Miranda NG Official Community Forum
Forum for English speaking Miranda NG users => Bug reports => Topic started by: Chol on 09 11 2015, 17:31:11
-
Since the nightly I got on November 2nd, I cannot connect to Jabber any more, getting an SSL connection failure. I suspect it is related to http://forum.miranda-ng.org/index.php?topic=4352.0, so I wrote the author a private message, but did not get a response. :(
Here is the private message with the problem description:
Hi,
since today's update to the current nightly I cannot log in to Jabber any more. I do not know if the server did change anything, but since your patch was integrated recently I am curious if this is the cause. Here is my log:
[18:40:35 15A0] [JABBER] SetAwayMsg called, wParam=40073 lParam=Away
[18:40:35 15A0] [JABBER] PS_SETSTATUS(40073)
[18:40:35 1114] [JABBER] Thread started: type=0
[18:40:35 15A0] KeepStatus: assigning status 40073 to Facebook_1
[18:40:35 15A0] KeepStatus: assigning status 40073 to ICQ
[18:40:35 15A0] KeepStatus: assigning status 40073 to JABBER
[18:40:35 1114] [JABBER] _xmpp-client._tcp.jabber.ccc.de resolved to jabberd.jabber.ccc.de:5222
[18:40:35 1114] [JABBER] Connection request to jabberd.jabber.ccc.de:5222 (Flags 0)....
[18:40:35 1114] [JABBER] (000000000E99C7C8) Connecting to server jabberd.jabber.ccc.de:5222....
[18:40:35 1114] [JABBER] (000000000E99C7C8) Connecting to ip [2a02:1b8:10:31::229]:5222 ....
[18:40:35 1114] [JABBER] (1244) Connected to jabberd.jabber.ccc.de:5222
[18:40:35 1114] [JABBER] Thread type=0 server='jabberd.jabber.ccc.de' port='5222'
[18:40:35 1114] [JABBER] Stream is initializing after connect
[18:40:35 1114] [JABBER] (000000000E99C7C8:1244) Data sent
<?xml version="1.0" encoding="UTF-8"?><stream:stream xmlns="jabber:client" to="jabber.ccc.de" xmlns:stream="http://etherx.jabber.org/streams" xml:lang="en" version="1.0">
[18:40:35 1114] [JABBER] Entering main recv loop
[18:40:35 1114] [JABBER] (000000000E99C7C8:1244) Data received
<?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='484583808' from='jabber.ccc.de' version='1.0' xml:lang='en'>
[18:40:35 1114] [JABBER] recvResult = 170
[18:40:35 1114] [JABBER] bytesParsed = 170
[18:40:35 1114] [JABBER] (000000000E99C7C8:1244) Data received
<stream:features><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.process-one.net/en/ejabberd/' ver='bYQ/IFfK87W+0ywEpUSFD2VIpW0='/><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>
[18:40:35 1114] [JABBER] recvResult = 246
[18:40:35 1114] [JABBER] bytesParsed = 246
[18:40:35 1114] [JABBER] Requesting TLS
[18:40:35 1114] [JABBER] (000000000E99C7C8:1244) Data sent
<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
[18:40:35 1114] [JABBER] (000000000E99C7C8:1244) Data received
<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
[18:40:35 1114] [JABBER] recvResult = 50
[18:40:35 1114] [JABBER] bytesParsed = 50
[18:40:35 1114] [JABBER] Starting TLS...
[18:40:35 1114] [JABBER] (1244 jabber.ccc.de) Starting SSL negotiation
[18:40:35 1114] SSL connection failure (80090308 381): Client cannot decode host message. Possible causes: host does not support SSL or requires not existing security package
[18:40:35 1114] [JABBER] (1244 jabber.ccc.de) Failure to negotiate SSL connection
[18:40:35 1114] [JABBER] SSL initialization failed
[18:40:35 1114] [JABBER] (000000000E99C7C8:1244) Data sent
</stream:stream>
[18:40:35 1114] [JABBER] Netlib_Recv() failed, error=10058
[18:40:35 1114] [JABBER] recvResult = 0
[18:40:35 1114] [JABBER] 1
[18:40:35 1114] [JABBER] 2
[18:40:35 1114] [JABBER] Thread ended: type=0 server='jabber.ccc.de'
[18:40:35 1114] [JABBER] (000000000E99C7C8:1244) Connection closed internal
[18:40:35 1114] [JABBER] (000000000E99C7C8:4294967295) Connection closed
[18:40:35 1114] [JABBER] Exiting ServerThread
Do you have any ideas? Other clients like Empathy work without problems.
Greetings
Chol
The suspected change is http://trac.miranda-ng.org/ticket/1080. As the server I use is a public one (jabber.ccc.de), it should be easy to reproduce.
-
It is most likely because they do not support TLS 1.1 or 1.2 correctly, but they advise to do so.
With that change you mentioned, support for TLS 1.1 and 1.2 was added, so it may cause a failure if that host doesn't support it properly.
And no, I couldn't reproduce it, I have had no problems over the weekend.
Funny, I cannot even open http://www.jabber.ccc.de
-
Chol, what OS version do you use?
-
Chol, perhaps you're using Windows XP, and that server just dropped SSL3 support, as prescribed by the XMPP committee.
In this case you need to install the OpenSSL plugin for Miranda, because XP doesn't support SSL 3.2/TLS 1.2, and never will.
-
If you're using Windows XP you need to get OpenSSL from https://indy.fulgan.com/SSL/ (it is listed on the OpenSSL Binaries page, so it's trustable). Shining Light Productions compiles with VS2013, which works only on Vista onwards. I don't have edit access on the Miranda wiki, so I hope someone can update the link on the OpenSSL page.
This probably needs to go in a footnote somewhere, since there are many 2K/XP users.
Also, if you use the Facebook or WebSkype plugin, there is a chance of a 100% CPU usage problem with the OpenSSL plugin.
-
Chol: Can you try with the stable build, to test if it is really related to that commit?
-
If you're using Windows XP you need to get OpenSSL from https://indy.fulgan.com/SSL/ (it is listed on the OpenSSL Binaries page, so it's trustable). Shining Light Productions compiles with VS2013, which works only on Vista onwards. I don't have edit access on the Miranda wiki, so I hope someone can update the link on the OpenSSL page. This probably needs to go in a footnote somewhere, since there are many 2K/XP users.
Do you have any source for that information? I do not see fulgan.com listed anywhere on openssl.org
-
I am using Windows 7 x64 SP1 with Miranda NG 64 bit nightly.
Just tested the current stable version (v0.95.4 build #13028 x64) which works without problems. Connection successful.
I also re-downloaded the current development version (v0.95.5 alpha build #15706 x64) to be sure my local files were not corrupted. Does not work.
According to their Twitter feed they are at least using ejabberd 15.06 and are also trying to implement necessary security features: https://twitter.com/jabbercccde
-
Well, maybe they use a security package that doesn't exist on Windows 7. Did you try using OpenSSL plugin, as mentioned above?
-
After installing the OpenSSL plugin it works again. Thank you! :)
Is it possible to auto-enable this plugin for Win7 users or to modify the warning to give the user a hint to enable the plugin?
I also tried to connect using Win10. There it works out of the box without the OpenSSL plugin.
The protocols used by the server are listed here: https://xmpp.net/result.php?domain=jabber.ccc.de&type=client. Grade A does not sound too bad. ;)
-
Chol, have you installed SP1 + all postfixes on your Win7?
-
Yes, my installation is up2date.
-
Chol: There is a certificate error here (https://www.sslshopper.com/ssl-checker.html#hostname=jabber.ccc.de) (certificate error in the file), could you ask their staff to fix it?
unitwobble: You're wrong, it works with Windows XP. I edited that site nonetheless.
-
Which error do you mean? I can only see a warning "The certificate is not trusted in all web browsers.". This is due to their use of CAcert as CA, for which you have to install the root certificate manually for making it work in web browsers. Does this affect non web browser applications like Jabber at all? Nevertheless I have installed the CAcert root certificate on my Win7 machine. As opposed to my Win10 machine, where Miranda works without OpenSSL.
-
Which error do you mean? I can only see a warning "The certificate is not trusted in all web browsers.". This is due to their use of CAcert as CA, for which you have to install the root certificate manually for making it work in web browsers. Does this affect non web browser applications like Jabber at all? Nevertheless I have installed the CAcert root certificate on my Win7 machine. As opposed to my Win10 machine, where Miranda works without OpenSSL.
Well, there is that red arrow at the bottom, which means the certificate order is incorrect.
And yes, there is an option in Miranda to validate SSL certificates.
-
According to http://blog.edgecloud.com/post/19519955133/ssl-certificate-chain-order-matters the own (= jabber server) certificate should be the first one, followed by its signer.
If I check the chain of my server:
$ openssl s_client -connect jabber.ccc.de:5222 </dev/null -starttls xmpp
---
Certificate chain
0 s:/C=DE/ST=Hamburg/L=Hamburg/O=Chaos Computer Club e.V./CN=jabber.ccc.de
i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
1 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
Everything looks correct to me. First one with id 0 is the jabber server certificate, second with id 1 is the signer (= root ca).
-
No, the intermediate certificate must go first (or it is missing).
That's what sslshopper says.
At least you will get this error until sslshopper goes green.
-
There is no intermediate certificate required, as the server certificate is directly signed by the root CA. For example https://www.sslshopper.com/ssl-checker.html#hostname=verisign.org does the same.
I think the red arrow for jabber.ccc.de only indicates that the CAcert root certificate is not contained in standard web browsers / operating systems.
Pidgin for example seems to package some root certificates with their app for that reason: https://hg.pidgin.im/pidgin/main/file/b788e0305cc0/share/ca-certs
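The chain-order question raised in the two posts above (leaf first, each certificate signed by the next, ending in a self-signed root, no intermediate needed when the root signs the leaf directly) can be checked mechanically from the `openssl s_client` output. The following script is an added example, not Miranda code; its sample chain is constructed in the format shown earlier in the thread, not captured from the live server, and it checks ordering only, not whether the root is trusted by the client.

```python
import re

# Constructed sample in the layout openssl s_client prints, modelled on
# the chain quoted in the thread (not a live capture).
SAMPLE_CHAIN = """\
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/O=Chaos Computer Club e.V./CN=jabber.ccc.de
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
 1 s:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
   i:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
---
"""

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")

def parse_chain(text):
    """Return (subject, issuer) pairs in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def check_chain_order(chain, hostname):
    """Return a list of findings; an empty list means the order is sane."""
    findings = []
    if not chain:
        return ["no certificates in chain"]
    # Position 0 must be the server's own (leaf) certificate.
    if f"CN={hostname}" not in chain[0][0]:
        findings.append("first certificate is not the server (leaf) certificate")
    # Each certificate's issuer must be the subject of the one that follows.
    for idx in range(len(chain) - 1):
        if chain[idx][1] != chain[idx + 1][0]:
            findings.append(f"certificate {idx} is not signed by certificate {idx + 1}")
    # A chain that does not end in a self-signed root has a gap (missing intermediate).
    if chain[-1][0] != chain[-1][1]:
        findings.append("chain does not end in a self-signed root: an intermediate may be missing")
    return findings

if __name__ == "__main__":
    print(check_chain_order(parse_chain(SAMPLE_CHAIN), "jabber.ccc.de") or "chain order OK")
```

Feed it the real output with `openssl s_client -connect jabber.ccc.de:5222 -starttls xmpp </dev/null` piped into `parse_chain`; a root that the operating system does not trust (such as CAcert) still passes this ordering check.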
-
Chol,
have you tried to update root certificates on your machine?
-
First I opened certmgr.msc and compared my installed CAcert root certificate with the certificate from the server response. They match.
Then I deleted the CAcert root certificate and also the OpenSSL.dll from Miranda plugins. Same error as initially. Then I re-added OpenSSL.dll (CAcert root certificate still missing) and Miranda works. So the installed certificates do not seem to matter.
-
Under Windows 8 & 10 Miranda works OK with this site without any problems,
so the problem is evidently in the old SSL provider in Windows 7.
I don't know what precisely the problem is; I only know that sites marked red at sslshopper usually cause problems with the old SSL libraries.
-
Do you have any source for that information? I do not see fulgan.com listed anywhere on openssl.org
The page used to be at: https://www.openssl.org/community/binaries.html (Google cache still holds the old page)
Now it is: https://wiki.openssl.org/index.php/Binaries
-
Do you perhaps have SSL2 enabled in Internet Explorer settings? (Just a wild shot.)
-
No, SSL2 and SSL3 are not checked.
By the way, since I enabled the OpenSSL plugin, Jabber works fine but Facebook does not work any more. It stalls in "Connecting" state. So I either can use Jabber or Facebook, but not both at the same time. :(
Here is my Facebook log with OpenSSL enabled:
[12:00:34 185C] [Facebook_1] *** GetMyAvatar
[12:00:34 185C] [Facebook_1] === Beginning SetStatus process
[12:00:34 1934] [Facebook_1] [14.11.2015] Using Facebook Protocol RM 0.2.11.4
[12:00:34 1934] [Facebook_1] *** Beginning SignOn process
[12:00:34 1934] [Facebook_1] *** Negotiating connection with Facebook
[12:00:34 1934] [Facebook_1] >> Entering login()
[12:00:34 1934] [Facebook_1] @@@ Sending request to 'https://mbasic.facebook.com/profile.php?v=info'
[12:00:34 1934] [Facebook_1] Connection request to mbasic.facebook.com:443 (Flags 11)....
[12:00:35 1934] [Facebook_1] (000000000E970CC8) Connecting to server mbasic.facebook.com:443....
[12:00:35 1934] [Facebook_1] (000000000E970CC8) Connecting to ip [2a03:2880:f01c:20e:face:b00c:0:2]:443 ....
[12:00:35 1934] [Facebook_1] (972) Connected to mbasic.facebook.com:443
[12:00:35 1934] [Facebook_1] (972 mbasic.facebook.com) Starting SSL negotiation
[12:00:42 1934] [Facebook_1] (972 mbasic.facebook.com) SSL negotiation successful
[12:00:42 1934] [Facebook_1] @@@ Got response with code 302
[12:00:42 1934] [Facebook_1] @@@ Sending request to 'https://login.facebook.com/login.php?login_attempt=1'
[12:00:42 1934] [Facebook_1] Connection request to login.facebook.com:443 (Flags 11)....
[12:00:42 1934] [Facebook_1] (000000000E9CCC88) Connecting to server login.facebook.com:443....
[12:00:42 1934] [Facebook_1] (000000000E9CCC88) Connecting to ip [2a03:2880:f01c:20e:face:b00c:0:2]:443 ....
[12:00:42 1934] [Facebook_1] (828) Connected to login.facebook.com:443
[12:00:42 1934] [Facebook_1] (828 login.facebook.com) Starting SSL negotiation
[12:00:46 1934] [Facebook_1] (828 login.facebook.com) SSL negotiation successful
[12:00:46 1934] [Facebook_1] (000000000E9CCC88:828) Connection closed internal
[12:00:46 1934] [Facebook_1] (000000000E9CCC88:4294967295) Connection closed
[12:00:46 1934] [Facebook_1] @@@ Got response with code 302
[12:00:46 1934] [Facebook_1] Got self user id: 123456789
[12:00:46 1934] [Facebook_1] << Quitting login()
[12:00:46 1934] [Facebook_1] >> Entering home()
[12:00:46 1934] [Facebook_1] @@@ Sending request to 'https://mbasic.facebook.com/editprofile.php?edit=current_city&type=basic'
[12:00:47 1934] [Facebook_1] @@@ Got response with code 200
[12:00:47 1934] [Facebook_1] Got self dtsg
[12:00:47 1934] [Facebook_1] @@@ Sending request to 'https://mbasic.facebook.com/profile.php?v=info'
-
I have the same problem on Win7-x86 (thanks for the workaround with OpenSSL plugin).
Just posting in case I can be of any help. I'm not using the Facebook plugin though.
-
No, SSL2 and SSL3 are not checked.
Can you please try enabling SSL3 ?
-
Can you please try enabling SSL3 ?
The server does not support SSLv3, so that would lead to nothing.