[asterisk-bugs] [Asterisk 0013656]: Jabber fails to authenticate when using SSL.

Asterisk Bug Tracker noreply at bugs.digium.com
Fri Oct 10 17:11:20 CDT 2008


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=13656 
====================================================================== 
Reported By:                shrift
Assigned To:                phsultan
====================================================================== 
Project:                    Asterisk
Issue ID:                   13656
Category:                   Resources/res_jabber
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     assigned
Asterisk Version:           1.6.0 
SVN Branch (only for SVN checkouts, not tarball releases): 1.6.0 
SVN Revision (number only!):  
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             2008-10-09 14:39 CDT
Last Modified:              2008-10-10 17:11 CDT
====================================================================== 
Summary:                    Jabber fails to authenticate when using SSL.
Description: 
The jabber resource will not authenticate in client mode with an SSL
connection.

Jabber debug in the console shows a lot of these:
JABBER: servant-jabber OUTGOING: <?xml version='1.0'?><stream:stream
xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client'
to='crosscomm.net' version='1.0'>

Here is the error from my apple server:
error: SSL handshake error (error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol)

And here is an error from my openfire server:
2008.10.08 12:40:18 ConnectionHandler: javax.net.ssl.SSLHandshakeException: SSL handshake failed.
	at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:416)
	at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
	at org.apache.mina.common.support.AbstractIoFilterChain.access$1100(AbstractIoFilterChain.java:53)
	at org.apache.mina.common.support.AbstractIoFilterChain$EntryImpl$1.messageReceived(AbstractIoFilterChain.java:648)
	at org.apache.mina.common.support.AbstractIoFilterChain$HeadFilter.messageReceived(AbstractIoFilterChain.java:499)
	at org.apache.mina.common.support.AbstractIoFilterChain.callNextMessageReceived(AbstractIoFilterChain.java:299)
	at org.apache.mina.common.support.AbstractIoFilterChain.fireMessageReceived(AbstractIoFilterChain.java:293)
	at org.apache.mina.transport.socket.nio.SocketIoProcessor.read(SocketIoProcessor.java:228)
	at org.apache.mina.transport.socket.nio.SocketIoProcessor.process(SocketIoProcessor.java:198)
	at org.apache.mina.transport.socket.nio.SocketIoProcessor.access$400(SocketIoProcessor.java:45)
	at org.apache.mina.transport.socket.nio.SocketIoProcessor$Worker.run(SocketIoProcessor.java:485)
	at org.apache.mina.util.NamePreservingRunnable.run(NamePreservingRunnable.java:51)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
	at java.lang.Thread.run(Thread.java:619)
Caused by: javax.net.ssl.SSLException: Unrecognized SSL message, plaintext connection?
	at com.sun.net.ssl.internal.ssl.EngineInputRecord.bytesInCompletePacket(EngineInputRecord.java:152)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:754)
	at com.sun.net.ssl.internal.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:669)
	at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:607)
	at org.apache.mina.filter.support.SSLHandler.unwrap0(SSLHandler.java:658)
	at org.apache.mina.filter.support.SSLHandler.unwrapHandshake(SSLHandler.java:614)
	at org.apache.mina.filter.support.SSLHandler.handshake(SSLHandler.java:493)
	at org.apache.mina.filter.support.SSLHandler.messageReceived(SSLHandler.java:306)
	at org.apache.mina.filter.SSLFilter.messageReceived(SSLFilter.java:392)
	... 14 more

====================================================================== 

---------------------------------------------------------------------- 
 (0093512) phsultan (manager) - 2008-10-10 17:11
 http://bugs.digium.com/view.php?id=13656#c93512 
---------------------------------------------------------------------- 
According to the standards, both your servers must support TLS and
implement it on the IANA-registered XMPP client port (5222), see:
http://xmpp.org/rfcs/rfc3920.html#tls
http://xmpp.org/rfcs/rfc3920.html#diffs

The debug output you gave shows that both indeed implement it (check the
starttls tags). You can make sure the connection is effectively encrypted
by issuing a network capture.

They also require you to authenticate with SASL, so you should set the
'usesasl' option to 'yes' in your jabber.conf file.

You should extend the allowed SASL mechanisms to PLAIN or DIGEST-MD5 on
'crosscomm.net', because Asterisk won't authenticate using GSSAPI. 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2008-10-10 17:11 phsultan       Note Added: 0093512                          
======================================================================
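
The check the note describes (look for the starttls tag, then compare the server's SASL mechanisms with what the client can do) can be run over a `<stream:features/>` stanza copied from the jabber debug output. This is an added example, not code from Asterisk or from the issue; the two stanzas are constructed samples, and `check_features` and the client mechanism list are assumptions based on the note's statement that PLAIN or DIGEST-MD5 work and GSSAPI does not.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
# Assumption from the note above: the client can do PLAIN or DIGEST-MD5, not GSSAPI.
CLIENT_MECHANISMS = ("DIGEST-MD5", "PLAIN")  # client preference order

# Constructed sample stanzas (not captured from the reporter's servers).
FEATURES_GSSAPI_ONLY = """<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>
  <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
    <mechanism>GSSAPI</mechanism>
  </mechanisms>
</stream:features>"""
# The same server after the admin extends the allowed mechanisms.
FEATURES_EXTENDED = FEATURES_GSSAPI_ONLY.replace(
    "<mechanism>GSSAPI</mechanism>",
    "<mechanism>GSSAPI</mechanism><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism>")


def check_features(xml_text, client_mechs=CLIENT_MECHANISMS):
    """Summarise what a server's stream features let this client negotiate."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS_STREAM}}}features":
        raise ValueError("not a stream:features element")
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    required = starttls is not None and starttls.find(f"{{{NS_TLS}}}required") is not None
    offered = [m.text.strip() for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text]
    chosen = next((m for m in client_mechs if m in offered), None)
    problems = []
    if starttls is None:
        problems.append("server does not offer STARTTLS")
    if chosen is None:
        problems.append("no shared SASL mechanism (offered: %s)" % ", ".join(offered))
    # PLAIN carries the password itself, so it is only acceptable inside TLS.
    if chosen == "PLAIN" and starttls is None:
        problems.append("PLAIN would be sent without encryption")
    return {"starttls_offered": starttls is not None, "starttls_required": required,
            "offered": offered, "chosen": chosen, "problems": problems}


if __name__ == "__main__":
    for name, stanza in (("GSSAPI only", FEATURES_GSSAPI_ONLY), ("extended", FEATURES_EXTENDED)):
        print(name, check_features(stanza))
```

DIGEST-MD5 has since been moved to Historic status by RFC 6331; the preference order here only mirrors the two mechanisms the note names.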



