Author Topic: Jabber SSL problem with jabber.ccc.de (Read 14684 times)

Chol · « **on:** 09 11 2015, 17:31:11 »

Since the nightly I got at November 2nd, I cannot connect to Jabber any more, getting a SSL connection failure. I suspect it is related to http://forum.miranda-ng.org/index.php?topic=4352.0, so I wrote the author a private message, but did not get a response.

Here is the private message with the problem description:

Quote from: Chol on 02 11 2015, 18:05:15

Hi,

since todays update to the current nightly I cannot login to Jabber any more. I do not know if the server did change anything, but since your patch was integrated recently I am curious if this is the cause. Here is my log:

Code: [Select]
[18:40:35 15A0] [JABBER] SetAwayMsg called, wParam=40073 lParam=Away [18:40:35 15A0] [JABBER] PS_SETSTATUS(40073) [18:40:35 1114] [JABBER] Thread started: type=0 [18:40:35 15A0] KeepStatus: assigning status 40073 to Facebook_1 [18:40:35 15A0] KeepStatus: assigning status 40073 to ICQ [18:40:35 15A0] KeepStatus: assigning status 40073 to JABBER [18:40:35 1114] [JABBER] _xmpp-client._tcp.jabber.ccc.de resolved to jabberd.jabber.ccc.de:5222 [18:40:35 1114] [JABBER] Connection request to jabberd.jabber.ccc.de:5222 (Flags 0).... [18:40:35 1114] [JABBER] (000000000E99C7C8) Connecting to server jabberd.jabber.ccc.de:5222.... [18:40:35 1114] [JABBER] (000000000E99C7C8) Connecting to ip [2a02:1b8:10:31::229]:5222 .... [18:40:35 1114] [JABBER] (1244) Connected to jabberd.jabber.ccc.de:5222 [18:40:35 1114] [JABBER] Thread type=0 server='jabberd.jabber.ccc.de' port='5222' [18:40:35 1114] [JABBER] Stream is initializing after connect [18:40:35 1114] [JABBER] (000000000E99C7C8:1244) Data sent <?xml version="1.0" encoding="UTF-8"?><stream:stream xmlns="jabber:client" to="jabber.ccc.de" xmlns:stream="http://etherx.jabber.org/streams" xml:lang="en" version="1.0"> [18:40:35 1114] [JABBER] Entering main recv loop [18:40:35 1114] [JABBER] (000000000E99C7C8:1244) Data received <?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='484583808' from='jabber.ccc.de' version='1.0' xml:lang='en'> [18:40:35 1114] [JABBER] recvResult = 170 [18:40:35 1114] [JABBER] bytesParsed = 170 [18:40:35 1114] [JABBER] (000000000E99C7C8:1244) Data received <stream:features><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.process-one.net/en/ejabberd/' ver='bYQ/IFfK87W+0ywEpUSFD2VIpW0='/><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features> [18:40:35 1114] [JABBER] recvResult = 246 [18:40:35 1114] [JABBER] bytesParsed = 246 [18:40:35 1114] [JABBER] Requesting TLS [18:40:35 1114] [JABBER] (000000000E99C7C8:1244) Data sent <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/> [18:40:35 1114] [JABBER] (000000000E99C7C8:1244) Data received <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/> [18:40:35 1114] [JABBER] recvResult = 50 [18:40:35 1114] [JABBER] bytesParsed = 50 [18:40:35 1114] [JABBER] Starting TLS... [18:40:35 1114] [JABBER] (1244 jabber.ccc.de) Starting SSL negotiation [18:40:35 1114] SSL connection failure (80090308 381): Client cannot decode host message. Possible causes: host does not support SSL or requires not existing security package [18:40:35 1114] [JABBER] (1244 jabber.ccc.de) Failure to negotiate SSL connection [18:40:35 1114] [JABBER] SSL initialization failed [18:40:35 1114] [JABBER] (000000000E99C7C8:1244) Data sent </stream:stream> [18:40:35 1114] [JABBER] Netlib_Recv() failed, error=10058 [18:40:35 1114] [JABBER] recvResult = 0 [18:40:35 1114] [JABBER] 1 [18:40:35 1114] [JABBER] 2 [18:40:35 1114] [JABBER] Thread ended: type=0 server='jabber.ccc.de' [18:40:35 1114] [JABBER] (000000000E99C7C8:1244) Connection closed internal [18:40:35 1114] [JABBER] (000000000E99C7C8:4294967295) Connection closed [18:40:35 1114] [JABBER] Exiting ServerThread
Do you have any ideas? Other clients like Empathy work without problems.

Greetings
Chol

The suspected change is http://trac.miranda-ng.org/ticket/1080. As the server I use is a public one (jabber.ccc.de), it should be easy to reproduce.

