[swift-users] Swift with Openfire 4.1

Kevin Smith kevin.smith at isode.com
Thu Jan 5 16:38:17 UTC 2017


Hi Ryan,
On 5 Jan 2017, at 15:40, Ryan Hammond <ryan.hammond at di2e.net> wrote:
> 
> We upgraded openfire from 4.0.4 to 4.1.1 this morning.  Suddenly, Swift clients can't connect, getting an "Login/password invalid" error.  Here's a representative stanza:

This looks rather like a bug or misconfiguration in the server at first glance. Looking at the trace

(snip a bit)

> <!-- IN 2017-01-05T16:21:44 -->
> <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="chat.di2e.net" id="6ld1lagz9i" xml:lang="en" version="1.0"><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>EXTERNAL</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/></stream:features>

The server offers two authentication mechanisms - PLAIN, which means “give me a password”, and EXTERNAL, which roughly means “You can avoid further authentication, I’ve already authenticated you by other means (usually by providing a client certificate/CAC/similar)”.

> <!-- OUT 2017-01-05T16:21:44 -->
> <auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="EXTERNAL">=</auth>

So Swift says “Well, if you’ve authenticated me already, let’s just use that”.

> <!-- IN 2017-01-05T16:21:44 -->
> <failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><not-authorized/></failure>

And the server says “Sorry, you’re not authenticated”.

> Other clients (Pidgin, Adium, Transverse) work just fine.

I would guess that they don’t support EXTERNAL (certificate/smartcard/etc.) auth, or that they have different logic (e.g. if they always authenticate with a password even when the server says they don’t need to).

> Any ideas?  I do not know that we need EXTERNAL SASL support but I also don't see how to turn that off in the server.

I don’t think I have much to offer here, I’m afraid, the core issue seems to be the server offering EXTERNAL to a session that can’t use it, and I don’t have any advice on how to resolve that.

/K
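As an added illustration of the exchange Kevin walks through (this is not code from the thread, from Swift or from Openfire), the following Python models the two halves of the negotiation: it parses the server's `<stream:features>` advertisement from the trace, applies a client-side rule that only picks EXTERNAL when a client certificate was actually presented during the TLS handshake, and shows the server-side check that yields the `<not-authorized/>` failure seen above. The feature fragment is reconstructed from the trace with the `stream` namespace declared on the element so it parses stand-alone; the function names and the `client_cert_presented`/`tls_active`/`cert_verified` flags are assumptions for the example.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
STREAM_NS = "http://etherx.jabber.org/streams"

# Constructed from the <stream:features> in the trace above; the stream
# namespace is declared here so the fragment can be parsed on its own.
FEATURES_XML = (
    f'<stream:features xmlns:stream="{STREAM_NS}">'
    f'<mechanisms xmlns="{SASL_NS}">'
    "<mechanism>PLAIN</mechanism><mechanism>EXTERNAL</mechanism>"
    "</mechanisms>"
    '<compression xmlns="http://jabber.org/features/compress">'
    "<method>zlib</method></compression>"
    '<auth xmlns="http://jabber.org/features/iq-auth"/>'
    "</stream:features>"
)


def offered_mechanisms(features_xml: str) -> List[str]:
    """Return the SASL mechanisms the server advertised, in offer order."""
    root = ET.fromstring(features_xml)
    return [m.text for m in root.iter(f"{{{SASL_NS}}}mechanism") if m.text]


def choose_mechanism(offered: List[str], client_cert_presented: bool,
                     tls_active: bool) -> Optional[str]:
    """Client-side selection (assumed policy, not Swift's actual logic).

    EXTERNAL only makes sense if this session already authenticated itself at
    the transport layer, i.e. a client certificate went into the TLS handshake.
    Otherwise the offer is unusable for us and we fall back to PLAIN, which is
    itself only acceptable over TLS because it carries the raw password."""
    if "EXTERNAL" in offered and client_cert_presented:
        return "EXTERNAL"
    if "PLAIN" in offered and tls_active:
        return "PLAIN"
    return None


def server_response(mechanism: str, cert_verified: bool, password_ok: bool) -> str:
    """Server-side check mirroring the trace: EXTERNAL succeeds only when the
    transport already verified the client, PLAIN only when the password is right."""
    ok = (mechanism == "EXTERNAL" and cert_verified) or \
         (mechanism == "PLAIN" and password_ok)
    if ok:
        return f'<success xmlns="{SASL_NS}"/>'
    return f'<failure xmlns="{SASL_NS}"><not-authorized/></failure>'


def response_is_failure(xml_text: str) -> bool:
    """True if the server's SASL reply is a <failure/> element."""
    return ET.fromstring(xml_text).tag == f"{{{SASL_NS}}}failure"


if __name__ == "__main__":
    offered = offered_mechanisms(FEATURES_XML)
    # The session in the trace: no client certificate, EXTERNAL chosen anyway.
    print(server_response("EXTERNAL", cert_verified=False, password_ok=True))
    # Selecting on whether a certificate was really presented picks PLAIN instead.
    print(choose_mechanism(offered, client_cert_presented=False, tls_active=True))
```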

