Fail to authenticate: Failed c2s SCRAM-SHA-512 authentication from ::ffff:10.1.1.93: Incompatible SCRAM methods #3607

Closed
PeterMalkin opened this issue May 18, 2021 · 20 comments

Comments

@PeterMalkin

Before creating a ticket, please consider if this should fit the discussion forum better:
https://github.com/processone/ejabberd/discussions

Environment

  • ejabberd version: 21.04
  • Erlang version: erl +V
  • OS: Linux (Debian)
  • Installed from: source
FROM debian:buster-slim
RUN apt-get -y update
RUN export DEBIAN_FRONTEND=noninteractive && apt-get -y install apt-utils locales locales-all
RUN sed -i -e 's/# en_US.UTF-8 UTF-8/en_US.UTF-8 UTF-8/' /etc/locale.gen && \
    dpkg-reconfigure --frontend=noninteractive locales && \
    update-locale LANG=en_US.UTF-8
ENV LC_ALL en_US.UTF-8
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US.UTF-8
RUN ln -fs /usr/share/zoneinfo/America/Los_Angeles /etc/localtime
RUN export DEBIAN_FRONTEND=noninteractive && apt-get -y install tzdata
RUN export DEBIAN_FRONTEND=noninteractive && dpkg-reconfigure --frontend noninteractive tzdata
RUN export DEBIAN_FRONTEND=noninteractive && apt-get -y install wget
RUN export DEBIAN_FRONTEND=noninteractive && apt-get -y install libexpat1 
RUN wget https://www.process-one.net/downloads/downloads-action.php?file=/21.04/ejabberd_21.04-0_amd64.deb -O ejabberd_21.04.deb
RUN export DEBIAN_FRONTEND=noninteractive && apt-get -y install ./ejabberd_21.04.deb
COPY ./conf/ejabberdctl.cfg /opt/ejabberd/conf/ejabberdctl.cfg
COPY ./conf/ejabberd.yml /opt/ejabberd/conf/ejabberd.yml
COPY ./conf/cert.pem /opt/ejabberd/conf/cert.pem
COPY ./conf/fullchain.pem /opt/ejabberd/conf/fullchain.pem
COPY ./conf/privkey.pem /opt/ejabberd/conf/privkey.pem
RUN chown ejabberd:ejabberd /opt/ejabberd/conf/*
VOLUME ["/opt/ejabberd/database", "/opt/ejabberd/upload", "/opt/ejabberd/logs"]
EXPOSE 1883 4369-4399 5222 5269 5280 5443
CMD ["/opt/ejabberd-21.04/bin/ejabberdctl", "foreground", "--node", "domain.net"]

Configuration (only if needed): grep -Ev '^$|^\s*#' ejabberd.yml

https://gist.github.com/PeterMalkin/926c28cc73b33054228de4e782b261b3

Errors

2021-05-18 07:01:03.054 [info] <0.382.0>@ejabberd_listener:accept:273 (<0.1204.0>) Accepted connection [::ffff:10.1.1.93]:46684 -> [::ffff:172.23.0.5]:5222
2021-05-18 07:01:03.139 [warning] <0.1204.0>@ejabberd_c2s:process_auth_result:276 (tls|<0.1204.0>) Failed c2s SCRAM-SHA-512 authentication from ::ffff:10.1.1.93: Incompatible SCRAM methods

Bug description

Failure to authenticate using several mobile clients.

Tried:
https://play.google.com/store/apps/details?id=im.blabber.messenger
https://play.google.com/store/apps/details?id=eu.siacs.conversations

Phone: Google Pixel 4a

I can successfully connect using other clients, such as aTalks for Android and Dino for Linux.
My friend can connect successfully to the same server using the Conversations Android client from a Huawei device.

@PeterMalkin
Author

Sorry, my friend's phone is "xiaomi mi mix 2"

@licaon-kter
Contributor

Is the database volume fresh or a backup?

@dsvi

dsvi commented May 18, 2021

Fresh, it is

@licaon-kter
Contributor

licaon-kter commented May 18, 2021

Can you install latest ejabberd from buster-backports Debian repo instead and retest?

@dsvi

dsvi commented May 18, 2021

21.04 is already the latest

@licaon-kter
Contributor

Not what I've said :)

@prefiks
Member

prefiks commented May 18, 2021

I think it looks more like the client not being able to authenticate using that method than any bug in the server. You could try disabling the sha512 mechanisms by adding

disable_sasl_mechanisms:
  - "SCRAM-SHA-512"
  - "SCRAM-SHA-512-PLUS"

to your config.

@PeterMalkin
Author

Thank you for the suggestion.
Disabling SHA-512 still results in an inability to authenticate, however with a different error:

2021-05-19 08:42:50.836 [info] <0.394.0>@ejabberd_listener:accept:273 (<0.568.0>) Accepted connection [::ffff:10.1.1.93]:48104 -> [::ffff:172.25.0.3]:5222
2021-05-19 08:42:50.916 [warning] <0.568.0>@ejabberd_c2s:process_auth_result:276 (tls|<0.568.0>) Failed c2s SCRAM-SHA-256 authentication from ::ffff:10.1.1.93: Incompatible SCRAM methods
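
The two warnings quoted so far can be separated from ordinary bad-password failures when triaging a larger log. The following is an added example, not part of the original thread or of ejabberd: it groups failed c2s logins by source and marks sources whose only failure reason is "Incompatible SCRAM methods". The last sample line, including its address and reason text, is constructed for contrast.

```python
import ipaddress
import re
from collections import defaultdict

# Warning format as it appears in the log excerpts quoted in this thread.
FAILED_AUTH = re.compile(
    r"\[warning\] .*Failed c2s (?P<mech>\S+) authentication "
    r"from (?P<src>\S+): (?P<reason>.+)$"
)
MISMATCH = "Incompatible SCRAM methods"

# Constructed sample. The two 10.1.1.93 warnings repeat the ones quoted in the
# thread; the final line (address and reason text) is invented for contrast.
SAMPLE_LOG = """\
2021-05-18 07:01:03.054 [info] <0.382.0>@ejabberd_listener:accept:273 (<0.1204.0>) Accepted connection [::ffff:10.1.1.93]:46684 -> [::ffff:172.23.0.5]:5222
2021-05-18 07:01:03.139 [warning] <0.1204.0>@ejabberd_c2s:process_auth_result:276 (tls|<0.1204.0>) Failed c2s SCRAM-SHA-512 authentication from ::ffff:10.1.1.93: Incompatible SCRAM methods
2021-05-19 08:42:50.916 [warning] <0.568.0>@ejabberd_c2s:process_auth_result:276 (tls|<0.568.0>) Failed c2s SCRAM-SHA-256 authentication from ::ffff:10.1.1.93: Incompatible SCRAM methods
2021-05-19 08:43:10.002 [warning] <0.571.0>@ejabberd_c2s:process_auth_result:276 (tls|<0.571.0>) Failed c2s SCRAM-SHA-1 authentication from ::ffff:192.0.2.7: Invalid username or password
"""

def normalize(addr):
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return addr  # keep unparseable values as logged
    return str(getattr(ip, "ipv4_mapped", None) or ip)

def triage(log_text):
    """Group failed c2s logins by source and classify the cause."""
    by_src = defaultdict(lambda: {"mechs": [], "reasons": set()})
    for line in log_text.splitlines():
        m = FAILED_AUTH.search(line)
        if not m:
            continue  # info lines and unrelated warnings are skipped
        entry = by_src[normalize(m["src"])]
        entry["mechs"].append(m["mech"])
        entry["reasons"].add(m["reason"].strip())
    report = {}
    for src, e in by_src.items():
        # Only mismatch reasons: negotiation problem, not a wrong password.
        kind = "mechanism-mismatch" if e["reasons"] == {MISMATCH} else "credential-failure"
        report[src] = {"mechs": e["mechs"], "kind": kind}
    return report

if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG).items():
        print(src, info["kind"], " -> ".join(info["mechs"]))
```
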

@licaon-kter
Contributor

Now disable that too for 256...

@PeterMalkin
Author

disable_sasl_mechanisms:
  - "SCRAM-SHA-512"
  - "SCRAM-SHA-512-PLUS"
  - "SCRAM-SHA-256"
  - "SCRAM-SHA-256-PLUS"

Allows authentication.

@PeterMalkin
Author

Now it is using "DIGEST-MD5 authentication" for auth.
I am curious to know why SHA is not supported between those two codebases.

@licaon-kter
Contributor

licaon-kter commented May 19, 2021

Something is way off. Do try to setup from Debian too and test, as said above, so we can exclude an error in the site .DEB.

@dsvi

dsvi commented May 19, 2021

What library do you use to make the secure connection?

@PeterMalkin
Author

Which .deb do you want me to use exactly?

@licaon-kter
Contributor

@PeterMalkin add the Backports repo first, then apt install -t buster-backports ejabberd

@PeterMalkin
Author

It seems buster-backports has an older version of the package: https://packages.debian.org/source/buster-backports/ejabberd
Anyway, I used the 21.01 from Debian backports instead of the latest .deb published by ProcessOne, but I am still unable to log in.

@dsvi

dsvi commented May 20, 2021

Kind of weird that I can. On the same server with the same Conversations.
Any idea what it can be?
Maybe there is some verbose logging available?

@Neustradamus

@PeterMalkin, I am not sure I understand, when you have:

disable_sasl_mechanisms:
  - "SCRAM-SHA-512"
  - "SCRAM-SHA-512-PLUS"
  - "SCRAM-SHA-256"
  - "SCRAM-SHA-256-PLUS"

Do you have SCRAM-SHA-1 or DIGEST-MD5?

@Neustradamus

@PeterMalkin: Is it solved?

@PeterMalkin
Author

Not sure it is solved. But if you replace the version of ejabberd with the latest (21.07) and replace your clients, this error does not show up anymore.