Wishmaster · « **Reply #1 on:** 09 11 2015, 17:44:30 »

It is most likely because they do not support TLS 1.1 or 1.2 correctly, but they advise to do so.
With that change you mentioned, support for TLS 1.1 and 1.2 was added, so it may cause a failure if that host doesn't support it properly.
And no, I couldn't reproduce it, I have had no problems over the weekend.
Funny, I cannot even open http://www.jabber.ccc.de

watcher · « **Reply #2 on:** 09 11 2015, 19:05:02 »

Chol, what OS version do you use?

ghazan · « **Reply #3 on:** 09 11 2015, 19:07:04 »

Chol, perhaps you're using Windows XP, and that server just dropped SSL3 support, as prescribed by the XMPP committee.
in this case you need to install OpenSSL plugin for Miranda, because XP doesn't support SSL 3.2/TLS 1.2, and never will

unitwobble · « **Reply #4 on:** 10 11 2015, 01:21:38 »

If you're using Windows XP you need to get OpenSSL from https://indy.fulgan.com/SSL/ (It is listed on OpenSSL Binaries page so it's trustable). Shining Light Productions compiles with VS2013 that work only on Vista onwards. I don't have edit access on Miranda wiki so I hope someone can update the link on the OpenSSL page.

This probably needs to go on a footnote somewhere since there are many 2K/XP users.

Also if you use Facebook or WebSkype plugin, chance of 100% CPU usage problem with OpenSSL plugin.

Wishmaster · « **Reply #5 on:** 10 11 2015, 07:57:47 »

Chol: Can you try with the stable build, to test if it is really related to that commit?

Wishmaster · « **Reply #6 on:** 10 11 2015, 16:02:05 »

Quote from: unitwobble on 10 11 2015, 01:21:38

If you're using Windows XP you need to get OpenSSL from https://indy.fulgan.com/SSL/ (It is listed on OpenSSL Binaries page so it's trustable). Shining Light Productions compiles with VS2013 that work only on Vista onwards. I don't have edit access on Miranda wiki so I hope someone can update the link on the OpenSSL page. This probably needs to go on a footnote somewhere since there are many 2K/XP users.

Do you have any source for that information? I do not see fulgan.com listed anywhere on openssl.org

Chol · « **Reply #7 on:** 10 11 2015, 21:47:27 »

I am using Windows 7 x64 SP1 with Miranda NG 64 bit nightly.
Just tested the current stable version (v0.95.4 build #13028 x64) which works without problems. Connection successful.

I also re-downloaded the current development version (v0.95.5 alpha build #15706 x64) to be sure my local files were not corrupted. Does not work.

According to their Twitter feed they are at least using ejabberd 15.06 and are also trying to implement necessary security features: https://twitter.com/jabbercccde

Wishmaster · « **Reply #8 on:** 11 11 2015, 12:58:00 »

Well, maybe they use a security package that doesn't exist on Windows 7. Did you try using OpenSSL plugin, as mentioned above?

Chol · « **Reply #9 on:** 11 11 2015, 17:25:01 »

After installing the OpenSSL plugin it works again. Thank you!

Is it possible to auto-enable this plugin for Win7 users or to modify the warning to give the user a hint to enable the plugin?

I also tried to connect using Win10. There it works out of the box without the OpenSSL plugin.

The servers used protocols are listed here: https://xmpp.net/result.php?domain=jabber.ccc.de&type=client. Grade A does not sound too bad.

ghazan · « **Reply #10 on:** 11 11 2015, 18:17:51 »

Chol, have you installed SP1 + all postfixes on your Win7?

Chol · « **Reply #11 on:** 11 11 2015, 18:30:49 »

Yes, my installation is up2date.

Wishmaster · « **Reply #12 on:** 12 11 2015, 11:29:14 »

Chol: There is a certiflicate error here (certiflicate error in the file), could you ask their staff to fix it?

unitwobble: You're wrong, it works with Windows XP. I edited that site nonetheless.

Chol · « **Reply #13 on:** 12 11 2015, 17:45:41 »

Which error do you mean? I can only see a warning "The certificate is not trusted in all web browsers.". This is due to their use of CAcert as CA, for which you have to install the root certificate manually for making it work in web browsers. Does this affect non web browser applications like Jabber at all? Nevertheless I have installed the CAcert root certificate on my Win7 machine. As opposed to my Win10 machine, where Miranda works without OpenSSL.

Wishmaster · « **Reply #14 on:** 12 11 2015, 17:54:23 »

Quote from: Chol on 12 11 2015, 17:45:41

Which error do you mean? I can only see a warning "The certificate is not trusted in all web browsers.". This is due to their use of CAcert as CA, for which you have to install the root certificate manually for making it work in web browsers. Does this affect non web browser applications like Jabber at all? Nevertheless I have installed the CAcert root certificate on my Win7 machine. As opposed to my Win10 machine, where Miranda works without OpenSSL.

Well, there is thaat red arrow at the bottom, that means the certiflicate order is incorrect.

And yes, there is an option in Miranda to validate SSL-certiflicates.