Attached. Line to focus on: 15:35:58: <ESPurpleJabberAccount:385a9c0 2>:[email protected]: Disconnected ("SASL authentication failed"): Automatically reconnecting in 5.000000 seconds (0 attempts performed)
On 5/3/10 3:03 PM, "Evan Schoenberg, M.D." <[email protected]> wrote: > > On May 3, 2010, at 3:49 PM, Joe Hildebrand wrote: > >> This *almost* works. The error is now correct, but we shouldn't >> auto-reconnect if the password was bad. > > I agree; however, code is already in place which should be handling that. > Please post debug logging of sending an incorrect password and not getting > prompted to enter a correct one. > > -Evan > >> >> >> On 5/3/10 2:30 PM, "Evan Schoenberg, M.D." <[email protected]> wrote: >> >>> >>> On May 3, 2010, at 11:42 AM, David Smith wrote: >>> >>>> I'd be happy to check if I can still connect to iChat Server if someone >>>> gives >>>> me a patched Adium. >>> >>> >>> I should have checked the code instead of the ticket; I left later-me some >>> good details there. >>> jabber_auth_start_cyrus() for us includes: >>> { >>> /* We have no mechs which can work. >>> * Try falling back on the old jabber:iq:auth method. We get here if the >>> server >>> supports >>> * one or more sasl mechs, we are compiled with cyrus-sasl support, but we >>> support or can connect with none of >>> * the offerred mechs. jabberd 2.0 w/ SASL and Apple's iChat Server 10.5 both >>> handle and expect >>> * jabber:iq:auth in this situation. iChat Server in particular offers SASL >>> GSSAPI by default, which is often >>> * not configured on the client side, and expects a fallback to >>> jabber:iq:auth >>> when it (predictably) fails. >>> * >>> * Note: xep-0078 points out that using jabber:iq:auth after a sasl failure >>> is >>> wrong. However, >>> * I believe this refers to actual authentication failure, not a simple lack >>> of >>> concordant mechanisms. >>> * Doing otherwise means that simply compiling with SASL support renders the >>> client unable to connect to servers >>> * which would connect without issue otherwise. -evands >>> */ >>> js->auth_mech = NULL; >>> jabber_auth_start_old(js); >>> return JABBER_SASL_STATE_CONTINUE; >>> } >>> >>> >>> However, elsewhere in auth_cyrus, jabber_cyrus_handle_failure() has what >>> appears to be better logic: >>> >>> if (tried_gssapi_first) { >>> /* If we tried GSSAPI first, it failed, and it was our only shot, try >>> jabber:iq:auth >>> * for compatibility with iChat 10.5 Server. >>> * >>> * iChat Server 10.5 offers SASL GSSAPI by default, which is often >>> * not configured on the client side, and expects a fallback to >>> jabber:iq:auth >>> when it (predictably) fails. >>> * >>> * Note: xep-0078 points out that using jabber:iq:auth after a sasl failure >>> is >>> wrong. However, >>> * I believe this refers to actual authentication failure, not a simple lack >>> of >>> concordant mechanisms. >>> * Doing otherwise means that simply compiling with SASL support renders the >>> client unable to connect to servers >>> * which would connect without issue otherwise. -evands >>> */ >>> sasl_dispose(&js->sasl); >>> js->sasl = NULL; >>> js->auth_mech = NULL; >>> jabber_auth_start_old(js); >>> return JABBER_SASL_STATE_CONTINUE; >>> } >>> >>> (comments expanded just-now by me). >>> In im.pigin.adium.1-4's 2fcd834324b05d3becf6878db8ce1c474578e720 I have >>> removed the former, aggressive behavior and left the latter. I think this >>> should solve the problem presented while maintaining the workaround for >>> iChat >>> Server 10.5's apparent wrongness. >>> >>> >>> This is committed in adium-1.4's [6534647aece5289a0e5ac90c012bcbf75e3918f3]. >>> >>> A build for testing is uploaded at >>> http://adiumx.cachefly.net/Adium_1.4b18-noJabberHack.dmg >>> >>> The downgrade attack Joe mentions does still exist, but now if and only if >>> ((GSSAPI is the only offered SASL mech) && (GSSAPI fails)). Further >>> improvement would be a prompt as described in that setting; patches welcome. >>> >>> Look forward to any feedback. >>> >>> -Evan >> >> -- >> Joe Hildebrand >> >> > > -- Joe Hildebrand
recon.log
Description: Binary data
