Opened 11 years ago

Closed 10 years ago

#6394 closed defect (fixed)

Pidgin cannot connect to jabberd 2.2.0/2.2.1

Reported by: adrian13
Owned by: deryni
Milestone:
Component: XMPP
Version: 2.4.3
Keywords:
Cc: jsambrook, neuro

Description (last modified by datallah)

With pidgin I cannot connect to a jabberd 2.2.0 or 2.2.1. PSI just works. On the server I get the following error:

sx (io.c:212) passed 126 read bytes
sx (chain.c:93) calling io read chain
sx (ssl.c:380) in _sx_ssl_rio
sx (ssl.c:384) loading 126 bytes into ssl read buffer
sx (ssl.c:462) openssl error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
sx (ssl.c:466) tag 27 event 8 data 0xbfde9100
Mon Jul 21 09:59:00 2008 [notice] [27] [127.0.0.1, port=42349] error: SSL handshake error (error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number)
sx (error.c:79) prepared error: <stream:stream xmlns:stream='http://etherx.jabber.org/streams' version='1.0'><stream:error xmlns:stream='http://etherx.jabber.org/streams'><internal-server-error xmlns='urn:ietf:params:xml:ns:xmpp-streams'/><text xmlns='urn:ietf:params:xml:ns:xmpp-streams'>error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number</text></stream:error></stream:stream>

Pidgin just does nothing and keeps saying "connecting". Seems to time out.

I am using Fedora 9 with pidgin-2.4.3-1.fc9

Attachments (2)

pidgin-jabber-log.pcap (3.8 KB) - added by adrian13 11 years ago.
PIDGIN-JABBERD wireshark log
psi-jabber-log.pcap (11.3 KB) - added by adrian13 11 years ago.
PSI-JABBERD WIRESHARK log


Change History (22)

comment:1 Changed 11 years ago by datallah

  • Description modified (diff)
  • pending changed from 0 to 1

Please include the corresponding debug log from Pidgin.

comment:2 Changed 11 years ago by adrian13

  • pending changed from 1 to 0

(09:34:11) account: Connecting to account adrian@localhost.localdomain/Home
(09:34:11) connection: Connecting. gc = 0xa0f7540
(09:34:11) dnssrv: querying SRV record for _xmpp-client._tcp.localhost.localdomain
(09:34:11) dnssrv: found 0 SRV entries
(09:34:11) dns: DNS query for 'localhost.localdomain' queued
(09:34:11) dns: Created new DNS child 8037, there are now 1 children.
(09:34:11) dns: Successfully sent DNS request to child 8037
(09:34:11) dns: Got response for 'localhost.localdomain'
(09:34:11) dnsquery: IP resolved for localhost.localdomain
(09:34:11) proxy: Attempting connection to 127.0.0.1
(09:34:11) proxy: Connecting to localhost.localdomain:5222 with no proxy
(09:34:11) proxy: Connection in progress
(09:34:11) proxy: Connected to localhost.localdomain:5222.
(09:34:11) jabber: Sending: <?xml version='1.0' ?>
(09:34:11) jabber: Sending: <stream:stream to='localhost.localdomain' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
(09:34:11) jabber: Recv (400): <?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:client' from='localhost.localdomain' version='1.0' id='ztbaqsmrp42o4gs09ffl2n7j23br64u6y6hpz3ho'><stream:features xmlns:stream='http://etherx.jabber.org/streams'><auth xmlns='http://jabber.org/features/iq-auth'/><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>
(09:34:11) jabber: Sending: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(09:34:11) jabber: Recv (50): <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(09:34:11) jabber: Sending: <stream:stream to='localhost.localdomain' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
(09:34:11) g_log: purple_connection_update_progress: assertion `step < count' failed

After that nothing happens for over three hours. Pidgin still says "Connecting".

comment:3 follow-up: Changed 11 years ago by deryni

  • pending changed from 0 to 1

pidgin is 'hanging' at "Connecting" because the server is apparently never sending us any error message. (Despite the server log seemingly indicating that it has an error message prepared.)

As to what is going wrong it looks like pidgin is trying a version of SSL/TLS that the server is either not expecting or is configured not to accept (assuming I understand that openssl error correctly). Can you check the server configuration for SSL support? Are you perhaps not allowing TLS or something of that sort?

A separate issue would be trying to determine whether or not the server is attempting to send the error message and failing, not trying at all, or trying and somehow pidgin isn't getting or understanding it.

comment:4 in reply to: ↑ 3 Changed 11 years ago by adrian13

  • pending changed from 1 to 0

Replying to deryni:

> As to what is going wrong it looks like pidgin is trying a version of SSL/TLS that the server is either not expecting or is configured not to accept (assuming I understand that openssl error correctly). Can you check the server configuration for SSL support? Are you perhaps not allowing TLS or something of that sort?

From how I understand it, it is configured correctly:

<id realm='' require-starttls='true' pemfile='/etc/jabberd/server.pem'>localhost.localdomain</id>

With the following description:

         require-starttls
         If this is enabled, clients must do STARTTLS
         before they can authenticate. Until the stream is encrypted,
         all packets will be dropped

> A separate issue would be trying to determine whether or not the server is attempting to send the error message and failing, not trying at all, or trying and somehow pidgin isn't getting or understanding it.

I will attach a wireshark log from a connection attempt. From a first look at it pidgin is indeed sending a request to which the server does not send an answer. I will also attach a wireshark log from PSI connection attempt. I hope it helps even if most of it is encrypted.

I also tried to disable encryption on both ends and then it works.

Changed 11 years ago by adrian13

PIDGIN-JABBERD wireshark log

Changed 11 years ago by adrian13

PSI-JABBERD WIRESHARK log

comment:5 Changed 11 years ago by deryni

  • Owner changed from nwalp to deryni

comment:6 Changed 11 years ago by adrian13

I can also not connect to jabberd 2.2.2. I really have no idea what I am doing wrong?

comment:7 Changed 11 years ago by smoku

[smoku@wing ~]$ lsb_release -d; rpm -q pidgin
Description:	Fedora release 9 (Sulphur)
pidgin-2.4.3-1.fc9.i386

jabberd 2.2.2 + GnuSASL 0.2.27

I am testing it and it is very nondeterministic. Sometimes Pidgin connects OK, sometimes not.

This looks like Pidgin requests SSLv3 during negotiation but does not deliver SSLv3 fields.

I would suggest using something like SSL_set_ssl_method(ssl, TLSv1_client_method()); right after SSL_new(ctx); to enforce TLSv1 negotiation.

BTW: I fixed the problem that stream error is not sent in jabberd2 /trunk.

comment:8 Changed 11 years ago by deryni

pidgin doesn't use openssl, so the suggestion doesn't help exactly. It is entirely possible that we are not correctly setting up the ssl connection before attempting to use it though. Which ssl plugin is enabled in the Fedora 9 pidgin build (the About dialog should tell you)?

comment:9 Changed 11 years ago by smoku

The suggestion "something like" was just that - a suggestion. ;-)

Fedora Pidgin:

  Arguments to ./configure:   '--build=i386-redhat-linux-gnu' '--host=i386-redhat-linux-gnu' '--target=i386-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--localstatedir=/var' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--enable-gnutls=no' '--enable-nss=yes' '--enable-cyrus-sasl' '--enable-tcl' '--enable-tk' '--disable-schemas-install' '--with-extraversion=1.fc9' '--with-krb4' '--with-silc-includes=/usr/include/silc' '--with-silc-libs=/usr/lib' '--enable-perl' '--enable-gevolution' '--enable-dbus' '--enable-nm' '--enable-gstreamer' 'build_alias=i386-redhat-linux-gnu' 'host_alias=i386-redhat-linux-gnu' 'target_alias=i386-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-all --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables' 'FFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables'
  Print debugging messages: No
  Plugins: Enabled
  SSL: SSL support is present.

  Library Support
    Cyrus SASL: Enabled
    D-Bus: Enabled
    Evolution Addressbook: Enabled
    Gadu-Gadu library (libgadu): Internal
    GtkSpell: Enabled
    GnuTLS: Disabled
    GStreamer: Enabled
    Mono: Disabled
    NetworkManager: Enabled
    Network Security Services (NSS): Enabled
    Perl: Disabled
    Startup Notification: Enabled
    Tcl: Disabled
    Tk: Disabled
    X Session Management: Enabled
    XScreenSaver: Enabled
    Zephyr library (libzephyr): Not External
    Zephyr uses Kerberos: Yes

comment:10 Changed 11 years ago by deryni

I figured you realized the limitations of your suggestion, I just wanted to make it clear to people less familiar with things that the solution to our end of the problem isn't as simple as copying and pasting your lines of code.

It occurs to me that this ticket might (at least tangentially) be related to the issues in #1435 (in that they both seem to be problems with the way we are currently using the NSS libraries for SSL support).

comment:11 Changed 10 years ago by smoku

I'm on Ubuntu 8.10. Pidgin 2.5.2 from Ubuntu repository connects fine. Pidgin 2.5.4 from http://www.getdeb.net/app/Pidgin exhibits 1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number problem.

comment:12 Changed 10 years ago by smoku

When I remove ~/.purple/certificates/x509/tls_peers/localhost file Pidgin connects fine after accepting the certificate in the dialog window and after disconnecting and connecting again. But when I quit Pidgin and start it again it crashes during connection (and jabberd reports SSL3_GET_RECORD:wrong version number).

comment:13 Changed 10 years ago by deryni

We don't generally support packages of pidgin installed from getdeb because they have on occasion had very odd problems that didn't occur anywhere else.

That being said, if the Ubuntu and getdeb packages depend on the same versions of the same SSL library then I am slightly at a loss as to what else might be involved here.

Can you dump the SSL traffic and see what the TLS/SSL HELO information contains when sent by pidgin?

comment:14 Changed 10 years ago by smoku

After reverting to Pidgin 2.5.2 from Ubuntu official, I still observe the faulty behavior.

I can dump the traffic - could you hint me how?
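
For the traffic dump requested in comment:13, the bytes to inspect are the first ones the client sends after `<proceed/>`. The following Python sketch is an added example (not code from Pidgin, jabberd or any commenter) that classifies those bytes as a TLS record or as plaintext; `classify_first_bytes`, `build_sample_client_hello` and `STREAM_HEADER` are names constructed for illustration, with the stream header copied from the debug log in comment:2 (it is 126 bytes long, the size the server log reports loading into its SSL read buffer).

```python
import struct

# TLS record content types and protocol versions (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# Constructed sample: the stream header from the comment:2 debug log, as raw bytes.
STREAM_HEADER = (b"<stream:stream to='localhost.localdomain' xmlns='jabber:client' "
                 b"xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>")


def build_sample_client_hello() -> bytes:
    """Constructed minimal TLSv1.0 ClientHello (zero random, one cipher suite)."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def classify_first_bytes(data: bytes) -> dict:
    """Classify the first client bytes seen after <proceed/> on a STARTTLS stream."""
    if len(data) < 5:
        return {"kind": "too_short"}
    # Record header: content type (1), version major/minor (2), length (2).
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if major != 3:
        # OpenSSL rejects a record header like this with "wrong version number".
        kind = "plaintext_xml" if data.lstrip()[:1] == b"<" else "not_tls"
        return {"kind": kind, "header_version": (major, minor)}
    result = {"kind": "tls_record",
              "content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
              "record_version": VERSIONS.get((major, minor), f"3.{minor}"),
              "record_length": length}
    body = data[5:5 + length]
    # Handshake header is type (1) + length (3); a ClientHello then carries client_version (2).
    if ctype == 22 and len(body) >= 6 and body[0] == 1:
        result["handshake"] = "client_hello"
        result["client_version"] = VERSIONS.get((body[4], body[5]), f"{body[4]}.{body[5]}")
    return result


if __name__ == "__main__":
    samples = (("stream header", STREAM_HEADER), ("client hello", build_sample_client_hello()))
    for name, sample in samples:
        print(name, len(sample), classify_first_bytes(sample))
```

The input is the first client-to-server TCP payload that follows `<proceed/>` in a capture such as the attached pcap files.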

comment:15 Changed 10 years ago by smoku

You may test it yourself too - create an account on chrome.pl XMPP server - it's running latest development jabberd2 code.

comment:16 Changed 10 years ago by jsambrook

Same problem here with standard Ubuntu packages.

comment:17 follow-up: Changed 10 years ago by neuro

Using latest Ubuntu 9.04 with Pidgin 2.5.5 and local jabberd2 2.2.1 server.

I can confirm that Pidgin works fine the first time it connects (when you must accept the certificate) but after that it segfaults without a reason.

Any chance of seeing a fix for this?

comment:18 in reply to: ↑ 17 Changed 10 years ago by rekkanoryo

Replying to neuro:

> Using latest Ubuntu 9.04 with Pidgin 2.5.5 and local jabberd2 2.2.1 server.
>
> I can confirm that Pidgin works fine the first time it connects (when you must accept the certificate) but after that it segfaults without a reason.
>
> Any chance of seeing a fix for this?


Your issue is completely unrelated to this one and is the same problem described in #8830.

comment:19 Changed 10 years ago by deryni

  • Status changed from new to pending

Is this still a problem with more recent versions of pidgin and jabberd?

comment:20 Changed 10 years ago by adrian13

  • Resolution set to fixed
  • Status changed from pending to closed

With the current version of jabberd and pidgin I have not seen this any more. Closing as fixed.
