On Tue, Apr 21, 2015, at 12:48 PM, Greg Troxel wrote:
>
> Hans-Christoph Steiner <[email protected]> writes:
>
> > Does your XMPP server have a TLS certificate from a certificate provider
> > that is in your trust store of your device? That usually means you bought
> > a TLS certificate, but it can also be achieved in other ways, like using
> > https://cacert.org and manually including their certs in your device's
> > trust store.
>
> Yes. I have a private CA, and put that CA cert in as an additional
> trust anchor. firefox and k-9 accept the host cert without issues. I
> do not remember exactly if chatsecure asked me if it was ok to use the
> cert.
>
> Earlier I wrote:
>
> >> Sat Apr 18 19:38:51 2015 [notice] [22] [10.1.2.3, port=40015] connect
> >> Sat Apr 18 19:38:52 2015 [notice] [22] DIGEST-MD5 authentication succeeded: [email protected] 10.1.2.3:40015 TLS
> >> Sat Apr 18 19:38:52 2015 [notice] [22] bound: [email protected]/foo
> >> Sat Apr 18 19:38:52 2015 [notice] session started: [email protected]/foo
> >> Sat Apr 18 19:38:52 2015 [notice] [22] [10.1.2.3, port=40015] disconnect [email protected]/foo, packets: 2
> >> Sat Apr 18 19:38:52 2015 [notice] session ended: [email protected]/foo
> >> Sat Apr 18 19:38:52 2015 [notice] user unloaded [email protected]
>
> I am pretty sure this isn't it, as the server logs above indicate that I
> have authenticated, and surely chatsecure should not be sending my xmpp
> password to a remote system that has failed TLS negotiation (that's most
> of the point of checking for TLS).
>
> I turned up debugging, and the whole sasl login looks ok on the client
> side. But when it looks like it should succeed, chatsecure throws an
> exception.

We can look at the Smack source code here:
https://github.com/rtreffer/smack/blob/master/source/org/jivesoftware/smack/SASLAuthentication.java#L480

Somehow that seems tied to this "session supported" capability:

    /**
     * Notification message saying that the server supports sessions. When a server supports
     * sessions the client needs to send a Session packet after successfully binding a resource
     * for the session.
     */
    void sessionsSupported() {
        sessionSupported = true;
    }

>
> D/SMACK ( 1493): 12:42:43 pm RCV (1109498760): <iq
> xmlns='jabber:client' id='[redacted]' type='result'><bind
> xmlns='urn:ietf:params:xml:ns:xmpp-bind'><jid>[email protected]\
> r.bbn.com/n7</jid></bind></iq>
> E/GB.XmppConnection( 1493): 0 : exception thrown on connection
> E/GB.XmppConnection( 1493): Session establishment not offered by server:
> E/GB.XmppConnection( 1493):     at org.jivesoftware.smack.SASLAuthentication.bindResourceAndEstablishSession(SASLAuthentication.java:481)
> E/GB.XmppConnection( 1493):     at org.jivesoftware.smack.SASLAuthentication.authenticate(SASLAuthentication.java:348)
> E/GB.XmppConnection( 1493):     at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:204)
> E/GB.XmppConnection( 1493):     at info.guardianproject.otr.app.im.plugin.xmpp.XmppConnection.initConnectionAndLogin(XmppConnection.java:997)
> E/GB.XmppConnection( 1493):     at info.guardianproject.otr.app.im.plugin.xmpp.XmppConnection.do_login(XmppConnection.java:859)
> E/GB.XmppConnection( 1493):     at info.guardianproject.otr.app.im.plugin.xmpp.XmppConnection.access$900(XmppConnection.java:129)
> E/GB.XmppConnection( 1493):     at info.guardianproject.otr.app.im.plugin.xmpp.XmppConnection$1.run(XmppConnection.java:819)
> E/GB.XmppConnection( 1493):     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
> E/GB.XmppConnection( 1493):     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
> E/GB.XmppConnection( 1493):     at java.lang.Thread.run(Thread.java:841)
> D/GB.XmppConnection( 1493): 0 : not authorized - will not retry
> D/GB.XmppConnection( 1493): 0 : will not retry
> D/GB.XmppConnection( 1493): 0 : clear ping
> D/GB.XmppConnection( 1493): 0 : connection closed
> _______________________________________________
> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
> To unsubscribe, email: [email protected]
> Email had 1 attachment:
> + Attachment1.2
>   1k (application/pgp-signature)

-- 
Nathan of Guardian
[email protected]
_______________________________________________
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
To unsubscribe, email: [email protected]
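
The check discussed in the message above, as an added example that is not part of the original thread and is not Smack or ChatSecure code: it reads a server's stream features and decides what a client does after resource binding, once with the strict policy that produces the exception in the trace and once with a tolerant policy. The class and method names are hypothetical, the stanzas are constructed samples, and the tolerant branch assumes the client follows RFC 6121, which no longer requires session establishment.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

// Hypothetical helper, not Smack API: picks the post-bind step from <stream:features>.
public class SessionFeatureCheck {
    static final String BIND_NS = "urn:ietf:params:xml:ns:xmpp-bind";
    static final String SESSION_NS = "urn:ietf:params:xml:ns:xmpp-session";

    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // features are identified by namespace, not prefix
        // XMPP streams never carry a DTD; refuse one rather than resolve entities.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    static boolean offers(Document features, String ns, String name) {
        return features.getElementsByTagNameNS(ns, name).getLength() > 0;
    }

    // strict=true reproduces the failure in the trace; strict=false skips the
    // session request when the server did not advertise it (assumed tolerant policy).
    static String afterBind(Document features, boolean strict) {
        if (!offers(features, BIND_NS, "bind")) {
            return "FAIL: resource binding not offered";
        }
        if (offers(features, SESSION_NS, "session")) {
            return "SEND session iq";
        }
        return strict ? "FAIL: Session establishment not offered by server"
                      : "DONE: bound, no session iq needed";
    }

    public static void main(String[] args) throws Exception {
        String head = "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
                + "<bind xmlns='" + BIND_NS + "'/>";
        // Constructed sample stanzas, not captured from the server in the thread.
        String withSession = head + "<session xmlns='" + SESSION_NS + "'/></stream:features>";
        String bindOnly = head + "</stream:features>";

        System.out.println(afterBind(parse(withSession), true));
        System.out.println(afterBind(parse(bindOnly), true));
        System.out.println(afterBind(parse(bindOnly), false));
    }
}
```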
