf.org/html/rfc6331 "While it can be argued that it is an improvement over CRAM-MD5, many implementors commented that the additional complexity of DIGEST-MD5 makes it difficult to implement fully and securely." The only other SASL authmech we support currently in XMPP is PLAIN, which does not provide any security layer.
Component: Instant Messaging → XMPP
Product: Thunderbird → Chat Core
Summary: Error "not-authorized" in Thunderbird 45.0 with server XMPP → XMPP connection problem when using SASL DIGEST-MD5 authentication
Version: 45 Branch → 45
For reference, the server in the debug log advertises PLAIN, SCRAM-SHA-1, CRAM-MD5, DIGEST-MD5. The XMPP wiki also suggests: "At the time of this writing this tutorial is more than ten years old. Don't implement this anymore. DIGEST-MD5 has been declared obsolete by the IETF. Please consider implementing SCRAM instead." http://wiki.xmpp.org/web/SASLandDIGEST-MD5 So my suggestion would be that we should do this in any case.
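The mechanism list quoted above, run through one possible client-side selection policy: prefer SCRAM-SHA-1, allow PLAIN only on an encrypted stream, and never pick the obsolete DIGEST-MD5. This is an added example, not Chat Core code or part of any comment; the function names, the preference order and the sample stanza are assumptions constructed for illustration.

```javascript
// Added example; parseMechanisms/selectMechanism are hypothetical names.

// Mechanisms this hypothetical client implements, strongest first.
const PREFERENCE = ["SCRAM-SHA-1", "PLAIN"];
// Obsoleted by RFC 6331; reported when advertised, never selected.
const OBSOLETE = new Set(["DIGEST-MD5"]);

// Constructed stream features, using the four mechanisms named in the comment.
const SAMPLE_FEATURES = `
<stream:features>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
    <mechanism>SCRAM-SHA-1</mechanism>
    <mechanism>CRAM-MD5</mechanism>
    <mechanism>DIGEST-MD5</mechanism>
  </mechanisms>
</stream:features>`;

// Extract mechanism names; SASL names are 1-20 chars of A-Z, 0-9, "-" and "_".
function parseMechanisms(featuresXml) {
  const names = [];
  const re = /<mechanism>\s*([A-Za-z0-9_-]{1,20})\s*<\/mechanism>/g;
  let m;
  while ((m = re.exec(featuresXml)) !== null) {
    names.push(m[1].toUpperCase());
  }
  return names;
}

// Return the chosen mechanism, or null plus the reason nothing was usable.
function selectMechanism(advertised, { encrypted }) {
  const offered = new Set(advertised);
  for (const mech of PREFERENCE) {
    if (!offered.has(mech)) continue;
    // PLAIN sends the password itself, so it needs an encrypted stream.
    if (mech === "PLAIN" && !encrypted) continue;
    return { mechanism: mech, skipped: [] };
  }
  const skipped = advertised.filter((name) => OBSOLETE.has(name));
  const reason = offered.has("PLAIN") && !encrypted
    ? "PLAIN refused on an unencrypted stream"
    : "no supported mechanism advertised";
  return { mechanism: null, reason, skipped };
}
```
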
Meanwhile, should we back out bug 1193494 for the next 45 point release?
Further info on DIGEST-MD5: "Those of you who ever tried to actually implement the DIGEST-MD5 SASL mechanism for authentication know that it suffers from quite a few problems, including but not limited to a variety of different implementations with a variable level of compliance to the DIGEST-MD5 RFC 2831. These interoperability problems make it quite hard to get a new implementation working with most of the already existing implementations." http://ayena.de/blog/scram-digest-md5/
(In reply to aleth [:aleth] from comment #8)
> Meanwhile, should we back out bug 1193494 for the next 45 point release?
After looking at that patch again, since PLAIN was only used with encrypted connections even before the patch, it's safe to back out and I did so in the hope of making 45.1.
(In reply to aleth [:aleth] from comment #10)
> (In reply to aleth [:aleth] from comment #8)
> > Meanwhile, should we back out bug 1193494 for the next 45 point release?
> After looking at that patch again, since PLAIN was only used with encrypted
> connections even before the patch, it's safe to back out and I did so in the
> hope of making 45.1.
That makes sense then. Is there anything we should do or can we close this due to the backout?
(In reply to Patrick Cloke [:clokep] from comment #11)
> That makes sense then. Is there anything we should do or can we close this
> due to the backout?
Filed Bug 1267649 to provide an alternative to the obsoleted DIGEST-MD5.
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → Instantbird 49
For TB 45, this was backed out in bug 1268081.
According to previous comments here, we are about to land the SASL SCRAM authentication mechanism (bug 1267649). Luciano, could you provide us with a public XMPP server (Openfire) to make sure that mechanism is working with it, or test the patch there? Thanks.
OK Abelrhman Ahmed, after updating Thunderbird, I can usually connect to my XMPP server. You can close the bug / ticket # 1267410. The only question, which may be user error, is that I have difficulty writing / answering messages I receive. I can just read but cannot write, or start a new conversation... I have no public XMPP server, I just use ours in a local / private network. Thank you so much, Luciano