NPE in sasl-external (#1099)
wojciech.kapcia@tigase.net opened 5 years ago
Due Date: 2020-01-17
[2020-01-11 06:16:29:086] [FINEST  ] [      pool-38-thread-7 ] XMPPIOService.processSocketData(): CID: null, null, type: accept, Socket: TLS: nullSocket[addr=/217.77.56.242,port=60931,localport=5269], jid: null, READ:[auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='EXTERNAL']amFiYmVyLnNhbXBvLnJ1[/auth]
…
[2020-01-11 06:16:29:098] [FINEST  ] [      pool-38-thread-7 ] XMPPIOService.moveParsedPacketsToReceived(): CID: null, null, type: accept, Socket: TLS: nullSocket[addr=/217.77.56.242,port=60931,localport=5269], jid: null, Read packet: [auth mechanism="EXTERNAL" xmlns="urn:ietf:params:xml:ns:xmpp-sasl"]amFiYmVyLnNhbXBvLnJ1[/auth]
…
[2020-01-11 06:16:29:098] [FINEST  ] [      pool-38-thread-7 ] SaslExternal.process()           : CID: null, null, type: accept, Socket: TLS: nullSocket[addr=/217.77.56.242,port=60931,localport=5269], jid: null, Received auth request: from=null, to=null, DATA=[auth mechanism="EXTERNAL" xmlns="urn:ietf:params:xml:ns:xmpp-sasl"]amFiYmVyLnNhbXBvLnJ1[/auth], SIZE=95, XMLNS=urn:ietf:params:xml:ns:xmpp-sasl, PRIORITY=NORMAL, PERMISSION=NONE, TYPE=null
…
[2020-01-11 06:16:29:098] [WARNING ] [      pool-38-thread-7 ] SaslExternal.process()           : Error.
java.lang.NullPointerException
	at tigase.server.xmppserver.proc.SaslExternal.processAuth(SaslExternal.java:206)
	at tigase.server.xmppserver.proc.SaslExternal.process(SaslExternal.java:122)
	at tigase.server.xmppserver.S2SConnectionManager.processSocketData(S2SConnectionManager.java:283)
	at tigase.server.xmppserver.S2SConnectionManager.processSocketData(S2SConnectionManager.java:50)
	at tigase.server.ConnectionManager.packetsReady(ConnectionManager.java:347)
	at tigase.server.ConnectionManager.packetsReady(ConnectionManager.java:61)
	at tigase.net.IOService.call(IOService.java:197)
	at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:146)
	at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:51)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:835)
wojciech.kapcia@tigase.net commented 5 years ago

I backtracked it from a different connection:

[2020-01-13 04:46:26:185] [FINEST  ] [  ConnectionOpenThread ] S2SConnectionManager.serviceStarted(): s2s connection opened: CID: null, null, type: accept, Socket: nullSocket[addr=/217.77.56.242,port=51671,localport=5269], jid: null
…
[2020-01-13 04:46:27:922] [FINEST  ] [      pool-38-thread-3 ] XMPPIOService.processSocketData(): CID: null, null, type: accept, Socket: nullSocket[addr=/217.77.56.242,port=51671,localport=5269], jid: null, READ:<?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:server' xmlns:db='jabber:server:dialback' to='tigase.net' version='1.0'>
…
[2020-01-13 04:46:27:927] [FINER   ] [      pool-38-thread-3 ] S2SConnectionManager.xmppStreamOpened(): CID: null, null, type: accept, Socket: nullSocket[addr=/217.77.56.242,port=51671,localport=5269], jid: null, Stream opened: {xmlns:stream=http://etherx.jabber.org/streams, xmlns=jabber:server, to=tigase.net, version=1.0, xmlns:db=jabber:server:dialback}

Basically, the other party never sends 'from' and chooses to use sasl-external (which is just plain wrong... and can't work under any circumstances as we can't verify the certificate against the).

I fixed the problem by:

Server2 advertises SASL mechanisms. If the 'from' attribute of the stream header sent by Server1 can be matched against one of the identifiers provided in the certificate following the matching rules from RFC 6125, Server2 SHOULD advertise the SASL EXTERNAL mechanism. If no match is found, Server2 MAY either close Server1's TCP connection or continue with a Server Dialback (XEP-0220) [8] negotiation.

While working on this issue I also ran into another problem - even after authenticating the connection we were still advertising SASL-EXTERNAL and some servers (M-Link on jabber.org) were falling into an authentication loop.

I think it's finally working quite well.
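The XEP-0178 rule quoted above, applied to the two failure modes in this thread (a missing stream 'from' that made SASL EXTERNAL unverifiable, and EXTERNAL still being offered after authentication), as an added example in Python; this is not Tigase's code, and the S2SSession class, the (type, value) certificate identifier list and the requirement that a supplied authzid equal the stream 'from' are assumptions made for the illustration.

```python
import base64
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

@dataclass
class S2SSession:
    """Constructed stand-in for one inbound s2s connection (not Tigase's own class)."""
    stream_from: Optional[str]           # 'from' of the remote stream header; None if omitted
    cert_ids: Sequence[Tuple[str, str]]  # (type, value) identifiers from the peer certificate
    authenticated: bool = False

def _dns_id_matches(pattern: str, domain: str) -> bool:
    """RFC 6125 6.4.3: a wildcard is honoured only as the whole left-most label."""
    p, d = pattern.lower().split("."), domain.lower().split(".")
    if p[0] == "*":
        return len(p) == len(d) and p[1:] == d[1:]
    return "*" not in pattern and p == d

def from_matches_certificate(stream_from: Optional[str], cert_ids) -> bool:
    """XEP-0178 s2s rule: the stream 'from' must match a certificate identifier."""
    if not stream_from:                  # no 'from' at all -> nothing to match against
        return False
    want = stream_from.lower()
    for kind, value in cert_ids:
        if kind == "dNSName" and _dns_id_matches(value, want):
            return True
        if kind == "xmppAddr" and value.lower() == want:
            return True
        if kind == "SRV-ID" and value.lower() == "_xmpp-server." + want:
            return True
    return False

def advertised_mechanisms(session: S2SSession) -> Tuple[str, ...]:
    """Mechanisms for <stream:features>: offer EXTERNAL only when it can actually succeed."""
    if session.authenticated:            # re-offering EXTERNAL after auth made some peers loop
        return ()
    if from_matches_certificate(session.stream_from, session.cert_ids):
        return ("EXTERNAL",)
    return ()                            # leave the peer to Server Dialback (XEP-0220)

def process_external_auth(session: S2SSession, auth_payload_b64: str) -> str:
    """Handle <auth mechanism='EXTERNAL'>; returns 'success' or 'failure', never throws."""
    authzid = base64.b64decode(auth_payload_b64).decode("utf-8") if auth_payload_b64 else ""
    if session.stream_from is None:      # the NPE case from the report: no 'from' to verify
        return "failure"
    if authzid and authzid.lower() != session.stream_from.lower():
        return "failure"                 # authzid must agree with the stream 'from' (assumed)
    if not from_matches_certificate(session.stream_from, session.cert_ids):
        return "failure"
    session.authenticated = True
    return "success"
```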

wojciech.kapcia@tigase.net commented 5 years ago

If anyone (@kobit, @andrzej.wojcik, @bmalkow) still experiences problems with s2s to other servers, please do let me know which domains.

Referenced from commit 1 year ago
Issue #1099 - see-other-host redirection on USER_LOGIN command
fix xmlns and type for BOSH stream:error
add new configuration option for see-other-host: (c2s|bosh|ws2c)/cm-see-other-host/active=(OPEN|LOGIN|OTHER) denoting in which phase redirects should be active with default value set to OPEN
Wojciech Kapcia committed 1 decade ago
Type: Task
Priority: Normal
Assignee:
Spent time: 6h 15m
Reference: tigase/_server/server-core#1099