Tigase client certificate authentication failed - not-authorized

Isuru Sampath
Added about 4 years ago

Hi,

I am using Tigase server for certificate-based login. My server certificate and client certificate are both signed by a private CA. I have configured the server to accept client certificates from my private CA.

The configuration is as follows.

init.properties

--comp-class-1 = tigase.muc.MUCComponent
--virt-hosts = interdev.xmpp.lk
--user-db-uri = jdbc:mysql://localhost/tigasedb?user=tigase&password=tigase12
--user-db = mysql
--admins = admin@interdev.xmpp.lk
--comp-name-4 = message-archive
--comp-name-3 = proxy
config-type = --gen-config-def
--comp-name-2 = pubsub
--comp-name-1 = muc
--cluster-mode = true
--sm-plugins = -message-archive-xep-0136,+jabber:iq:auth,+urn:ietf:params:xml:ns:xmpp-sasl,+urn:ietf:params:xml:ns:xmpp-bind,+urn:ietf:params:xml:ns:xmpp-session,+jabber:iq:register,+jabber:iq:roster,+presence,+jabber:iq:privacy,+jabber:iq:version,+http://jabber.org/protocol/stats,+starttls,+msgoffline,+vcard-temp,+http://jabber.org/protocol/commands,+jabber:iq:private,+urn:xmpp:ping,+basic-filter,+domain-filter,+pep,-zlib
--debug = server,xmpp
--vhost-tls-required=true
c2s/clientCertCA=/root/tigase/certs/ssCA.pem
--ssl-certs-location = /root/tigase/certs
basic-conf/auth-repo-params/sasl-mechs=PLAIN,DIGEST-MD5
--comp-class-4 = tigase.archive.MessageArchiveComponent
--comp-class-3 = tigase.socks5.Socks5ProxyComponent
--comp-class-2 = tigase.pubsub.PubSubComponent

ssCA.pem is my private CA certificate.

I am using Jitsi as my client to log in to the server, but it gives the following error message:

condition: not-authorized

Certificates are exchanged. This error is given in the XMPP/XML messages.

I am new to Tigase; please give me a solution to this error.


Replies (9)


Added by Bartosz Malkowski TigaseTeam about 4 years ago

Show me the list of SASL mechanisms returned by the server in stream:features.

Added by Isuru Sampath about 4 years ago

This is what the server sent in the XMPP features:

MECHANISMS [xmlns="urn:ietf:params:xml:ns:xmpp-sasl"]
    MECHANISM: PLAIN
    MECHANISM: ANONYMOUS
    MECHANISM: EXTERNAL

Added by Bartosz Malkowski TigaseTeam about 4 years ago

OK. The EXTERNAL mechanism is present, so the certificate was loaded correctly (I hope).

Show me also Tigase logs for this session, please.

Added by Isuru Sampath about 4 years ago

Please check the attached log files.

This exception is thrown in the user log file:

javax.security.sasl.SaslException: Callback not supported by handler [Caused by javax.security.auth.callback.UnsupportedCallbackException: Unrecognized Callback]
    at tigase.auth.mechanisms.AbstractSasl.handleCallbacks(AbstractSasl.java:53)
    at tigase.auth.mechanisms.SaslEXTERNAL.evaluateResponse(SaslEXTERNAL.java:40)
    at tigase.xmpp.impl.SaslAuth.process(SaslAuth.java:308)
    at tigase.server.xmppsession.SessionManager$ProcessorWorkerThread.process(SessionManager.java:2689)
    at tigase.util.WorkerThread.run(WorkerThread.java:132)
Caused by: javax.security.auth.callback.UnsupportedCallbackException: Unrecognized Callback
    at tigase.auth.impl.AuthRepoPlainCallbackHandler.handleCallback(AuthRepoPlainCallbackHandler.java:148)
    at tigase.auth.impl.AuthRepoPlainCallbackHandler.handle(AuthRepoPlainCallbackHandler.java:75)
    at tigase.auth.mechanisms.AbstractSasl.handleCallbacks(AbstractSasl.java:49)
    at tigase.auth.mechanisms.SaslEXTERNAL.evaluateResponse(SaslEXTERNAL.java:40)
    at tigase.xmpp.impl.SaslAuth.process(SaslAuth.java:308)
    at tigase.server.xmppsession.SessionManager$ProcessorWorkerThread.process(SessionManager.java:2689)
    at tigase.util.WorkerThread.run(WorkerThread.java:132)

Added by Bartosz Malkowski TigaseTeam about 4 years ago

Please add to your init.properties:

sess-man/plugins-conf/callbackhandler-EXTERNAL=tigase.auth.impl.CertBasedCallbackHandler

Added by Isuru Sampath about 4 years ago

Added.

My new init.properties is like this:

--comp-class-1 = tigase.muc.MUCComponent
--virt-hosts = interdev.xmpp.lk
--user-db-uri = jdbc:mysql://localhost/tigasedb?user=tigase&password=tigase12
--user-db = mysql
--admins = admin@interdev.xmpp.lk
--comp-name-4 = message-archive
--comp-name-3 = proxy
config-type = --gen-config-def
--comp-name-2 = pubsub
--comp-name-1 = muc
--cluster-mode = true
--sm-plugins = -message-archive-xep-0136,+jabber:iq:auth,+urn:ietf:params:xml:ns:xmpp-sasl,+urn:ietf:params:xml:ns:xmpp-bind,+urn:ietf:params:xml:ns:xmpp-session,+jabber:iq:register,+jabber:iq:roster,+presence,+jabber:iq:privacy,+jabber:iq:version,+http://jabber.org/protocol/stats,+starttls,+msgoffline,+vcard-temp,+http://jabber.org/protocol/commands,+jabber:iq:private,+urn:xmpp:ping,+basic-filter,+domain-filter,+pep,-zlib
--debug = server,xmpp
--vhost-tls-required=true
c2s/clientCertCA=/root/tigase/certs/ssCA.pem
--ssl-certs-location = /root/tigase/certs
basic-conf/auth-repo-params/sasl-mechs=PLAIN,DIGEST-MD5
--comp-class-4 = tigase.archive.MessageArchiveComponent
--comp-class-3 = tigase.socks5.Socks5ProxyComponent
--comp-class-2 = tigase.pubsub.PubSubComponent
sess-man/plugins-conf/callbackhandler-EXTERNAL=tigase.auth.impl.CertBasedCallbackHandler

But the Jitsi client still doesn't connect to the server. This time it gives an XMPP failure error "condition: invalid-authzid".

I have checked the log files and the exception below is thrown:

Request: from=c2s@interdev.xmpp.lk/10.20.34.18_5222_10.20.34.26_59590, to=sess-man@interdev.xmpp.lk, DATA=<auth mechanism="EXTERNAL" xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>, SIZE=69, XMLNS=urn:ietf:params:xml:ns:xmpp-sasl, PRIORITY=NORMAL, PERMISSION=NONE, TYPE=null, conn: user_jid=null, packets=2, connectioId=c2s@interdev.xmpp.lk/10.20.34.18_5222_10.20.34.26_59590, domain=interdev.xmpp.lk, authState=NOT_AUTHORIZED, isAnon=false, isTmp=false, authorization: null
2014-12-16 14:44:06.612 [urn:ietf:params:xml:ns:xmpp-sasl Queue Worker 1]  SaslAuth.process()  FINER: SASL unsuccessful
tigase.auth.XmppSaslException
        at tigase.auth.mechanisms.SaslEXTERNAL.evaluateResponse(SaslEXTERNAL.java:45)
        at tigase.xmpp.impl.SaslAuth.process(SaslAuth.java:308)
        at tigase.server.xmppsession.SessionManager$ProcessorWorkerThread.process(SessionManager.java:2689)
        at tigase.util.WorkerThread.run(WorkerThread.java:132)

Please find the log files I have attached for more info.


Added by Bartosz Malkowski TigaseTeam about 4 years ago

Are you sure your certificate has your JID?

See XEP-0178

As specified in RFC 3920 and updated in RFC 6120, during the stream negotiation process an XMPP client can present a certificate (a "client certificate"). If a JabberID is included in a client certificate, it is encapsulated as an id-on-xmppAddr Object Identifier ("xmppAddr"), i.e., a subjectAltName entry of type otherName with an ASN.1 Object Identifier of "id-on-xmppAddr" as specified in Section 13.7.1.4 of RFC 6120.

Added by Isuru Sampath about 4 years ago

Yes, the certificate has the JID in the subject alternative name. Please see this screenshot of the trace. Please tell me if there is something wrong.

Attachment: trace.jpg (468 KB)

Added by Isuru Sampath about 4 years ago

I don't know what is wrong. The JID is also included in the certificate, but it seems the problem is with the JID. Can you please tell me how to generate a certificate with the JID, if the problem is with the certificate generation process.
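The XEP-0178 pointer in the reply above is the crux of the second failure: once the EXTERNAL callback handler is in place, the server has to map the presented certificate to a JID, and the only place RFC 6120 defines for that is a subjectAltName entry of type otherName with the id-on-xmppAddr OID (1.3.6.1.5.5.7.8.5) and a UTF8String value. A SAN that carries only a dNSName, or a JID placed somewhere else, gives the server nothing to match against the requested authzid. As an added example that is not code from the thread or from Tigase, the following standard-library Python builds the SubjectAltName extension value such a client certificate must contain and then performs the check a server makes on it: extract every id-on-xmppAddr value and compare it with the bare JID the client asks to be authorized as. The JID alice@interdev.xmpp.lk, the function names and the sample byte strings are all constructed for the example; the code works on the DER bytes inside the extension's OCTET STRING, not on a whole certificate.

```python
"""Build and check an id-on-xmppAddr subjectAltName (XEP-0178, RFC 6120 s13.7.1.4).

Example code for this thread, not part of Tigase. Standard library only: a
minimal DER encoder/decoder for the SubjectAltName extension value, i.e. the
bytes inside the extension's OCTET STRING.
"""

ID_ON_XMPPADDR = "1.3.6.1.5.5.7.8.5"   # id-on-xmppAddr

def der_len(n):
    """DER length, short or long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(oid):
    """OBJECT IDENTIFIER from a dotted string (base-128 arcs)."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))

def decode_oid(body):
    """Dotted string from OID contents octets (first arc 0 or 1 is enough here)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def read_tlv(buf, pos):
    """Parse one TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def xmpp_addr_general_name(jid):
    """otherName [0]: SEQUENCE { id-on-xmppAddr, [0] EXPLICIT UTF8String jid }."""
    value = der_tlv(0xA0, der_tlv(0x0C, jid.encode("utf-8")))
    return der_tlv(0xA0, encode_oid(ID_ON_XMPPADDR) + value)

def dns_general_name(name):
    """dNSName [2] IMPLICIT IA5String: common in certificates, but it is not a JID."""
    return der_tlv(0x82, name.encode("ascii"))

def subject_alt_name(*general_names):
    return der_tlv(0x30, b"".join(general_names))

def xmpp_addrs(san_der):
    """Every id-on-xmppAddr value carried by a DER SubjectAltName."""
    tag, body, end = read_tlv(san_der, 0)
    if tag != 0x30 or end != len(san_der):
        raise ValueError("not a GeneralNames SEQUENCE")
    found, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        if tag != 0xA0:                          # skip everything but otherName
            continue
        otag, oid_body, after_oid = read_tlv(inner, 0)
        if otag != 0x06 or decode_oid(oid_body) != ID_ON_XMPPADDR:
            continue
        vtag, value, _ = read_tlv(inner, after_oid)
        if vtag != 0xA0:
            continue
        stag, s, _ = read_tlv(value, 0)
        if stag == 0x0C:                         # RFC 6120 mandates UTF8String
            found.append(s.decode("utf-8"))
    return found

def authorizes(san_der, requested_jid):
    """Is the bare JID the client asks for among the certificate's xmppAddr values?

    The domainpart is case-insensitive; the localpart is compared verbatim
    (full RFC 6122 normalization is left out of this example).
    """
    def norm(jid):
        local, _, domain = jid.partition("@")
        return local + "@" + domain.lower()
    want = norm(requested_jid)
    return any(norm(addr) == want for addr in xmpp_addrs(san_der))

# Constructed samples: a SAN that carries the JID, and one that only names the host.
GOOD_SAN = subject_alt_name(xmpp_addr_general_name("alice@interdev.xmpp.lk"),
                            dns_general_name("interdev.xmpp.lk"))
NO_JID_SAN = subject_alt_name(dns_general_name("interdev.xmpp.lk"))

if __name__ == "__main__":
    print(GOOD_SAN.hex())                                  # starts 3038a02406082b06010505070805
    print(xmpp_addrs(GOOD_SAN))                            # ['alice@interdev.xmpp.lk']
    print(authorizes(GOOD_SAN, "alice@interdev.xmpp.lk"))  # True
    print(xmpp_addrs(NO_JID_SAN))                          # [] -> EXTERNAL fails: invalid-authzid
```

When the client certificate is generated with OpenSSL, the same otherName is requested with `subjectAltName=otherName:1.3.6.1.5.5.7.8.5;UTF8:alice@interdev.xmpp.lk` in the x509v3 extension section used at signing time. Some OpenSSL versions print an unknown otherName in `openssl x509 -text` only as `othername:<unsupported>`, so a decoder like the one above (or `openssl asn1parse` on the extension) is the way to confirm that the JID really ended up in the certificate and that it is the bare JID the client sends as its authzid.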
