Skip navigation
Up to Discussions in Openfire Dev
2689 Views 2 Replies Latest reply: Sep 16, 2006 3:52 PM by Norman Rasmussen RSS
Norman Rasmussen Bronze
Norman Rasmussen
83 posts since
Feb 12, 2006
Currently Being Moderated

Sep 16, 2006 2:45 PM

[BUG] SASL mechanisms provided if TLS is required

RFC 3920: Section 6.2.2:

                                                                 If Use

       of TLS (Section 5) needs to be established before a particular

       authentication mechanism may be used, the receiving entity MUST

       NOT provide that mechanism in the list of available SASL

       authentication mechanisms prior to TLS negotiation.  

 

so in /src/java/org/jivesoftware/wildfire/ClientSession.java: (line ~300)

 

        sb.append("");

        }

        if (connection.getTlsPolicy() != Connection.TLSPolicy.required) {

            // Include available SASL Mechanisms

            sb.append(SASLAuthentication.getSASLMechanisms(session));

        }

        // Include Stream features

        String specificFeatures = session.getAvailableStreamFeatures();

        if (specificFeatures != null) {

            sb.append(specificFeatures);

        }

        sb.append("</stream:features>");

  • LG KeyContributor
    LG
    5,935 posts since
    Dec 13, 2005
    Currently Being Moderated
    Sep 16, 2006 3:35 PM (in response to Norman Rasmussen)
    Re: [BUG] SASL mechanisms provided if TLS is required

    Hi Norman,

     

    this seems to be the only location where the SASL authentication methods are sent to the client, so if you change it like this the server seems to be no longer able to send SASL methods. Or did I miss something?

     

    Does this RFC also apply for s2s, there''s very similar code in IncomingServerSession.java?

     

    LG

    • Norman Rasmussen Bronze
      Norman Rasmussen
      83 posts since
      Feb 12, 2006
      Currently Being Moderated
      Sep 16, 2006 3:52 PM (in response to LG)
      Re: [BUG] SASL mechanisms provided if TLS is required

      Ahh, then my guess would be that the SASLAuthentication.getSASLMechanisms call should be moved into the getAvailableStreamFeatures method at the same place that the iq-auth is announced.

       

      And on the IncomingServerSession you''d need to do a similar check for ''is tls required''/''issecure'', and only announce the sasl mechs if it''s secure, or doesn''t require tls.

       

      Message was edited by: normanr

More Like This

  • Retrieving data ...

Bookmarked By (0)