Projects tigase _server server-core Issues #1143
S2S connectivity issue with OpenFire when SASL external is used (#1143)
Andrzej Wójcik (Tigase) opened 5 years ago

It is not possible to establish XMPP S2S connection between tigase.org and igniterealtime.org.

Andrzej Wójcik (Tigase) commented 5 years ago

Initial analysis lead me to the point when Tigase closes connection upon receiving

<challenge xmlns="urn:ietf:params:xml:ns:xmpp-sasl">=</challenge>

on sent

<auth mechanism="EXTERNAL" xmlns="urn:ietf:params:xml:ns:xmpp-sasl">=</auth>

From that, it was obvious that Tigase was not expecting <challenge/> element as it is "not used" in SASL external. As I've looked into OpenFire code, I've found out that <challenge/> is sent only when SASL external <auth/> element cdata does not match Base64 encoded domain of the sender of <auth/> request. From what I've found out in XEP-0178 and RFC related to XMPP, <auth/> stanza should only be sent with no data (=) when we are authenticating C2S connection and for S2S connection, it should always be Base64 encoded domain of the sender.

I've modified Tigase to send <auth/> element with proper cdata and left Tigase code for handling incoming <auth/> requests unchanged as Tigase verifies SSL certificate against sender domain, so not checking content of <auth/> element will do no harm (will not authenticate anything which should not be authenticated) but will maintain compatibility with older versions of Tigase which had this issue in the S2S code.

wojciech.kapcia@tigase.net commented 5 years ago

As we discussed in chat, specification may change:

"however a future version of this specification might disallow use of the authorization identity in server-to-server authentication"

And it was decided to add sending identity based on parameter (so in the future it would be possible to disable it without having to update Tigase):

@ConfigField(desc = "Enable compatibility with legacy servers", alias = "legacy-compat")
private boolean legacyCompat = true;
issue 1 of 1
Type
Bug
Priority
Normal
Assignee
Version
tigase-server-8.1.0
Spent time
3h
Issue Votes (0)
Watchers (0)
Reference
tigase/_server/server-core#1143
Please wait...
Page is in error, reload to recover