Tigase Forge
Dashboards
Projects
Global Views
Code Search
server-core
Code
Pull Requests
Issues
List
Boards
Iterations
Builds
Packages
Statistics
Child Projects
OneDev 11.9.3
Documentation Support & Bug Report RESTful API Incompatibilities License Agreement Check Update
Projects tigase _server server-core Issues #1099
NPE in sasl-external (#1099)
Wojciech Kapcia (Tigase) opened 5 years ago
Due Date
2020-01-17
 
[2020-01-11 06:16:29:086] [FINEST  ] [      pool-38-thread-7 ] XMPPIOService.processSocketData(): CID: null, null, type: accept, Socket: TLS: nullSocket[addr=/217.77.56.242,port=60931,localport=5269], jid: null, READ:[auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='EXTERNAL']amFiYmVyLnNhbXBvLnJ1[/auth]
…
[2020-01-11 06:16:29:098] [FINEST  ] [      pool-38-thread-7 ] XMPPIOService.moveParsedPacketsToReceived(): CID: null, null, type: accept, Socket: TLS: nullSocket[addr=/217.77.56.242,port=60931,localport=5269], jid: null, Read packet: [auth mechanism="EXTERNAL" xmlns="urn:ietf:params:xml:ns:xmpp-sasl"]amFiYmVyLnNhbXBvLnJ1[/auth]
…
[2020-01-11 06:16:29:098] [FINEST  ] [      pool-38-thread-7 ] SaslExternal.process()           : CID: null, null, type: accept, Socket: TLS: nullSocket[addr=/217.77.56.242,port=60931,localport=5269], jid: null, Received auth request: from=null, to=null, DATA=[auth mechanism="EXTERNAL" xmlns="urn:ietf:params:xml:ns:xmpp-sasl"]amFiYmVyLnNhbXBvLnJ1[/auth], SIZE=95, XMLNS=urn:ietf:params:xml:ns:xmpp-sasl, PRIORITY=NORMAL, PERMISSION=NONE, TYPE=null
…
[2020-01-11 06:16:29:098] [WARNING ] [      pool-38-thread-7 ] SaslExternal.process()           : Error.
java.lang.NullPointerException
	at tigase.server.xmppserver.proc.SaslExternal.processAuth(SaslExternal.java:206)
	at tigase.server.xmppserver.proc.SaslExternal.process(SaslExternal.java:122)
	at tigase.server.xmppserver.S2SConnectionManager.processSocketData(S2SConnectionManager.java:283)
	at tigase.server.xmppserver.S2SConnectionManager.processSocketData(S2SConnectionManager.java:50)
	at tigase.server.ConnectionManager.packetsReady(ConnectionManager.java:347)
	at tigase.server.ConnectionManager.packetsReady(ConnectionManager.java:61)
	at tigase.net.IOService.call(IOService.java:197)
	at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:146)
	at tigase.xmpp.XMPPIOService.call(XMPPIOService.java:51)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
	at java.base/java.lang.Thread.run(Thread.java:835)
  • Wojciech Kapcia (Tigase) commented 5 years ago

    I backtracked it from different connection:

    [2020-01-13 04:46:26:185] [FINEST  ] [  ConnectionOpenThread ] S2SConnectionManager.serviceStarted(): s2s connection opened: CID: null, null, type: accept, Socket: nullSocket[addr=/217.77.56.242,port=51671,localport=5269], jid: null
…
[2020-01-13 04:46:27:922] [FINEST  ] [      pool-38-thread-3 ] XMPPIOService.processSocketData(): CID: null, null, type: accept, Socket: nullSocket[addr=/217.77.56.242,port=51671,localport=5269], jid: null, READ:<?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:server' xmlns:db='jabber:server:dialback' to='tigase.net' version='1.0'>
…
[2020-01-13 04:46:27:927] [FINER   ] [      pool-38-thread-3 ] S2SConnectionManager.xmppStreamOpened(): CID: null, null, type: accept, Socket: nullSocket[addr=/217.77.56.242,port=51671,localport=5269], jid: null, Stream opened: {xmlns:stream=http://etherx.jabber.org/streams, xmlns=jabber:server, to=tigase.net, version=1.0, xmlns:db=jabber:server:dialback}

    Basically, the other party never sends from and chooses to use sasl-external (which is just plain wrong... and can't work under no circumstances as we can't verify the certificate against the).

    I fixed the problem by:

    Server2 advertises SASL mechanisms. If the 'from' attribute of the stream header sent by Server1 can be matched against one of the identifiers provided in the certificate following the matching rules from RFC 6125, Server2 SHOULD advertise the SASL EXTERNAL mechanism. If no match is found, Server2 MAY either close Server1's TCP connection or continue with a Server Dialback (XEP-0220) [8] negotiation.

    While working on this issue I also ran into other problem - even after authenticating the connection we were still advertising SASL-EXTERNAL and some servers (M-Link on jabber.org) were falling into authentication loop.

    I think it's finally working quite well.

  • Wojciech Kapcia (Tigase) commented 5 years ago

    If anyone ( @kobit , @andrzej.wojcik , @bmalkow ) still experience problems with s2s to other servers please do let me know which domains.

issue 1 of 1
Type
Task
Priority
Normal
Assignee
Wojciech Kapcia (Tigase)
Spent time
0
Issue Votes (0)
Login to vote
Watchers (0)
Reference
tigase/_server/server-core#1099
Please wait...
Page is in error, reload to recover