
Summary: ASTERISK-12857: Jabber fails to authenticate when using SSL.
Reporter: Brendan Martens (shrift)
Labels:
Date Opened: 2008-10-09 14:39:57
Date Closed: 2011-06-07 14:08:07
Priority: Minor
Regression?: No
Status: Closed/Complete
Components: Resources/res_jabber
Versions:
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description: The jabber resource will not authenticate in client mode with an SSL connection.

Jabber debug in the console shows a lot of these:
JABBER: servant-jabber OUTGOING: <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' to='crosscomm.net' version='1.0'>

Here is the error from my apple server:
error: SSL handshake error (error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)

And here is an error from my openfire server:
2008.10.08 12:40:18 ConnectionHandler:
javax.net.ssl.SSLHandshakeException: SSL handshake failed.
at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:416)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
at org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.messageReceived(AbstractIoFilterChain.java:499)
at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
at org.apache.mina.common.support.AbstractIoFilterChain.fireMessageReceived(AbstractIoFilterChain.java:293)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:228)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:198)
at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$400(SocketIoProcessor.java:45)
at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:485)
at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
at com.sun.net.ssl.internal.ssl.EngineInputRecord.bytesInCompletePacket(EngineInputRecord.java:152)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:754)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:669)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
at org.apache.mina.filter.support.SSLHandler.unwrap0(SSLHandler.java:658)
at org.apache.mina.filter.support.SSLHandler.unwrapHandshake(SSLHandler.java:614)
at org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:493)
at org.apache.mina.filter.support.SSLHandler.messageReceived(SSLHandler.java:306)
at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:392)
... 14 more


****** ADDITIONAL INFORMATION ******

I got my asterisk from svn tags/1.6.0. I don't know what checkout number it was.
Here is my jabber.conf:

[general]
debug=yes                               ;;Turn on debugging by default.
autoprune=no                            ;;Auto remove users from buddy list. Depending on your
                                       ;;setup (ie, using your personal Gtalk account for a test)
                                       ;;you might lose your contacts list. Default is 'no'.
autoregister=yes                        ;;Auto register users from buddy list.

[servant-jabber]                                ;;label
type=client
serverhost=servant.crosscomm.net        ;;Route to server for example,
                                       ;;;     talk.google.com
username=asterisk@crosscomm.net/asterisk                ;;Username with optional resource.
secret=password                      ;;Password
;priority=1                             ;;Resource priority
port=5223                               ;;Port to use defaults to 5222
usetls=yes                              ;;Use tls or not
usesasl=no                              ;;Use sasl or not
;buddy=mogorman@astjab.org              ;;Manual addition of buddy to list.
;status=available                       ;;One of: chat, available, away,
                                       ;;;     xaway, or dnd
;statusmessage="I am available"         ;;Have custom status message for
                                       ;;;Asterisk.
timeout=15                              ;;Timeout on the message stack.

[bubbletastic-jabber]                           ;;label
type=component
serverhost=bubbletastic.com             ;;Route to server for example,
                                       ;;      talk.google.com
username=asterisk@bubbletastic.com/asterisk             ;;Username with optional resource.
secret=password                 ;;Password
;priority=1                             ;;Resource priority
port=5275                               ;;Port to use defaults to 5222
usetls=no                               ;;Use tls or not
usesasl=no                              ;;Use sasl or not
buddy=shrift@bubbletastic.com           ;;Manual addition of buddy to list.
;status=available                       ;;One of: chat, available, away,
                                       ;;      xaway, or dnd
;statusmessage="I am available"         ;;Have custom status message for
                                       ;;Asterisk.
timeout=15                              ;;Timeout on the message stack.


Note that in this config the bubbletastic server works just fine, it is the [servant-jabber] that fails. I have also set the [bubbletastic-jabber] to use tls and port 5223 and it also failed, that is what the debug output from openfire is above.
Comments:

By: phsultan (phsultan) 2008-10-10 07:58:48

Hi shrift, can you try to set port to 5222 with TLS enabled on that port?

By: Brendan Martens (shrift) 2008-10-10 10:07:47

I don't actually think that either of my servers supports TLS on port 5222, so I'm not sure that port 5222 is worth troubleshooting, but here is the Asterisk debug of trying to make client connections on port 5222 to both Apple iChat and Openfire; "servant-jabber" is Apple, "bubbletastic-jabber" is Openfire:

[Oct 10 09:59:11] VERBOSE[3630] logger.c:
JABBER: servant-jabber OUTGOING: <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' to='crosscomm.net' version='1.0'>
[Oct 10 09:59:15] VERBOSE[3630] logger.c:
JABBER: servant-jabber INCOMING: <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' from='crosscomm.net' version='1.0' id='qnbq5d13xwxrr2u74lj7dzgtvr4xohzs7mrwcywx'><stream:features xmlns:stream='http://etherx.jabber.org/streams'><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>
[Oct 10 09:59:15] VERBOSE[3630] logger.c:
JABBER: servant-jabber OUTGOING: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
[Oct 10 09:59:15] VERBOSE[3630] logger.c:
JABBER: servant-jabber INCOMING: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
[Oct 10 09:59:15] VERBOSE[3630] logger.c:
JABBER: servant-jabber OUTGOING: <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' to='crosscomm.net' version='1.0'>
[Oct 10 09:59:15] VERBOSE[3630] logger.c:
JABBER: servant-jabber INCOMING: <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' from='crosscomm.net' version='1.0' id='gc3njb2n0yiodvokl8jv4agmgnx5kp0ud04obtsm'>
[Oct 10 09:59:15] VERBOSE[3630] logger.c:
JABBER: servant-jabber OUTGOING: <iq type='set' id='aaaaf' to='crosscomm.net'><query xmlns='jabber:iq:auth'><username>asterisk</username><resource>asterisk</resource><digest>3d350f9485cc4accc94d732d87a7079b457cd96b</digest></query></iq>
[Oct 10 09:59:15] VERBOSE[3630] logger.c:
JABBER: servant-jabber INCOMING: <stream:features xmlns:stream='http://etherx.jabber.org/streams'><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>GSSAPI</mechanism></mechanisms></stream:features>
[Oct 10 09:59:15] VERBOSE[3630] logger.c:
JABBER: servant-jabber INCOMING: <iq xmlns='jabber:client' from='crosscomm.net' id='aaaaf' type='error'><error code='401'/><query xmlns='jabber:iq:auth'><username>asterisk</username><resource>asterisk</resource><digest>3d350f9485cc4accc94d732d87a7079b457cd96b</digest></query></iq>




[Oct 10 09:59:45] VERBOSE[3629] logger.c:
JABBER: bubbletastic-jabber OUTGOING: <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' to='bubbletastic.com' version='1.0'>
[Oct 10 09:59:50] VERBOSE[3629] logger.c:
JABBER: bubbletastic-jabber INCOMING: <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="bubbletastic.com" id="ac91f7db" xml:lang="en" version="1.0">
[Oct 10 09:59:50] VERBOSE[3629] logger.c:
JABBER: bubbletastic-jabber OUTGOING: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
[Oct 10 09:59:50] VERBOSE[3629] logger.c:
JABBER: bubbletastic-jabber INCOMING: <stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism><mechanism>CRAM-MD5</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>
[Oct 10 09:59:51] VERBOSE[3629] logger.c:
JABBER: bubbletastic-jabber INCOMING: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
[Oct 10 09:59:53] VERBOSE[3629] logger.c:
JABBER: bubbletastic-jabber OUTGOING: <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' to='bubbletastic.com' version='1.0'>
[Oct 10 09:59:54] VERBOSE[3629] logger.c:
JABBER: bubbletastic-jabber INCOMING: <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="bubbletastic.com" id="ac91f7db" xml:lang="en" version="1.0"><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism><mechanism>CRAM-MD5</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>
[Oct 10 09:59:54] VERBOSE[3629] logger.c:
JABBER: bubbletastic-jabber OUTGOING: <iq type='set' id='aaaaf' to='bubbletastic.com'><query xmlns='jabber:iq:auth'><username>asterisk</username><resource>asterisk</resource><digest>1e573f443d80d2a59dae7414633662e3d811c7d9</digest></query></iq>
[Oct 10 09:59:54] VERBOSE[3629] logger.c:
JABBER: bubbletastic-jabber INCOMING: <iq type="error" id="aaaaf" from="bubbletastic.com" to="bubbletastic.com/ac91f7db"><query xmlns="jabber:iq:auth"><username>asterisk</username><resource>asterisk</resource><digest>1e573f443d80d2a59dae7414633662e3d811c7d9</digest></query><error code="401" type="auth"><not-authorized xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/></error></iq>


Also, after doing that, I tried to log in to my servers with port 5222 and SSL; neither of them let me do it, and that was using the iChat client. When I tried this with Spark (Openfire's client app) there wasn't even an option to use SSL with port 5222.


One other issue worth noting is that when I make changes in the jabber.conf they don't seem to take effect on a jabber reload, I have to do core restart now, shall I open a bug for that?

By: phsultan (phsultan) 2008-10-10 17:11:20

According to the standards, both your servers must support TLS and implement it on the IANA registered XMPP client port (5222), see :
http://xmpp.org/rfcs/rfc3920.html#tls
http://xmpp.org/rfcs/rfc3920.html#diffs

The debug output you gave shows that both indeed implement it (check the starttls tags). You can make sure the connection is effectively encrypted by issuing a network capture.

They also require you to authenticate with SASL, so you should set the 'usesasl' option to 'yes' in your jabber.conf file.

You should extend the allowed SASL mechanisms to PLAIN or DIGEST-MD5 on 'crosscomm.net', because Asterisk won't authenticate using GSSAPI.
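As an added, self-contained illustration of the negotiation described in the comments above (this is example code written for this page, not res_jabber or any other Asterisk code), the script below replays the captured stream:features stanzas from the debug output and shows the two things the ticket turns on: the RFC 3920 order of STARTTLS on port 5222 followed by SASL with a mechanism the client actually supports (so a server that offers only GSSAPI is rejected cleanly instead of falling back to the jabber:iq:auth path that produced the 401), and why a plaintext stream header sent to a direct-SSL port such as 5223 is answered with "unknown protocol" / "plaintext connection?". The client preference list, the function names and the TLS-required policy are assumptions for the example; no network I/O is performed.

```python
"""Replay of the XMPP client negotiation from this ticket (added example,
not Asterisk code). Stanzas below are the ones captured in the debug log."""
import base64
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
IQ_AUTH_NS = "http://jabber.org/features/iq-auth"

# Mechanisms the client can complete, in preference order. Assumption that
# reflects the comment above: Asterisk does PLAIN / DIGEST-MD5, not GSSAPI.
CLIENT_MECHS = ("DIGEST-MD5", "PLAIN")

# What Asterisk sends first in the clear (from the debug output above).
STREAM_HEADER = ("<?xml version='1.0'?><stream:stream xmlns:stream='%s' "
                 "xmlns='jabber:client' to='crosscomm.net' version='1.0'>" % STREAM_NS)

# <stream:features> fragments captured in the ticket, before and after TLS.
SERVANT_FEATURES_PLAIN = ("<stream:features xmlns:stream='%s'><starttls xmlns='%s'>"
                          "<required/></starttls></stream:features>" % (STREAM_NS, TLS_NS))
SERVANT_FEATURES_TLS = ("<stream:features xmlns:stream='%s'><mechanisms xmlns='%s'>"
                        "<mechanism>GSSAPI</mechanism></mechanisms></stream:features>"
                        % (STREAM_NS, SASL_NS))
OPENFIRE_FEATURES_PLAIN = ('<stream:features><starttls xmlns="%s"></starttls>'
                           '<mechanisms xmlns="%s"><mechanism>DIGEST-MD5</mechanism>'
                           '<mechanism>PLAIN</mechanism><mechanism>CRAM-MD5</mechanism>'
                           '</mechanisms><auth xmlns="%s"/></stream:features>'
                           % (TLS_NS, SASL_NS, IQ_AUTH_NS))
OPENFIRE_FEATURES_TLS = ('<stream:features><mechanisms xmlns="%s">'
                         '<mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism>'
                         '<mechanism>CRAM-MD5</mechanism></mechanisms>'
                         '<auth xmlns="%s"/></stream:features>' % (SASL_NS, IQ_AUTH_NS))


def parse_features(fragment):
    """Parse one <stream:features> fragment as it appears in the debug log.

    The fragment may or may not carry its own xmlns:stream declaration, so it
    is wrapped in a throwaway <stream:stream> root that binds both prefixes.
    """
    wrapped = ("<stream:stream xmlns:stream='%s' xmlns='jabber:client'>%s"
               "</stream:stream>" % (STREAM_NS, fragment))
    features = ET.fromstring(wrapped).find("{%s}features" % STREAM_NS)
    if features is None:
        raise ValueError("no <stream:features> in fragment")
    starttls = features.find("{%s}starttls" % TLS_NS)
    return {
        "starttls": starttls is not None,
        "starttls_required": starttls is not None
                             and starttls.find("{%s}required" % TLS_NS) is not None,
        "mechanisms": [m.text.strip() for m in
                       features.findall("{%s}mechanisms/{%s}mechanism" % (SASL_NS, SASL_NS))],
        "legacy_iq_auth": features.find("{%s}auth" % IQ_AUTH_NS) is not None,
    }


def next_action(fragment, tls_up, client_mechs=CLIENT_MECHS, require_tls=True):
    """Decide the client's next step in the RFC 3920 order: TLS first, then SASL.

    Returns a (kind, detail) pair. With require_tls (the usetls=yes policy)
    the client never sends credentials on a stream that was not upgraded.
    """
    f = parse_features(fragment)
    if not tls_up:
        if f["starttls"]:
            return ("starttls", "<starttls xmlns='%s'/>" % TLS_NS)
        if require_tls or f["starttls_required"]:
            return ("abort", "server did not offer STARTTLS on this port")
    for mech in client_mechs:
        if mech in f["mechanisms"]:
            return ("sasl", mech)
    if f["mechanisms"]:
        # Do not fall back to jabber:iq:auth here: the ticket shows that path
        # being refused with a 401 once the server advertises SASL.
        return ("abort", "no common SASL mechanism; server offers %s"
                % ", ".join(f["mechanisms"]))
    return ("legacy-auth", "jabber:iq:auth") if f["legacy_iq_auth"] else ("abort", "no auth")


def sasl_plain_initial_response(user, password):
    """SASL PLAIN initial response (RFC 4616): base64(NUL user NUL password)."""
    return base64.b64encode(b"\x00" + user.encode() + b"\x00" + password.encode()).decode()


def classify_first_bytes(data):
    """What a peer sent first on the socket, as a direct-SSL port would judge it.

    A TLS record starts with content type 0x16 and major version 0x03; an
    SSLv2-style ClientHello has the high bit of its length set and type 0x01.
    Text starting with '<' is a plaintext XMPP stream opener, which is what
    OpenSSL calls "unknown protocol" and JSSE "plaintext connection?".
    """
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    if len(data) >= 3 and (data[0] & 0x80) and data[2] == 0x01:
        return "sslv2-client-hello"
    if data.lstrip().startswith(b"<"):
        return "xml-plaintext"
    return "unknown"


def replay_ticket():
    """Walk both captured negotiations plus the port-5223 case; return decisions."""
    steps = []
    for name, plain, tls in (("servant-jabber", SERVANT_FEATURES_PLAIN, SERVANT_FEATURES_TLS),
                             ("bubbletastic-jabber", OPENFIRE_FEATURES_PLAIN, OPENFIRE_FEATURES_TLS)):
        steps.append((name, next_action(plain, tls_up=False)[0]))
        steps.append((name, next_action(tls, tls_up=True)[0]))
    steps.append(("port-5223", classify_first_bytes(STREAM_HEADER.encode())))
    return steps


if __name__ == "__main__":
    for step in replay_ticket():
        print("%-20s %s" % step)
```

Running it shows the Apple server ending in "abort" after TLS (GSSAPI only), the Openfire server reaching "sasl" (DIGEST-MD5), and the stream header classified as "xml-plaintext", which is the mismatch a 5223 listener rejects before any XML is read. A client that wants 5223 would have to wrap the socket in TLS before sending the header; res_jabber as described in the ticket does not, which is why only the STARTTLS path on 5222 works.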



By: Brendan Martens (shrift) 2008-10-13 08:12:25

Thanks for looking at this.

I have tried many things to get this to work on the apple server, but their configuration seems to be very one client (iChat) tracked. Very frustrating. I'll not ask for help here getting that figured out as it's an issue with the auth mechs that they setup with their configuration.

As for my openfire server, I did indeed get it to work on port 5222 with SSL and sasl turned on. If I leave all settings the same but change the port to 5223 then the connection fails... While it is good that it works correctly on port 5222, my openfire does support 5223 and there should probably be some better information returned to the console if asterisk will not work with a client on 5223.

Again, thanks for the help.

By: Brendan Martens (shrift) 2008-10-13 08:29:00

One question related to making this work with my apple server... Is gssapi support going to make it into asterisk at any point in the near future?

By: phsultan (phsultan) 2008-10-25 16:46:16

Hi shrift, I don't expect to have GSSAPI included in Asterisk soon. But we'll review the patches if any.

Thanks for reporting back!

Philippe