
Using Psi to test tigase-server on Mac: after the message "Starting TLS for connection", the error "Authentication timeout expired" shows up.

steven cai
Added about 3 years ago

I use Psi to test tigase-server-7.0.2 on a Mac. Some time after the message "Starting TLS for connection", an error shows up: "Authentication timeout expired".

Using Wireshark, I can capture two packets:

Then it times out.

I guess that on Mac, STARTTLS fails.

Could someone help me?


Replies (6)

Added by Andrzej Wójcik (Tigase Team) about 3 years ago

You mentioned you use Psi to test Tigase XMPP Server version 7.0.2 under Mac. Could you tell us which version of Psi you use?

I'm asking about the Psi version because the latest final build of Psi is from 2012, which I would say is quite old. This old version used an old version of the OpenSSL library, which has issues working with Tigase XMPP Server due to changes in the SSL/TLS implementation done in Java to support newer TLS specifications. To handle this we introduced the tls-jdk-nss-bug-workaround-active property, which, when set to true, enables a compatibility mode. However, as it is not a very secure solution, I would not recommend using this setting and suggest using another XMPP client (i.e. a client newer than the 2012 build).

As far as I remember Psi+ project (fork of Psi) was able to connect to Tigase XMPP Server without any issues.

Added by steven cai about 3 years ago

Thank you for your reply.

After trying two solutions, the problem still exists:

  1. change the XMPP client (to the Psi+ project, v0.16.455 20150513).

  2. modify init-mysql.properties to enable the tls-jdk-nss-bug-workaround-active property.

I attached the tigase log file. The time the problem happened is 2015-12-16 11:01:26.644.

In addition, I tested my openssl in the console. I found that my Mac does not support -ssl3. Is that the main reason?

➜  openssl-1.0.2e  openssl s_client -debug -showcerts -connect caiyingyuandeiMac.local:5223
CONNECTED(00000003)
write to 0x7f86724288d0 [0x7f8672812c00] (317 bytes => 317 (0x13D))
0000 - 16 03 01 01 38 01 00 01-34 03 03 6a f9 29 65 1b   ....8...4..j.)e.
0010 - 4a 76 17 ea 79 48 cb a0-ab 38 34 1d 5d 77 be 74   Jv..yH...84.]w.t
0020 - b2 48 eb 6f 11 c0 e2 10-c1 1e 02 00 00 b6 c0 30   .H.o...........0
0030 - c0 2c c0 28 c0 24 c0 14-c0 0a 00 a5 00 a3 00 a1   .,.(.$..........
0040 - 00 9f 00 6b 00 6a 00 69-00 68 00 39 00 38 00 37   ...k.j.i.h.9.8.7
0050 - 00 36 00 88 00 87 00 86-00 85 c0 32 c0 2e c0 2a   .6.........2...*
0060 - c0 26 c0 0f c0 05 00 9d-00 3d 00 35 00 84 c0 2f   .&.......=.5.../
0070 - c0 2b c0 27 c0 23 c0 13-c0 09 00 a4 00 a2 00 a0   .+.'.#..........
0080 - 00 9e 00 67 00 40 00 3f-00 3e 00 33 00 32 00 31   ...g.@.?.>.3.2.1
0090 - 00 30 00 9a 00 99 00 98-00 97 00 45 00 44 00 43   .0.........E.D.C
00a0 - 00 42 c0 31 c0 2d c0 29-c0 25 c0 0e c0 04 00 9c   .B.1.-.).%......
00b0 - 00 3c 00 2f 00 96 00 41-00 07 c0 11 c0 07 c0 0c   .<./...A........
00c0 - c0 02 00 05 00 04 c0 12-c0 08 00 16 00 13 00 10   ................
00d0 - 00 0d c0 0d c0 03 00 0a-00 15 00 12 00 0f 00 0c   ................
00e0 - 00 09 00 ff 01 00 00 55-00 0b 00 04 03 00 01 02   .......U........
00f0 - 00 0a 00 1c 00 1a 00 17-00 19 00 1c 00 1b 00 18   ................
0100 - 00 1a 00 16 00 0e 00 0d-00 0b 00 0c 00 09 00 0a   ................
0110 - 00 23 00 00 00 0d 00 20-00 1e 06 01 06 02 06 03   .#..... ........
0120 - 05 01 05 02 05 03 04 01-04 02 04 03 03 01 03 02   ................
0130 - 03 03 02 01 02 02 02 03-00 0f 00 01 01            .............
^C
➜  openssl-1.0.2e  openssl s_client -debug -showcerts -ssl3 -connect caiyingyuandeiMac.local:5223
CONNECTED(00000003)
write to 0x7fb92bc28740 [0x7fb92c01b403] (158 bytes => 158 (0x9E))
0000 - 16 03 00 00 99 01 00 00-95 03 00 41 bb 3e 5d b7   ...........A.>].
0010 - a8 94 dc ed b1 9c 4c 8a-b6 af 22 69 46 8f 60 30   ......L..."iF.`0
0020 - 57 4d 3c e2 81 20 6f 04-66 5c 70 00 00 6e c0 14   WM<.. o.f\p..n..
0030 - c0 0a 00 39 00 38 00 37-00 36 00 88 00 87 00 86   ...9.8.7.6......
0040 - 00 85 c0 0f c0 05 00 35-00 84 c0 13 c0 09 00 33   .......5.......3
0050 - 00 32 00 31 00 30 00 9a-00 99 00 98 00 97 00 45   .2.1.0.........E
0060 - 00 44 00 43 00 42 c0 0e-c0 04 00 2f 00 96 00 41   .D.C.B...../...A
0070 - 00 07 c0 11 c0 07 c0 0c-c0 02 00 05 00 04 c0 12   ................
0080 - c0 08 00 16 00 13 00 10-00 0d c0 0d c0 03 00 0a   ................
0090 - 00 15 00 12 00 0f 00 0c-00 09 00 ff 01            .............
009e - <SPACES/NULS>
read from 0x7fb92bc28740 [0x7fb92c016e03] (5 bytes => 0 (0x0))
140735279293264:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1450236085
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
tigase.log.0 (108 KB) tigase.log.0 the error log
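The openssl test above talks to port 5223 directly, while the client in the log excerpt is on port 5222, where the exchange is XMPP STARTTLS (stream header, features advertising starttls, `<starttls/>`, `<proceed/>`, then the TLS handshake). The script below reproduces the client side of that exchange so the point where a client stalls can be seen; it is an added example, not code from this thread or from the Tigase project. The server replies it parses are constructed samples, the host and domain names are assumptions, and certificate verification is turned off only so the probe also works against a self-signed test certificate (never do that in a real client).

```python
import re
import socket
import ssl

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample replies (not captured from the thread's server):
# stream features offering STARTTLS, a <proceed/>, and a <failure/>.
SAMPLE_FEATURES = (
    b"<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
    b"xmlns:stream='http://etherx.jabber.org/streams' id='abc' from='localhost' version='1.0'>"
    b"<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>"
    b"</stream:features>"
)
SAMPLE_PROCEED = b"<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
SAMPLE_FAILURE = b"<failure xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"


def stream_header(domain):
    """Opening stream header a client sends to the given XMPP domain."""
    return ("<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' "
            "xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>" % domain).encode()


def classify_reply(data):
    """Classify raw server bytes: 'proceed', 'failure', 'starttls-offered',
    'starttls-missing' (features without STARTTLS) or 'incomplete' (keep reading)."""
    text = data.decode("utf-8", "replace")
    ns = re.escape(TLS_NS)
    if re.search(r"<proceed\b[^>]*%s" % ns, text):
        return "proceed"
    if re.search(r"<failure\b[^>]*%s" % ns, text):
        return "failure"
    if "</stream:features>" in text:
        if re.search(r"<starttls\b[^>]*%s" % ns, text):
            return "starttls-offered"
        return "starttls-missing"
    return "incomplete"


def _read_reply(sock):
    """Read until the server's reply can be classified (or the peer closes)."""
    buf = b""
    while classify_reply(buf) == "incomplete":
        chunk = sock.recv(4096)
        if not chunk:
            return buf, "closed"
        buf += chunk
    return buf, classify_reply(buf)


def starttls_probe(host, port, domain, timeout=5.0):
    """Run the STARTTLS exchange and report the stage reached and the TLS
    version/cipher negotiated. host/port/domain are caller-supplied assumptions."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # probe only: tolerate a self-signed cert
    ctx.verify_mode = ssl.CERT_NONE
    sock = socket.create_connection((host, port), timeout)
    sock.sendall(stream_header(domain))
    _, state = _read_reply(sock)
    if state != "starttls-offered":
        return {"stage": "features", "result": state}
    sock.sendall(("<starttls xmlns='%s'/>" % TLS_NS).encode())
    _, state = _read_reply(sock)
    if state != "proceed":
        return {"stage": "starttls", "result": state}
    tls = ctx.wrap_socket(sock, server_hostname=domain)   # handshake happens here
    return {"stage": "tls", "result": "ok",
            "protocol": tls.version(), "cipher": tls.cipher()[0]}


if __name__ == "__main__":
    # Assumed test target: a local server on 5222 serving the domain "localhost".
    print(starttls_probe("127.0.0.1", 5222, "localhost"))
```

If the result stops at stage "starttls" with "closed", the server dropped the connection during the handshake; if it stops at "tls" with an exception, the handshake itself failed and the exception text names the protocol or cipher problem.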

Added by Wojciech Kapcia (Tigase Team) about 3 years ago

In Tigase there is a 2-minute authentication timeout (if the client doesn't authenticate within this period, the connection is closed). From the logs:

2015-12-16 11:01:26.644 [in_6-c2s]         ClientConnectionManager.processPacket()  FINEST: Processing packet: from=sess-man@localhost, to=null, DATA=<iq to="c2s@localhost/127.0.0.1_5222_127.0.0.1_51659" id="tig1" from="sess-man@localhost" type="set"><command node="STARTTLS" xmlns="http://jabber.org/protocol/commands"><x xmlns="jabber:x:data" type="submit"/><proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/></command></iq>, SIZE=275, XMLNS=null, PRIORITY=NORMAL, PERMISSION=LOCAL, TYPE=set
2015-12-16 11:01:26.644 [in_6-c2s]         ClientConnectionManager.processCommand()  FINER: Starting TLS for connection: c2s@localhost/127.0.0.1_5222_127.0.0.1_51659, type: accept, Socket: c2s@localhost/127.0.0.1_5222_127.0.0.1_51659 Socket[addr=/127.0.0.1,port=51659,localport=5222], jid: null
2015-12-16 11:01:26.704 [in_6-c2s]         TLSWrapper.<clinit>()              CONFIG:   Supported protocols: (+)SSLv2Hello,(-)SSLv3,(+)TLSv1,(+)TLSv1.1,(+)TLSv1.2
2015-12-16 11:01:26.706 [in_6-c2s]         TLSWrapper.<clinit>()              CONFIG:   Supported ciphers: (+)TLS_RSA_WITH_AES_128_CBC_SHA256,(+)TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,(+)TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,(+)TLS_RSA_WITH_AES_128_CBC_SHA,(+)TLS_DHE_RSA_WITH_AES_128_CBC_SHA,(+)TLS_DHE_DSS_WITH_AES_128_CBC_SHA,(+)SSL_RSA_WITH_3DES_EDE_CBC_SHA,(+)SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,(+)SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,(+)TLS_EMPTY_RENEGOTIATION_INFO_SCSV,(-)TLS_DH_anon_WITH_AES_128_CBC_SHA256,(-)TLS_DH_anon_WITH_AES_128_CBC_SHA,(-)SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,(-)SSL_RSA_WITH_DES_CBC_SHA,(-)SSL_DHE_RSA_WITH_DES_CBC_SHA,(-)SSL_DHE_DSS_WITH_DES_CBC_SHA,(-)SSL_DH_anon_WITH_DES_CBC_SHA,(-)SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,(-)SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,(-)SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,(-)SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA,(-)TLS_RSA_WITH_NULL_SHA256,(-)SSL_RSA_WITH_NULL_SHA,(-)SSL_RSA_WITH_NULL_MD5,(-)TLS_KRB5_WITH_3DES_EDE_CBC_SHA,(-)TLS_KRB5_WITH_3DES_EDE_CBC_MD5,(-)TLS_KRB5_WITH_DES_CBC_SHA,(-)TLS_KRB5_WITH_DES_CBC_MD5,(-)TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA,(-)TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
2015-12-16 11:01:26.706 [in_6-c2s]         TLSWrapper.<clinit>()              CONFIG:   Hardened mode is disabled
2015-12-16 11:01:26.706 [in_6-c2s]         TLSWrapper.<clinit>()              CONFIG:   Enabled protocols: default
2015-12-16 11:01:26.706 [in_6-c2s]         TLSWrapper.<clinit>()              CONFIG:   Workaround for TLS/SSL bug is enabled
2015-12-16 11:01:26.707 [in_6-c2s]         TLSWrapper.<clinit>()              CONFIG:   Enabled ciphers: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
2015-12-16 11:03:26.612 [scheduler_pool-8-thread-1-sess-man]  SessionManager$AuthenticationTimer.run()  FINE: Authentication timeout expired, closing connection: c2s@localhost/127.0.0.1_5222_127.0.0.1_51659
2015-12-16 11:03:26.618 [in_6-message-router]  MessageRouter.processPacket()  FINEST:   Processing packet: from=sess-man@localhost, to=c2s@localhost/127.0.0.1_5222_127.0.0.1_51659, DATA=<iq to="c2s@localhost/127.0.0.1_5222_127.0.0.1_51659" id="tig2" from="sess-man@localhost" type="set"><command node="CLOSE" xmlns="http://jabber.org/protocol/commands"/></iq>, SIZE=173, XMLNS=null, PRIORITY=SYSTEM, PERMISSION=NONE, TYPE=set

It looks like for some reason Psi is not proceeding with TLS.

  • do you see any more entries in XML console in Psi?

  • do you see any prompt regarding the self-signed certificate in Psi? (there should be one and you can accept such certificate)

  • are you able to connect to the server if you disable encryption for that account (and disable enforcing authentication on only encrypted connections)?
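To see the pattern described above in a larger log rather than by eye, the script below pairs each "Starting TLS for connection" entry with the "Authentication timeout expired" entry for the same connection id and reports how long the connection sat idle after STARTTLS, and it also splits the TLSWrapper "Supported protocols" line into enabled and disabled lists. It is an added example, not code from this thread or from the Tigase project; the sample lines are copied from the log excerpt above with trailing fields trimmed, and the 120-second threshold is the timeout stated in the reply.

```python
import re
from datetime import datetime

# Sample lines taken from the tigase.log excerpt in this thread (trailing
# fields trimmed). The connection below starts TLS and is then closed by the
# authentication timer without ever authenticating.
SAMPLE_LOG = """\
2015-12-16 11:01:26.644 [in_6-c2s]         ClientConnectionManager.processCommand()  FINER: Starting TLS for connection: c2s@localhost/127.0.0.1_5222_127.0.0.1_51659, type: accept
2015-12-16 11:01:26.704 [in_6-c2s]         TLSWrapper.<clinit>()              CONFIG:   Supported protocols: (+)SSLv2Hello,(-)SSLv3,(+)TLSv1,(+)TLSv1.1,(+)TLSv1.2
2015-12-16 11:01:26.706 [in_6-c2s]         TLSWrapper.<clinit>()              CONFIG:   Workaround for TLS/SSL bug is enabled
2015-12-16 11:03:26.612 [scheduler_pool-8-thread-1-sess-man]  SessionManager$AuthenticationTimer.run()  FINE: Authentication timeout expired, closing connection: c2s@localhost/127.0.0.1_5222_127.0.0.1_51659
"""

# timestamp [thread] Class.method() LEVEL: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+\[(?P<thread>[^\]]+)\]\s+"
    r"(?P<where>\S+)\s+(?P<level>[A-Z]+):\s+(?P<msg>.*)$")
# c2s@<host>/<localaddr>_<localport>_<remoteaddr>_<remoteport>
CONN_RE = re.compile(r"c2s@[\w.-]+/[\d.]+_\d+_[\d.]+_\d+")


def parse_line(line):
    """Split one Tigase log line into its fields; None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return rec


def correlate(log_text, timeout_seconds=120.0):
    """Per connection id: did TLS start, was it closed by the auth timer, and how
    many seconds passed between the two. 'stalled_after_starttls' is True when a
    connection went the full timeout without authenticating after STARTTLS."""
    conns = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        cm = CONN_RE.search(rec["msg"])
        if not cm:
            continue
        entry = conns.setdefault(cm.group(0), {"tls_started": None, "timed_out": None})
        if rec["msg"].startswith("Starting TLS for connection"):
            entry["tls_started"] = rec["ts"]
        elif rec["msg"].startswith("Authentication timeout expired"):
            entry["timed_out"] = rec["ts"]
    report = {}
    for cid, e in conns.items():
        gap = None
        if e["tls_started"] and e["timed_out"]:
            gap = (e["timed_out"] - e["tls_started"]).total_seconds()
        report[cid] = {
            "tls_started": e["tls_started"] is not None,
            "timed_out": e["timed_out"] is not None,
            "seconds_after_tls_start": gap,
            # allow a second of slack for scheduler jitter
            "stalled_after_starttls": gap is not None and gap >= timeout_seconds - 1.0,
        }
    return report


def tls_protocols(log_text):
    """Split the TLSWrapper 'Supported protocols' line into (+) and (-) lists."""
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["msg"].startswith("Supported protocols:"):
            items = rec["msg"].split(":", 1)[1].strip().split(",")
            return {"enabled": [i[3:] for i in items if i.startswith("(+)")],
                    "disabled": [i[3:] for i in items if i.startswith("(-)")]}
    return None


if __name__ == "__main__":
    for cid, info in correlate(SAMPLE_LOG).items():
        print(cid, info)
    print(tls_protocols(SAMPLE_LOG))
```

Run it over the real tigase.log.0 by reading the file into `correlate`; a connection flagged as stalled with no other entries for its id between the two timestamps means the server never received the client's TLS ClientHello (or anything else) after sending proceed, which is the next thing to check on the client side.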

Added by steven cai about 3 years ago

Thanks.

The STARTTLS error only happened when I was debugging the tigase-server code in Eclipse.

If I run tigase.sh from the scripts directory directly, Psi+ is able to connect to Tigase XMPP Server without any issues.

Which Java IDE does your team use to develop and debug the tigase-server project?

Added by steven cai about 3 years ago

Hello, Wojciech Kapcia & Andrzej Wójcik.

Which Java IDE does your team use to develop and debug the tigase-server project?

Added by Wojciech Kapcia (Tigase Team) about 3 years ago

steven cai wrote:

Thanks.

The STARTTLS error only happened when I was debugging the tigase-server code in Eclipse.

Do you have all dependencies included (tigase-utils, tigase-xmltools)? Are you opening the project as maven project or importing directly?

If I run tigase.sh from the scripts directory directly, Psi+ is able to connect to Tigase XMPP Server without any issues.

Which Java IDE does your team use to develop and debug the tigase-server project?

NetBeans, Eclipse and Idea.
