Ask / Submit
11

[bug] xmpp not working anymore

asked 2015-10-22 20:11:42 +0200

cy8aer gravatar image

updated 2015-10-22 22:02:09 +0200

With 2.0.0.10 my xmpp account is dead. I was not able to change the state to "available". Then I deleted the account and rebuild it. Now there is no entry anymore in "State":

No accounts with state information available.

Reboot did not change the state. How can I get the account back. Any debugging hints?

[Update] journalctl:

Okt 22 19:36:07 myphone dbus-daemon[938]: Activating service name='org.freedesktop.Telepathy.ConnectionManager.gabble'
Okt 22 19:36:07 myphone dbus-daemon[938]: Successfully activated service 'org.freedesktop.Telepathy.ConnectionManager.gabble'
Okt 22 19:36:08 myphone [1187]: [W] Tp::Debug::invokeDebugCallback:149 - tp-qt 0.9.4 WARN: Building connection "/org/freedesktop/Telepathy/Connection/gabble/jabber/user_40blablubb_2ede_2fJolla" failed with "org.freedesktop.Telepathy.Error.NetworkError" - "WOCKY_CONNECTOR_ERROR_TLS_SESSION_FAILED (#7): TLS handshake error: -106: GNUTLS_E_UNSUPPORTED_SIGNATURE_ALGORITHM"
Okt 22 19:36:08 myphone [1187]: [W] Tp::Debug::invokeDebugCallback:149 - tp-qt 0.9.4 WARN: StatefulDBusProxy::uniqueNameFrom(): Failed to get unique name of "org.freedesktop.Telepathy.Connection.gabble.jabber.user_40blablubb_2ede_2fJolla"
Okt 22 19:36:08 myphone [1187]: [W] Tp::Debug::invokeDebugCallback:149 - tp-qt 0.9.4 WARN:   error: "org.freedesktop.DBus.Error.NameHasNoOwner" message: "Could not get owner of name 'org.freedesktop.Telepathy.Connection.gabble.jabber.user_40blablubb_2ede_2fJolla': no such name"
Okt 22 19:36:08 myphone [1187]: [W] Tp::Debug::invokeDebugCallback:149 - tp-qt 0.9.4 WARN: Nested PendingReady for true failed with "org.freedesktop.DBus.Error.NameHasNoOwner" : "Could not get owner of name 'org.freedesktop.Telepathy.Connection.gabble.jabber.user_40blablubb_2ede_2fJolla': no such name"
Okt 22 19:36:08 myphone [1187]: [W] Tp::Debug::invokeDebugCallback:149 - tp-qt 0.9.4 WARN: Building connection "/org/freedesktop/Telepathy/Connection/gabble/jabber/user_40blablubb_2ede_2fJolla" failed with "org.freedesktop.DBus.Error.NameHasNoOwner" - "Could not get owner of name 'org.freedesktop.Telepathy.Connection.gabble.jabber.user_40blablubb_2ede_2fJolla': no such name"

The whole thing is against an prosody server with standard ssl settings. And there I cannot find reconnects anymore (TLS problems are before layer 4 upwards)

[Update] Server side. Prosody output when creating a new account:

Oct 22 19:52:17 c2sfd0300       info    Client connected
Oct 22 19:52:17 c2sfd0300       debug   Client sent opening <stream:stream> to blablubb.de
Oct 22 19:52:17 c2sfd0300       debug   Sent reply <stream:stream> to client
Oct 22 19:52:17 c2sfd0300       debug   Received[c2s_unauthed]: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
Oct 22 19:52:17 socket  debug   try to start ssl at client id: fcf4a0
Oct 22 19:52:17 socket  debug   ssl session delayed until writebuffer is empty...
Oct 22 19:52:17 c2sfd0300       debug   TLS negotiation started for c2s_unauthed...
Oct 22 19:52:17 socket  debug   starting ssl handshake after writing
Oct 22 19:52:17 socket  debug   starting handshake...
Oct 22 19:52:17 socket  debug   ssl handshake of client with id:table: 0xfcf4a0, attempt:1
Oct 22 19:52:17 socket  debug   ssl handshake of client with id:table: 0xfcf4a0, attempt:2
Oct 22 19:52:17 socket  debug   ssl handshake of client with id:table: 0xfcf4a0, attempt:3
Oct 22 19:52:17 socket  debug   ssl handshake error: closed
Oct 22 19:52:17 socket  debug   closing client with id: fcf4a0 closed
Oct 22 19:52:17 c2sfd0300       info    Client disconnected: closed
Oct 22 19:52:17 c2sfd0300       debug   Destroying session for (unknown) ((unknown)@blablubb.de): closed
Oct 22 19:52:17 socket  debug   handshake failed because: closed

