Projects tigase _server server-core Issues #1111
Can't establish s2s to upload.pouet.ovh (#1111)
Closed
wojciech.kapcia@tigase.net opened 5 years ago

Certificate check result is false, even though SASL EXTERNAL is successful:

[2020-02-03 15:34:04:466] [WARNING ] [  ConnectionOpenThread ] SocketThread.<clinit>()          : 33 socketReadThreads started.
[2020-02-03 15:34:04:475] [WARNING ] [  ConnectionOpenThread ] SocketThread.<clinit>()          : 33 socketWriteThreads started.
[2020-02-03 15:34:04:714] [INFO    ] [       pool-5-thread-1 ] S2SConnManAbstractTest$S2SConnectionHandlerImpl.lambda$processSocketData$0(): Received packet: from=null, to=null, DATA=<features xmlns="http://etherx.jabber.org/streams"><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><dialback xmlns="urn:xmpp:features:dialback"><errors/></dialback></features>, SIZE=232, XMLNS=http://etherx.jabber.org/streams, PRIORITY=NORMAL, PERMISSION=NONE, TYPE=null
[2020-02-03 15:34:04:999] [INFO    ] [       pool-5-thread-2 ] S2SConnManAbstractTest$S2SConnectionHandlerImpl.lambda$processSocketData$0(): Received packet: from=null, to=null, DATA=<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>, SIZE=50, XMLNS=urn:ietf:params:xml:ns:xmpp-tls, PRIORITY=NORMAL, PERMISSION=NONE, TYPE=null
[2020-02-03 15:34:05:005] [INFO    ] [       pool-5-thread-2 ] SSLContextContainer.getHardenedMode(): Using hardened-mode: secure for domain: tigase.im
[2020-02-03 15:34:05:006] [INFO    ] [       pool-5-thread-2 ] SSLContextContainer.getHardenedMode(): Using hardened-mode: secure for domain: tigase.im
[2020-02-03 15:34:06:434] [INFO    ] [       pool-5-thread-6 ] S2SConnManAbstractTest$S2SConnectionHandlerImpl.lambda$processSocketData$0(): Received packet: from=null, to=null, DATA=<features xmlns="http://etherx.jabber.org/streams"><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>EXTERNAL</mechanism></mechanisms><dialback xmlns="urn:xmpp:features:dialback"><errors/></dialback></features>, SIZE=224, XMLNS=http://etherx.jabber.org/streams, PRIORITY=NORMAL, PERMISSION=NONE, TYPE=null
[2020-02-03 15:34:06:692] [INFO    ] [       pool-5-thread-7 ] S2SConnManAbstractTest$S2SConnectionHandlerImpl.lambda$processSocketData$0(): Received packet: from=null, to=null, DATA=<success xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>, SIZE=51, XMLNS=urn:ietf:params:xml:ns:xmpp-sasl, PRIORITY=NORMAL, PERMISSION=NONE, TYPE=null
[2020-02-03 15:34:06:946] [INFO    ] [       pool-5-thread-8 ] S2SConnManAbstractTest$S2SConnectionHandlerImpl.lambda$processSocketData$0(): Received packet: from=null, to=null, DATA=<features xmlns="http://etherx.jabber.org/streams"><c xmlns="http://jabber.org/protocol/caps" ver="WizMZkeB8Y/u9gndbsnZpeXXLvY=" hash="sha-1" node="http://www.process-one.net/en/ejabberd/"/><dialback xmlns="urn:xmpp:features:dialback"><errors/></dialback></features>, SIZE=266, XMLNS=http://etherx.jabber.org/streams, PRIORITY=NORMAL, PERMISSION=NONE, TYPE=null
[2020-02-03 15:34:12:031] [INFO    ] [                  main ] S2SConnManAbstractTest.testConnectionForCID(): tigase.im@upload.pouet.ovh: isConnected(): true
[2020-02-03 15:34:12:032] [INFO    ] [                  main ] S2SConnManAbstractTest.testConnectionForCID(): tigase.im@upload.pouet.ovh: isAuthenticated(): true
[2020-02-03 15:34:12:032] [INFO    ] [                  main ] S2SConnManAbstractTest.testConnectionForCID(): tigase.im@upload.pouet.ovh: getSessionData().get(CERT_CHECK_RESULT): invalid

upload.pouet.ovh has correct certificate:

wojtek@atlantiscity.local ~/ $ openssl s_client -connect pouet.ovh:5269 -xmpphost upload.pouet.ovh < /dev/null -starttls xmpp-server | openssl x509 -noout -dates
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = pouet.ovh
verify return:1
DONE
notBefore=Mar 10 20:52:04 2020 GMT
notAfter=Jun  8 20:52:04 2020 GMT
wojciech.kapcia@tigase.net commented 5 years ago

While certificate is correct, it doesn't match domain hence it's marked as invalid. We shouldn't even start trying to establish SASL-EXTERNAL in this case as the return connection will surely fail.

wojciech.kapcia@tigase.net commented 5 years ago

I was pondering it a little bit more and I think that with #issue #1112 and #issue #1132 we could actually stick with && with the assumption that it would still be possible to establish and authenticate connection in one way using SASL-EXTERNAL and other way around using dialback.

Without those two tickets sasl-external should not be advertised.

issue 1 of 1
Type
Bug
Priority
Normal
Assignee
Version
tigase-server-8.1.0, tigase-server-8.0.1
Spent time
1h 30m
Issue Votes (0)
Watchers (0)
Reference
tigase/_server/server-core#1111
Please wait...
Page is in error, reload to recover