SASL/SCRAM-SHA support using another xmpp lib

[vrajroutu]

2018/11/08 21:51:13 Connecting to dr-openfire.lamar.com:5222 2018/11/08 21:51:13 Start TLS 2018/11/08 21:51:13 Authenticating 2018/11/08 21:51:13 no supported SASL mechanism found

My Openfire config

`

sasl.mechs.00001 | DIGEST-MD5 |   |   |  

sasl.mechs.00002 | SCRAM-SHA-1

`

[SamWhited]

You need to enable SASL PLAIN auth in Openfire.

[tmsmr]

Hi @kishorerv93. As @SamWhited mentioned, the underlying package i'm using only supports SASL PLAIN.

@SamWhited Thx for helping. I'm suprised someone is actually using this tool tbh 😄. And then another guy (you) is even answering questions. May i ask if this was just coincidence? Was it the XMPP tag?

[SamWhited]

@opthomas-prime Sure thing; glad I could be of service. I'm not using this project right this moment, but I was setting up an alertmanager instance and wanted a way to get alerts on my phone without paying for an expensive notifications service so I was looking into using our existing chat service (conversations.im) and started watching this.

If you're interested in adding SCRAM support to the library you use, I have an implementation that I built for another (also XMPP related) project here: https://godoc.org/mellium.im/sasl

[tmsmr]

@SamWhited I'm considering switching the lib anyway. So let's see 😄

[alexanderadam]

At least there's already an open issue for it in go-xmpp.

[tmsmr]

I don't think there will be any changes in https://github.com/mattn/go-xmpp tbh. I'll check for other libs tomorrow. IF there are alternatives i'll reopen the issue.

[SamWhited]

Shameless self promotion: I just did a release of mellium.im/xmpp that I think will make the API more or less stable (though it's still not 1.0 and I'm not making any guarantees, it's waiting on some changes to the encoding/xml package that may still break things). I'm not sure if it would fit your needs or not (right now it's a bit low-level, I'd like to do a higher-level client package at some point), but I'd be curious to get your feedback on the design and API either way if you evaluate it or have the time to take a look.

The only other maintained XMPP library that I'm aware of is gosrc.io/xmpp in case you want to compare. I believe this one is maintained and owned by ProcessOne (the ejabberd folks).

[tmsmr]

Hey @SamWhited! Thanks for your input. I'll check your lib first. Are you availlable on IRC if i have problems/questions?

[SamWhited]

@opthomas-prime I can be; I normally don't leave it on, but I'll try to stay logged in even when I'm away from my computer today so I can get back to you. I'm SamWhited on Freenode, Mozilla, or GeekShed. Also my JID is the same as my email (sam@samwhited.com) if you prefer either of those. Just say hi and don't wait for a subscription; I don't normally add people as friends first.

[tmsmr]

@SamWhited Great. I won't be able to check this today. I'll just ping you here if you are not online on freenode Freenode tomorrow!?

[SamWhited]

@opthomas-prime if you could drop me an email or message me on any XMPP compatible service instead I'd appreciate it. I'll try to remember to log in on IRC tomorrow too though.

[tmsmr]

@SamWhited We'll find a way :D. No need to stay online for this - we got plenty of time...

[tmsmr]

Hi @SamWhited i started to play around with mellium.im/xmpp.
Unfortunately i got some problems (Mainly caused by lacking knowledge with XMPP i guess...).

https://github.com/opthomas-prime/xmpp-webhook/blob/mellium-xmpp/main.go#L21

• The server i'm connecting to has no SRV records, so i had to use a custom dialer (NoLookup: true).
• The server i'm connecting to has only StartTLS enabled (forced) and no dedicated TLS Port, so i had to specify NoTLS: true

I'm not sure if im doing this correctly. This feels kinda wrong. Shouldn't the XMPP lib figure out how to connect to a server? Maybe i was just lucky with our configuration, but github.com/emgee/go-xmpp/src/xmpp 'just worked'.

https://github.com/opthomas-prime/xmpp-webhook/blob/mellium-xmpp/main.go#L74 fails with https://github.com/mellium/xmpp/blob/master/session.go#L360

• 'tok' is 'version='1.0'
• The value doesn't seem to be complete garbage - do you have any hints?

[SamWhited]

I'm not sure if im doing this correctly. This feels kinda wrong. Shouldn't the XMPP lib figure out how to connect to a server?

