
--hardened-mode causing problems [solved]

Simon Tennant
Added almost 5 years ago

We were unable to get c2s connections working when using --hardened-mode.

removing XMPPServer.isHardenedModeEnabled() on line 885 in VHostItem.java

We think that Tigase thinks that the session is not encrypted since DefaultMechanismSelector.java is not matching any SASL mechanism.

This is also after using the latest java from Oracle and the security tweak. No matter what we used, we'd never receive any valid SASL mechanisms.

Obviously this is not ideal. We'd really like to be able to use TLS on 5222.

(server is si.buddycloud.com / domain is alps.buddycloud.com)


Replies (18)


Added by Artur Hefczyc TigaseTeam almost 5 years ago

Hi,

Thank you for reporting this. We will look at it and get back to you as soon as possible.

Added by Steffen Larsen almost 5 years ago

Hi Simon,

Sorry for interrupting, but wasn't your problem only for components connecting to your server?

So having an external component like yours: --external = channels.buddycloud.net:tellnoone:listen:5270,media.buddycloud.net:tellnoone

breaks, but normal clients connecting to your server works?

Because my new 5.2.0RC2 server works fine with --hardened-mode with "normal" c2s connections. Also my MUC and REST components work.

-Cheers!

/Steffen

Added by Abmar Barros almost 5 years ago

Hi Steffen,

thanks for your input here :)

Components are connecting fine. The problem indeed happens with c2s connections.

The strange thing about this is that I run a hardened tigase instance inside my local machine with same configuration and everything runs smoothly.

And yeah, I'm running the 5.2.0RC2 version too.

Cheers!

abmargb

Added by Steffen Larsen almost 5 years ago

Hi Abmar! :-)

No problem just trying to help out.

My conf. looks quite like yours except for a lot of the sm-plugins. ;-)

So either it's in your wildcard certificate or the sm-plugin that confuses the client. Or it might be that the docker instance is doing something funny. I would personally try to take the exact same conf. and deploy it on a normal (non-virtual) machine first and see if that works.

It could be some port that is blocked by the VM or other stuff.. can you see that the client is trying to connect to the server? Have you tried to do nc etc.?

If it still does not work, try to cut down on some of the sm-plugins. haha ;-)

-Cheers and good luck. You are more than welcome to add me to your roster.

/Steffen


Added by Bartosz Malkowski TigaseTeam almost 5 years ago

Problem with incorrectly selecting SASL mechanisms is fixed already. Tigase 5.2.0 RC2 contains the fix.

Added by Steffen Larsen almost 5 years ago

Without being 100% sure, I am convinced that Simon's team is running on the latest and greatest Tigase release (5.2.0RC2).

/Steffen


Added by Bartosz Malkowski TigaseTeam almost 5 years ago

Simon!

Please check exactly what version you have.

Please tell me what protocol you use to connect to the server (BOSH/socket).

Please tell me exactly what the server sends in stream features.

Added by Abmar Barros almost 5 years ago

Hi Bartosz, thanks for your reply.

We're running the latest 5.2.0RC2.

We're using sockets.

This is what we get from the server:

<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <ver xmlns="urn:xmpp:features:rosterver"/>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>
  <register xmlns="http://jabber.org/features/iq-register"/>
</stream:features>

And Steffen, thanks again. It's not a connectivity issue, since I can connect to it when it's not hardened. I'm trying to tweak the plugins around to see any changes ;)

Cheers


Added by Bartosz Malkowski TigaseTeam almost 5 years ago

Do I understand correctly that the session is encrypted already?

Added by Abmar Barros almost 5 years ago

This is the whole negotiation process:

send: 
<stream:stream xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0" to="alps.buddycloud.com">

receive: 
<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='alps.buddycloud.com' id='c93b902d-0151-4bfe-a093-7582333bdec0' version='1.0' xml:lang='en'>

receive: 
<stream:features>
  <ver xmlns="urn:xmpp:features:rosterver"/>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>
  <register xmlns="http://jabber.org/features/iq-register"/>
</stream:features>

So I suppose the server should be advertising the TLS stream feature?

Btw, I'm using node-xmpp, so it should be trying to upgrade to TLS by default.

Thanks!


Added by Bartosz Malkowski TigaseTeam almost 5 years ago

SASL mechanisms are empty because hardened-mode forbids logging in on an unencrypted session.

I think we should also remove iq-register from unencrypted sessions.

The question is: why is there no StartTLS?
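The situation Bartosz describes can be checked from the client side by looking at what the server advertises: an empty <mechanisms/> on a plaintext session is expected under hardened mode, but only if <starttls/> is offered alongside it. The following added example (not code from this thread or from Tigase; both XML samples are constructed) parses a stream:features element and classifies it.

```python
# Added example, not code from the thread or from Tigase: parse a <stream:features>
# element and explain what a client sees. Both XML samples below are constructed.
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_REG = "http://jabber.org/features/iq-register"


def parse_features(xml_text):
    """Return which TLS, SASL and registration features the stream advertises."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}features" % NS_STREAM:
        raise ValueError("expected stream:features, got %s" % root.tag)
    starttls = root.find("{%s}starttls" % NS_TLS)
    mechs = root.find("{%s}mechanisms" % NS_SASL)
    return {
        "starttls": starttls is not None,
        "starttls_required": starttls is not None
        and starttls.find("{%s}required" % NS_TLS) is not None,
        "mechanisms": [m.text for m in mechs.findall("{%s}mechanism" % NS_SASL)]
        if mechs is not None else [],
        "register": root.find("{%s}register" % NS_REG) is not None,
    }


def diagnose(xml_text, session_encrypted=False):
    """Classify the stream: ok, upgrade first, misconfigured, or broken."""
    f = parse_features(xml_text)
    if f["mechanisms"]:
        return "ok: authenticate with one of %s" % ", ".join(f["mechanisms"])
    if not session_encrypted and f["starttls"]:
        return "upgrade: negotiate STARTTLS, then expect SASL mechanisms"
    if not session_encrypted:
        # The thread's symptom: hardened mode withholds SASL on plaintext, but no STARTTLS.
        return "misconfigured: no SASL mechanisms and no STARTTLS on a plaintext session"
    return "broken: session is encrypted but no SASL mechanisms are advertised"


# Constructed sample matching what the thread reports a hardened server sent on 5222.
HARDENED_NO_STARTTLS = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <ver xmlns="urn:xmpp:features:rosterver"/>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>
  <register xmlns="http://jabber.org/features/iq-register"/>
</stream:features>"""

# Constructed sample of a correctly configured server before TLS is negotiated.
HEALTHY_PLAINTEXT = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
</stream:features>"""
```

Running diagnose() on the thread's features returns the "misconfigured" verdict, which points at the STARTTLS side rather than at SASL mechanism selection.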

Added by Steffen Larsen almost 5 years ago

Maybe because of the --starttls option in the sm-plugin (init-properties)?

/Steffen

Added by Abmar Barros almost 5 years ago

You got it Steffen!

The starttls plugin was deactivated. Dumb me :(

Thanks for everyone's time.

Added by Steffen Larsen almost 5 years ago

Super Abmar!

I told you to review those sm-plugin options.. I have the same problem. Sometimes I just add a lot of options and forget about them. But they are affecting stuff. :-)

-Cheers!

/Steffen

Added by Abmar Barros almost 5 years ago

I've checked it twice at least. That might have been the dev bias :) 4 eyes work better, I suppose.

Cheers!

Added by Steffen Larsen almost 5 years ago

I know the problem. To stare and stare at stuff, not seeing the obvious. :-)

But cool that it solved your problem.

-Cheers!

/Steffen
