net:jabber and "digest-uri seems invalid" / authentication problem

I'm trying to use the perl module net::jabber to talk to ejabberd. I've turned up the logging on ejabberd to debug level and when my perl script tries to auth, I see the following in the log. Specifically, it appears the issue is:

D(<0.780.0>:cyrsasl_digest:50) : User login not authorized because digest-uri seems invalid: "/"

Anyone have an idea what this means-- is it an issue with the net:jabber code/installation or ejabberd? Thoughts on fixes or workarounds?

Thanks

----

=INFO REPORT==== 2009-06-15 21:31:12 ===
D(<0.779.0>:ejabberd_receiver:306) : Received XML on stream = "YXV0aHppZD0iYmZjLXRvb2xAZW5ndG9
vbHMwMyIsY2hhcnNldD11dGYtOCxjbm9uY2U9ImZmYTdhZWViZWRjNTI4ZTg5M2Y5NGI2MmR
kMzExNmI5IixkaWdlc3QtdXJpPSIvIixuYz0wMDAwMDAwMSxub25jZT0iNDY1MjgwMjYwIix
xb3A9YXV0aCxyZXNwb25zZT04NTQ1MTJjOTY0NzY4OTA5Y2M5NWJiNWQxYWU5NTBjZCx1c2V
ybmFtZT0iYmZjLXRvb2wi"

=INFO REPORT==== 2009-06-15 21:31:12 ===
D(<0.779.0>:shaper:61) : State: {maxrate,1000,981.3917919959215,
1245101472129865}, Size=330
M=323.9714714714715, I=0.335

=INFO REPORT==== 2009-06-15 21:31:12 ===
D(<0.780.0>:cyrsasl_digest:50) : User login not authorized because
digest-uri seems invalid: "/"

=INFO REPORT==== 2009-06-15 21:31:12 ===
I(<0.780.0>:ejabberd_c2s:709) :
({socket_state,gen_tcp,#Port<0.463>,<0.779.0>}) Failed authentication
for abc@xyz

If client uses SASL Digest, must provide proper digest-uri

ejabberd 2.0.3 and higher implements digest-uri verification, as recommended by XMPP-Core, see EJAB-569.

This means that the XMPP/Jabber server of domain example.com (in this case ejabberd) expects that a client that is authenticating using SASL Digest will provide something like:

digest-uri="xmpp/example.com"

But it seems your client sends this:

digest-uri="/"

You have several solutions:

  • Improve your XMPP client library to provide a proper digest-uri in the SASL Digest.
  • Change your client or library to not use SASL Digest.
  • Change ejabberd to not verify digest-uri.
  • Use an older version of ejabberd that didn't yet implement this verification.
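
A diagnostic for the situation described above, as an added example that is not part of the original thread or of ejabberd: it decodes the base64 body of a DIGEST-MD5 response as it appears in the debug log and checks that digest-uri has the form xmpp/<domain>. The sample payload is constructed, and the two-part, case-insensitive comparison is an assumption about the check, not ejabberd's own code.

```python
import base64
import re

# One directive: key=value, value either a quoted string (backslash escapes) or a bare token.
_DIRECTIVE = re.compile(
    r'\s*([A-Za-z0-9-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^,"\s]*))\s*(?:,|$)')

def parse_digest_response(b64_payload):
    """Decode the base64 body of a SASL <response/> into a dict of directives."""
    # Log output wraps long payloads, so drop all whitespace before decoding.
    text = base64.b64decode("".join(b64_payload.split())).decode("utf-8")
    directives, pos = {}, 0
    while pos < len(text):
        m = _DIRECTIVE.match(text, pos)
        if not m:
            raise ValueError("malformed directive at offset %d" % pos)
        quoted, token = m.group(2), m.group(3)
        value = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else token
        directives[m.group(1).lower()] = value
        pos = m.end()
    return directives

def check_digest_uri(directives, server_domain, service="xmpp"):
    """Return (ok, reason). Assumed rule: digest-uri == service/server_domain."""
    uri = directives.get("digest-uri")
    if uri is None:
        return False, "digest-uri directive is missing"
    parts = uri.lower().split("/")
    if len(parts) != 2 or not all(parts):
        return False, "digest-uri %r is not of the form service/host" % uri
    if parts[0] != service:
        return False, "service is %r, expected %r" % (parts[0], service)
    if parts[1] != server_domain.lower():
        return False, "host is %r, expected %r" % (parts[1], server_domain.lower())
    return True, "ok"

# Constructed sample (not taken from the thread): a client that sends digest-uri="/".
SAMPLE = base64.b64encode(
    b'username="alice",realm="example.com",nonce="12345",cnonce="abcdef",'
    b'nc=00000001,qop=auth,digest-uri="/",charset=utf-8').decode("ascii")

if __name__ == "__main__":
    fields = parse_digest_response(SAMPLE)
    print(fields["username"], check_digest_uri(fields, "example.com"))
```

Paste the quoted string from a "Received XML on stream" debug line into parse_digest_response to see which directives a client actually sent.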

> # Change ejabberd to not verify digest-uri.

Could you explain how I do this?
I have the same problem.

Fix the XMPP client. Temporary workaround.

You will prefer to fix your XMPP client library. In any case, you can apply this temporary workaround:

--- cyrsasl_digest.erl
+++ cyrsasl_digest.erl
@@ -65,11 +65,7 @@ mech_step(#state{step = 3, nonce = Nonce} = State, ClientIn) ->
            DigestURI = xml:get_attr_s("digest-uri", KeyVals),
            UserName = xml:get_attr_s("username", KeyVals),
            case is_digesturi_valid(DigestURI, State#state.host) of
-               false ->
-                   ?DEBUG("User login not authorized because digest-uri "
-                          "seems invalid: ~p", [DigestURI]),
-                   {error, "not-authorized", UserName};
-               true ->
+               _ ->
                    AuthzId = xml:get_attr_s("authzid", KeyVals),
                    case (State#state.get_password)(UserName) of
                        {false, _} ->
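
Review bot: in the `case is_digesturi_valid(DigestURI, State#state.host) of` block, replacing both clauses with `_ ->` discards the result of the check and also removes the only `?DEBUG` line that recorded a bad digest-uri, so a client sending `digest-uri="/"` now passes this step for every user with nothing left in the log. If the check has to be relaxed while the client library is fixed, keep a `false ->` clause that still logs the rejected value before continuing into the same `AuthzId = ...` body, so non-conforming clients stay visible and the change is easy to revert once they are fixed.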

In my case, I was able to find a google page (translated) which pointed to a perl xmpp client library problem.

http://translate.google.com/translate?hl=en&sl=pl&u=http://forum.pld-lin...
l%26hs%3Driy

I made the code change to the stream.pm module (as suggested) and it fixed my problem. Note that the translation gets confused on the perl curly braces and parentheses, so you'll need to tweak what's shown in the translation when you patch the stream.pm code.

I think I had seen another post where they had said they had the same issue and retrying on a clean perl build worked-- maybe there's an official update to stream.pm that fixes this issue...

Fix

The code above is part of the fix. But it still breaks if you are using srv records to point to a different host.
I have fixed it on my system - I still need to double check what I had to change, but I will post the changes needed to get things working smoothly.

Install all the needed modules from cpan. In my case I'm using Net::Jabber::Bot.
Also, install Net::DNS::Resolver if you are using srv records.

----------------------------------
In Net/XMPP/Connection.pm around line 135, underneath "delete($self->{SESSION});" add:

        #HACK - makes sure componentname is defined
        if (!defined($self->{SERVER}->{componentname})) {
                $self->{SERVER}->{componentname} = $self->{SERVER}->{hostname};
        }

A few lines below that, in the Connect statement, under the ssl line, before the "(defined($self->{SERVER}->{componentname}", add:

                    #HACK - allow defining srv to use srv records (you'll usually want to set this to "_xmpp-client._tcp")
                    (defined($self->{SERVER}->{srv}) ?
                     (srv => $self->{SERVER}->{srv}) :
                     ()
                    ),

-----------------------------------

In XML/Stream.pm, around line 2123, change:
"$self->{SIDS}->{$sid}->{sasl}->{client} = $sasl->client_new();"
to

$self->{SIDS}->{$sid}->{sasl}->{client} = $sasl->client_new('xmpp',$self->{SIDS}->{$sid}->{to});

I'm not sure if this is needed on all systems, but I had problems with "Undefined subroutine &Net::DNS::Resolver", this fixes that. At line 284, underneath "import Net::DNS;" add:

use Net::DNS;

----------------------------------------------------------------------------------

When using Net::Jabber::Client Connect, be sure to specify in the connect parameters:

srv=>"_xmpp-client._tcp"

If you want to use srv records to find the correct jabber host.
-------------------------------

I hope someone else finds this helpful. I've spent the better part of two days trying to figure it out! If anyone knows how to get these changes added to the (apparently abandoned) Net::XMPP modules on cpan, please go ahead and do so. Otherwise, at least the next person who searches for this should find this post.