For the most part it does, but you do have to specify no TLS, otherwise it could be subject to downgrade attacks. I suppose I could change things to make setting NoTLS just allow fallback, but that seems like it could be risky and that people would set it without understanding the consequences. I'll have to think about that one.

The value doesn't seem to be complete garbage - do you have any hints?

I've never seen that before; any chance you can record the stream and send me a copy? This definitely should never be hit so that sounds like a pretty serious bug in either the server or my library (and it's more likely to be my library).

[SamWhited]

I forgot to mention, if you do have an XMPP account anywhere a handful of us hang out in golang@conference.samwhited.com, a Go focused room on my server. You'd be welcome to join us and ask any questions there (or I'm online now so feel free to ping me on IRC).

[Neustradamus]

Do you know Jackal?

• https://github.com/ortuman/jackal

[alexanderadam]

@Neustradamus Jackal is a XMPP server and not a client library, or am I missing something here?

[Neustradamus]

Yes it is an XMPP server, it is only an information ^^

[Neustradamus]

Linked to:

• State of Play scram-sasl/info#1

[tmsmr]

Thanks for the info @Neustradamus. I am currently trying to switch to Sam's XMPP lib (mellium.im/xmpp/). Unfortunately there are some problems with ejabberd and i am not able (time-wise) to support Sam at the moment with the required informations to fix these things. I will have some spare time in the upcoming weekends and will try to sort things out then...

[Neustradamus]

@opthomas-prime: Yes for @SamWhited lib, it is a good news.
Have you tested Jackal XMPP server?
It must to be a solution to replace your ejabberd?
Not all features yet but maybe good to contrib?
Contact @ortuman, the main dev for more informations...

[tmsmr]

@Neustradamus No, i haven't. We are using ejabberd in the company im working at - there are currently no plans to replace it, since it does a pretty good job. But when the current isses/features in this project are resolved/done, i'll test the webhook against some servers (Including Jackal).

[tmsmr]

I decided that we have to switch to Prosody at our company. I wasn't able to track down the problem with Sam's XMPP lib and our Ejabberd Version/Environment completely - so i'm trying to be pragmatic 😄...
I'm going to work on the required steps to switch to Sam's lib in the coming days...

[tmsmr]

@kishorerv93 SASL/SCRAM should work now in https://github.com/opthomas-prime/xmpp-webhook/tree/mellium-xmpp. It would be great if you guys (If you are actually using this tool) could test if the connection/discovery with your Jabber-Server is still working correctly...

[tmsmr]

Fixed with #11

[Neustradamus]

@opthomas-prime: Thanks for your changes!

Now it works for SCRAM-SHA-1 + SCRAM-SHA-1-PLUS + SCRAM-SHA-256 + SCRAM-SHA-256-PLUS and other?

[tmsmr]

It now supports: SASL PLAIN, SCRAM-SHA-1 and SCRAM-SHA-1-PLUS

[alexanderadam]

@Neustradamus to be more specific: it supports exactly the same things that mellium/xmpp supports.
So this means if you are missing something, it should be handled in the dedicated issue tracker of the library.

[Neustradamus]

@SamWhited, mellium/xmpp does not support SCRAM-SHA-256 and SCRAM-SHA-256-PLUS?

[SamWhited]

@Neustradamus it supports whatever you want to write using it, but those are also builtin. See the list of Mechanism's.

[tmsmr]

Hi @Neustradamus, @SamWhited and @alexanderadam. This is indeed a configuration on my side. I totally missed, that SCRAM-SHA-256 and SCRAM-SHA-256-PLUS is supported by https://github.com/mellium/xmpp/ aswell. I'll test and fix that ASAP!

[SamWhited]

It's not really a big deal either way, very few people support SCRAM-SHA-256, and those that do also likely support SHA-1, but thanks for looking into it :)

[tmsmr]

I want to get the best out of your lib @SamWhited 😄, so thanks for the hint. Is anyone able to test SCRAM-SHA-256 if i add it to the supported methods?

[tmsmr]

(Finally/Hopefully) fixed with d4329d0

[Neustradamus]

@opthomas-prime: Thanks!
Are you sure about the order?
It must be 256-PLUS>256>1-PLUS>1>PLAIN, no?

[tmsmr]

You are right, my bad. I changed and amended it... (-> 90dd350)