And this is a standard ssl jessie prosody with many clients. Cacert certificate. And it worked with cacert root certificates in ~/.config/telepathy/certs

Sniff:

you can see the following things in the handshaking:

  • TLSv1.2 Client Hello
  • TLSv1.2 Server Hello
  • TLSv1.2 Server sends certificate
  • boom client sends 3 ACKs and 1 RST ACK
edit retag flag offensive close delete

Comments

installed Xabber from f-droid. Works fine.

cy8aer ( 2015-10-22 22:02:54 +0200 )edit

mine is working just fine

virgi26 ( 2015-10-22 22:32:03 +0200 )edit
2

Same here. Can't login to jabber.ccc.de anymore.

hoschi ( 2015-10-22 23:07:04 +0200 )edit

looked at MER#1262 - Disabling SSLv3 - My server does TLSv1.2. MER#1094: disabling md5 - my certificate is signed SHA512

cy8aer ( 2015-10-22 23:13:37 +0200 )edit

I use this [https://openrepos.net/content/nodevel/facebook-messenger-account] and it works perfect

Xray2000 ( 2015-10-22 23:20:44 +0200 )edit

1 Answer

Sort by » oldest newest most voted
8

answered 2015-10-23 18:28:40 +0200

tigeli gravatar image

@cy8aer Thanks, I've already identified the root cause (strictly following RFC5246, the root ca which was used to sign the both your and jabber.ccc.de-certificates was signed with RSA-MD5 which is not enabled by default on GNUTLS -> not good).

So the fix for vulnerability GNUTLS-SA-2015-2 "broke" connections using TLSv1.2 having any certificate on the chain signed with RSA-MD5. (http://permalink.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/8132)

Good news: I do already have a patch for the issue so that the actual signature of certificate can use RSA-MD5 but RSA-MD5-pair can't be used in ServerKeyExchange- or ClientCertificateVerify-messages

@cy8aer I can provide a test package for you to test later today/tomorrow/Sunday/Monday.. ;)

edit flag offensive delete publish link more

Comments

For me too please :)

hoschi ( 2015-10-23 18:33:54 +0200 )edit
5

RSA-MD5 is a security flaw !!!! (MD5 is considered not secure anymore. i.e.: it should be possible for a 3rd party attacker to generate their own key and certificate that happen to match the MD5 of your certificate).

Even RSA-SHA1 starts to become not recommended given possibility of collision attacks.

Current recommendation is to use RSA-SHA256

DrYak ( 2015-10-23 20:59:36 +0200 )edit

@DrYak the main problem is multi signing. There are CAs who sign with more than one method. Another problem occurs when the CAs theirself do have multi signing paths with sha1 and md5 sigining in. Because CAs are not able to discard single paths (maybe because of 30 or more years durability. I found the first websites which are refused by modern browsers (unfortunately only by modern browsers)

@tigeli Thank you, I try the new package.

cy8aer ( 2015-10-23 22:20:12 +0200 )edit

@tigeli it works. After creating a new account it is instantly online. Thank you for your effort. @hoschi: what about you and jabber.ccc.de? Warning: do not install it via USB debugging and ssh. Do it directly in the terminal...

cy8aer ( 2015-10-23 22:28:33 +0200 )edit
Login/Signup to Answer

Question tools

Follow
6 followers

Stats

Asked: 2015-10-22 20:11:42 +0200

Seen: 826 times

Last updated: Oct 23 '15