public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] pidgin, ssl, and xmpp
@ 2012-01-07  2:56 Andrey Moshbear
  2012-01-07  4:04 ` Pandu Poluan
  0 siblings, 1 reply; 4+ messages in thread
From: Andrey Moshbear @ 2012-01-07  2:56 UTC
  To: gentoo-user

With the following pidgin debug log:
(21:46:56) account: Connecting to account XXX@gmail.com/.
(21:46:56) connection: Connecting. gc = 0x1d44780
(21:46:56) dnssrv: querying SRV record for gmail.com:
_xmpp-client._tcp.gmail.com
(21:46:56) dnssrv: found 5 SRV entries
(21:46:56) dnsquery: Performing DNS lookup for xmpp.l.google.com
(21:46:56) dns: Successfully sent DNS request to child 805
(21:46:56) dns: Got response for 'xmpp.l.google.com'
(21:46:56) dnsquery: IP resolved for xmpp.l.google.com
(21:46:56) proxy: Attempting connection to 209.85.225.125
(21:46:56) proxy: Connecting to xmpp.l.google.com:5222 with no proxy
(21:46:56) proxy: Connection in progress
(21:46:56) proxy: Connecting to xmpp.l.google.com:5222.
(21:46:56) proxy: Connected to xmpp.l.google.com:5222.
(21:46:56) jabber: Sending (XXX@gmail.com): <?xml version='1.0' ?>
(21:46:56) jabber: Sending (XXX@gmail.com): <stream:stream
to='gmail.com' xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
(21:46:56) jabber: Recv (138): <stream:stream from="gmail.com"
id="0A69C2453F195AB0" version="1.0"
xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client">
(21:46:56) jabber: Recv (241): <stream:features><starttls
xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><mechanisms
xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>X-GOOGLE-TOKEN</mechanism><mechanism>X-OAUTH2</mechanism></mechanisms></stream:features>
(21:46:56) jabber: Sending (XXX@gmail.com): <starttls
xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(21:46:56) jabber: Recv (50): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
(21:46:56) gnutls: Starting handshake with gmail.com
(21:46:56) util: Writing file prefs.xml to directory /home/XXX/.purple
(21:46:56) util: Writing file /home/XXX/.purple/prefs.xml
(21:46:56) gnutls: Handshake complete
(21:46:56) gnutls/x509: Key print:
0c:99:2a:04:72:48:59:1a:3c:cf:ab:60:d0:2a:9e:73:73:42:f0:08
(21:46:56) gnutls/x509: Key print:
dd:7a:7f:13:1d:db:a3:3d:3e:86:70:17:94:83:e6:fe:a6:98:7d:6a
(21:46:56) gnutls: Peer provided 2 certs
(21:46:56) gnutls: Lvl 0 SHA1 fingerprint:
0c:99:2a:04:72:48:59:1a:3c:cf:ab:60:d0:2a:9e:73:73:42:f0:08
(21:46:56) gnutls: Serial: 6d:ca:e4:9f:00:03:00:00:34:be
(21:46:56) gnutls: Cert DN: C=US,ST=California,L=Mountain
View,O=Google Inc.,CN=gmail.com
(21:46:56) gnutls: Cert Issuer DN: C=US,O=Google Inc,CN=Google
Internet Authority
(21:46:56) gnutls: Lvl 1 SHA1 fingerprint:
dd:7a:7f:13:1d:db:a3:3d:3e:86:70:17:94:83:e6:fe:a6:98:7d:6a
(21:46:56) gnutls: Serial: 0b:67:71
(21:46:56) gnutls: Cert DN: C=US,O=Google Inc,CN=Google Internet Authority
(21:46:56) gnutls: Cert Issuer DN: C=US,O=Equifax,OU=Equifax Secure
Certificate Authority
(21:46:56) certificate/x509/tls_cached: Starting verify for gmail.com
(21:46:56) certificate/x509/tls_cached: Checking for cached cert...
(21:46:56) certificate/x509/tls_cached: ...Found cached cert
(21:46:56) gnutls: Attempting to load X.509 certificate from
/home/XXX/.purple/certificates/x509/tls_peers/gmail.com
(21:46:56) certificate/x509/tls_cached: Peer cert matched cached
(21:46:56) util: Writing file
/home/XXX/.purple/certificates/x509/tls_peers/gmail.com
(21:46:56) certificate: Successfully verified certificate for gmail.com
(21:46:56) jabber: Sending (ssl) (XXX@gmail.com): <stream:stream
to='gmail.com' xmlns='jabber:client'
xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
(21:46:56) jabber: Recv (ssl)(138): <stream:stream from="gmail.com"
id="6C45C0A9313259E1" version="1.0"
xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client">
(21:46:56) jabber: Recv (ssl)(197): <stream:features><mechanisms
xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>X-GOOGLE-TOKEN</mechanism><mechanism>X-OAUTH2</mechanism></mechanisms></stream:features>
(21:46:56) sasl: sasl_state is -1, failing the mech and trying again
(21:46:56) connection: Connection error on 0x1d44780 (reason: 3
description: Server does not use any supported authentication method)
(21:46:57) account: Disconnecting account XXX@gmail.com/ (0x1a3dbb0)
(21:46:57) connection: Disconnecting connection 0x1d44780
(21:46:57) jabber: Sending (ssl) (XXX@gmail.com): </stream:stream>
(21:46:57) connection: Destroying connection 0x1d44780

and USE flags:
dev-libs/cyrus-sasl-2.1.25 berkdb gdbm java kerberos mysql pam
postgres sqlite ssl -authdaemond -elibc_FreeBSD -ldapdb -openldap
-sample -srp -static-libs -urandom
net-im/pidgin-2.10.1 dbus debug doc gnutls gstreamer gtk idn ncurses
nls perl python sasl spell tcl tk xscreensaver -eds -gadu -groupwise
-meanwhile -networkmanager -prediction -silc -zephyr -zeroconf
net-libs/gnutls-2.10.5 cxx doc lzo nls zlib -bindist -examples -guile -test

where exactly is the SSL problem?




* Re: [gentoo-user] pidgin, ssl, and xmpp
  2012-01-07  2:56 [gentoo-user] pidgin, ssl, and xmpp Andrey Moshbear
@ 2012-01-07  4:04 ` Pandu Poluan
  2012-01-07  4:11   ` Andrey Moshbear
  0 siblings, 1 reply; 4+ messages in thread
From: Pandu Poluan @ 2012-01-07  4:04 UTC
  To: gentoo-user


On Jan 7, 2012 9:59 AM, "Andrey Moshbear" <andrey.vul@gmail.com> wrote:
>
> With the following pidgin debug log:
> (21:46:56) account: Connecting to account XXX@gmail.com/.
> (21:46:56) connection: Connecting. gc = 0x1d44780
> (21:46:56) dnssrv: querying SRV record for gmail.com:
> _xmpp-client._tcp.gmail.com
> (21:46:56) dnssrv: found 5 SRV entries
> (21:46:56) dnsquery: Performing DNS lookup for xmpp.l.google.com
> (21:46:56) dns: Successfully sent DNS request to child 805
> (21:46:56) dns: Got response for 'xmpp.l.google.com'
> (21:46:56) dnsquery: IP resolved for xmpp.l.google.com
> (21:46:56) proxy: Attempting connection to 209.85.225.125
> (21:46:56) proxy: Connecting to xmpp.l.google.com:5222 with no proxy
> (21:46:56) proxy: Connection in progress
> (21:46:56) proxy: Connecting to xmpp.l.google.com:5222.
> (21:46:56) proxy: Connected to xmpp.l.google.com:5222.
> (21:46:56) jabber: Sending (XXX@gmail.com): <?xml version='1.0' ?>
> (21:46:56) jabber: Sending (XXX@gmail.com): <stream:stream
> to='gmail.com' xmlns='jabber:client'
> xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
> (21:46:56) jabber: Recv (138): <stream:stream from="gmail.com"
> id="0A69C2453F195AB0" version="1.0"
> xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client">
> (21:46:56) jabber: Recv (241): <stream:features><starttls
> xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><mechanisms
> xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>X-GOOGLE-TOKEN</mechanism><mechanism>X-OAUTH2</mechanism></mechanisms></stream:features>
> (21:46:56) jabber: Sending (XXX@gmail.com): <starttls
> xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
> (21:46:56) jabber: Recv (50): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
> (21:46:56) gnutls: Starting handshake with gmail.com
> (21:46:56) util: Writing file prefs.xml to directory /home/XXX/.purple
> (21:46:56) util: Writing file /home/XXX/.purple/prefs.xml
> (21:46:56) gnutls: Handshake complete
> (21:46:56) gnutls/x509: Key print:
> 0c:99:2a:04:72:48:59:1a:3c:cf:ab:60:d0:2a:9e:73:73:42:f0:08
> (21:46:56) gnutls/x509: Key print:
> dd:7a:7f:13:1d:db:a3:3d:3e:86:70:17:94:83:e6:fe:a6:98:7d:6a
> (21:46:56) gnutls: Peer provided 2 certs
> (21:46:56) gnutls: Lvl 0 SHA1 fingerprint:
> 0c:99:2a:04:72:48:59:1a:3c:cf:ab:60:d0:2a:9e:73:73:42:f0:08
> (21:46:56) gnutls: Serial: 6d:ca:e4:9f:00:03:00:00:34:be
> (21:46:56) gnutls: Cert DN: C=US,ST=California,L=Mountain
> View,O=Google Inc.,CN=gmail.com
> (21:46:56) gnutls: Cert Issuer DN: C=US,O=Google Inc,CN=Google
> Internet Authority
> (21:46:56) gnutls: Lvl 1 SHA1 fingerprint:
> dd:7a:7f:13:1d:db:a3:3d:3e:86:70:17:94:83:e6:fe:a6:98:7d:6a
> (21:46:56) gnutls: Serial: 0b:67:71
> (21:46:56) gnutls: Cert DN: C=US,O=Google Inc,CN=Google Internet Authority
> (21:46:56) gnutls: Cert Issuer DN: C=US,O=Equifax,OU=Equifax Secure
> Certificate Authority
> (21:46:56) certificate/x509/tls_cached: Starting verify for gmail.com
> (21:46:56) certificate/x509/tls_cached: Checking for cached cert...
> (21:46:56) certificate/x509/tls_cached: ...Found cached cert
> (21:46:56) gnutls: Attempting to load X.509 certificate from
> /home/XXX/.purple/certificates/x509/tls_peers/gmail.com
> (21:46:56) certificate/x509/tls_cached: Peer cert matched cached
> (21:46:56) util: Writing file
> /home/XXX/.purple/certificates/x509/tls_peers/gmail.com
> (21:46:56) certificate: Successfully verified certificate for gmail.com
> (21:46:56) jabber: Sending (ssl) (XXX@gmail.com): <stream:stream
> to='gmail.com' xmlns='jabber:client'
> xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
> (21:46:56) jabber: Recv (ssl)(138): <stream:stream from="gmail.com"
> id="6C45C0A9313259E1" version="1.0"
> xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client">
> (21:46:56) jabber: Recv (ssl)(197): <stream:features><mechanisms
> xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>X-GOOGLE-TOKEN</mechanism><mechanism>X-OAUTH2</mechanism></mechanisms></stream:features>
> (21:46:56) sasl: sasl_state is -1, failing the mech and trying again
> (21:46:56) connection: Connection error on 0x1d44780 (reason: 3
> description: Server does not use any supported authentication method)
> (21:46:57) account: Disconnecting account XXX@gmail.com/ (0x1a3dbb0)
> (21:46:57) connection: Disconnecting connection 0x1d44780
> (21:46:57) jabber: Sending (ssl) (XXX@gmail.com): </stream:stream>
> (21:46:57) connection: Destroying connection 0x1d44780
>
> and USE flags:
> dev-libs/cyrus-sasl-2.1.25 berkdb gdbm java kerberos mysql pam
> postgres sqlite ssl -authdaemond -elibc_FreeBSD -ldapdb -openldap
> -sample -srp -static-libs -urandom
> net-im/pidgin-2.10.1 dbus debug doc gnutls gstreamer gtk idn ncurses
> nls perl python sasl spell tcl tk xscreensaver -eds -gadu -groupwise
> -meanwhile -networkmanager -prediction -silc -zephyr -zeroconf
> net-libs/gnutls-2.10.5 cxx doc lzo nls zlib -bindist -examples -guile -test
>
> where exactly is the SSL problem?
>

It's not an SSL problem, but a SASL authentication failure.

Check the following, might help:

http://askubuntu.com/questions/88989/unable-to-connect-to-google-talk-using-pidgin-sasl-error

Rgds,


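The diagnosis in the reply above can be read straight off the debug log: TLS and certificate verification both succeed, and the failure comes only afterwards, at SASL mechanism selection. The following is an added example, not part of the thread and not Pidgin code; it triages unwrapped excerpts of the posted log by layer, and the `triage` function and its result keys are illustrative names.

```python
import re

# Constructed sample: excerpts of the debug log posted above, with wrapped lines rejoined.
SAMPLE_LOG = """\
(21:46:56) jabber: Recv (241): <stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>X-GOOGLE-TOKEN</mechanism><mechanism>X-OAUTH2</mechanism></mechanisms></stream:features>
(21:46:56) gnutls: Handshake complete
(21:46:56) certificate: Successfully verified certificate for gmail.com
(21:46:56) jabber: Recv (ssl)(197): <stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>X-GOOGLE-TOKEN</mechanism><mechanism>X-OAUTH2</mechanism></mechanisms></stream:features>
(21:46:56) sasl: sasl_state is -1, failing the mech and trying again
(21:46:56) connection: Connection error on 0x1d44780 (reason: 3 description: Server does not use any supported authentication method)
"""

LINE = re.compile(r"^\((\d\d:\d\d:\d\d)\) ([\w/]+): (.*)$")
MECH = re.compile(r"<mechanism>([^<]+)</mechanism>")

def triage(log_text):
    """Return the evidence found per layer and which layer failed."""
    r = {"tls_handshake": False, "cert_verified": False,
         "mechs_cleartext": [], "mechs_tls": [],
         "sasl_error": None, "conn_error": None}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation of a wrapped line, or unrelated text
        _, category, msg = m.groups()
        if category == "gnutls" and msg == "Handshake complete":
            r["tls_handshake"] = True
        elif category == "certificate" and msg.startswith("Successfully verified"):
            r["cert_verified"] = True
        elif category == "jabber" and "<mechanisms" in msg:
            # "(ssl)" marks stanzas received inside the TLS session
            key = "mechs_tls" if msg.startswith("Recv (ssl)") else "mechs_cleartext"
            r[key] = MECH.findall(msg)
        elif category == "sasl" and "failing" in msg:
            r["sasl_error"] = msg
        elif category == "connection" and msg.startswith("Connection error"):
            r["conn_error"] = msg
    if not (r["tls_handshake"] and r["cert_verified"]):
        r["failed_layer"] = "tls"
    elif r["sasl_error"] or r["conn_error"]:
        r["failed_layer"] = "sasl"
    else:
        r["failed_layer"] = None
    return r
```

On the sample, PLAIN appears only in the mechanism list received after STARTTLS, so the password mechanism is never offered on the cleartext stream.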

* Re: [gentoo-user] pidgin, ssl, and xmpp
  2012-01-07  4:04 ` Pandu Poluan
@ 2012-01-07  4:11   ` Andrey Moshbear
  2012-01-07  4:28     ` Pandu Poluan
  0 siblings, 1 reply; 4+ messages in thread
From: Andrey Moshbear @ 2012-01-07  4:11 UTC
  To: gentoo-user

On Fri, Jan 6, 2012 at 23:04, Pandu Poluan <pandu@poluan.info> wrote:
>
> On Jan 7, 2012 9:59 AM, "Andrey Moshbear" <andrey.vul@gmail.com> wrote:
>>
[snip]
>>
>> where exactly is the SSL problem?
>>
>
> It's not an SSL problem, but a SASL authentication failure.
>
> Check the following, might help:
>
> http://askubuntu.com/questions/88989/unable-to-connect-to-google-talk-using-pidgin-sasl-error
>

Interesting how having

127.0.0.1 localhost
::1 localhost

instead of

127.0.0.1 localhost hostname
::1 localhost hostname

causes subtle issues.

And yes, that fixed it. Thanks for the link.



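The fix reported in the message above was adding the machine's hostname to both loopback lines in /etc/hosts. A check for that condition follows as an added example, not part of the thread; `mybox` is a placeholder hostname and the function names are illustrative.

```python
import ipaddress

# Constructed samples mirroring the two /etc/hosts variants quoted above;
# "mybox" stands in for the machine's own hostname.
HOSTS_BEFORE = "127.0.0.1 localhost\n::1 localhost\n"
HOSTS_AFTER = "127.0.0.1 localhost mybox\n::1 localhost mybox\n"

def loopback_names(hosts_text):
    """Map address family (4 or 6) to the names bound to a loopback address."""
    names = {4: set(), 6: set()}
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a parseable address; skip the line
        if addr.is_loopback:
            names[addr.version].update(n.lower() for n in fields[1:])
    return names

def missing_families(hosts_text, hostname):
    """Return the address families whose loopback lines lack the hostname."""
    full = hostname.lower()
    wanted = {full, full.split(".", 1)[0]}  # accept FQDN or short name
    bound = loopback_names(hosts_text)
    return [fam for fam in (4, 6) if not (wanted & bound[fam])]

if __name__ == "__main__":
    import socket
    with open("/etc/hosts") as fh:
        print(missing_families(fh.read(), socket.gethostname()))
```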

* Re: [gentoo-user] pidgin, ssl, and xmpp
  2012-01-07  4:11   ` Andrey Moshbear
@ 2012-01-07  4:28     ` Pandu Poluan
  0 siblings, 0 replies; 4+ messages in thread
From: Pandu Poluan @ 2012-01-07  4:28 UTC
  To: gentoo-user


On Jan 7, 2012 11:14 AM, "Andrey Moshbear" <andrey.vul@gmail.com> wrote:
>
> On Fri, Jan 6, 2012 at 23:04, Pandu Poluan <pandu@poluan.info> wrote:
> >
> > On Jan 7, 2012 9:59 AM, "Andrey Moshbear" <andrey.vul@gmail.com> wrote:
> >>
> [snip]
> >>
> >> where exactly is the SSL problem?
> >>
> >
> > It's not an SSL problem, but a SASL authentication failure.
> >
> > Check the following, might help:
> >
> > http://askubuntu.com/questions/88989/unable-to-connect-to-google-talk-using-pidgin-sasl-error
> >
>
> Interesting how having
>
> 127.0.0.1 localhost
> ::1 localhost
>
> instead of
>
> 127.0.0.1 localhost hostname
> ::1 localhost hostname
>
> causes subtle issues.
>
> And yes, that fixed it. Thanks for the link.
>

I think the SASL handshake appended the hostname somewhere, and Google
rejected all auth attempts from "localhost".

But that's just some speculation.

Anyways, glad it helped.

Rgds,

