Opened 8 years ago

Last modified 8 years ago

#8828 new defect

pidgin can't connect to SSL IRC server with authentication enabled without saved passwords

Reported by: kamath
Owned by: elb
Milestone:
Component: IRC
Version: 2.5.5
Keywords:
Cc:

Description

We recently switched to an internally authenticated IRC server. Since IRC sends passwords in cleartext over the wire, we turned on SSL on the IRC server. But no one with pidgin can connect unless they do this rigamarole:

  • Edit the account for the IRC server
  • Enter the username/password in the appropriate boxes in the "Modify Account" dialog
  • click "Remember password"
  • Click save
  • Enable the account

[At this point you'll get a long delay, and a "SSL Handshake Failed" message.]

  • Quit pidgin
  • Start pidgin

[This should get you connected to the IRC server]

  • Edit the account and uncheck "Remember password"

[This last step is to keep your password from being stored in cleartext on disk].

It would appear that the IRC code doesn't know how to prompt for a password, and there's no way to enter a password that will be used for a connection attempt unless you save the password to disk.

Change History (4)

comment:1 Changed 8 years ago by kamath

  • Summary changed from pidgin can't connect to SSL IRC server with authentication enable without saved passwords to pidgin can't connect to SSL IRC server with authentication enabled without saved passwords

comment:2 Changed 8 years ago by deryni

  • Status changed from new to pending

Correct, the irc prpl doesn't currently appear to support prompting for a password on connection failure. It can't prompt by default as most IRC servers do not require passwords. But to me the more interesting issue here is that the connection fails the first time. Can you get the Help->Debug Window output of the SSL failure?

I'll refrain from asking why an internal IRC server needs password authentication since I don't imagine that is a conversation that will go anywhere.

comment:3 Changed 8 years ago by kamath

  • Status changed from pending to new

This is the relevant log information for the attempt at logging in *without* a password save (i.e., I just fired up pidgin and brought up the debug window as fast as I could. It took a fair amount of time, and then this appeared). Oddly, I do *NOT* get the "authentication denied" message. [Forgive some minor obfuscation of server name and IP address; they are correct in the unedited version]

(13:31:43) autorecon: do_signon called
(13:31:43) autorecon: calling purple_account_connect
(13:31:43) account: Connecting to account kamath@the.irc.server.com
(13:31:43) connection: Connecting. gc = 0xf12d10
(13:31:43) dns: DNS query for 'the.irc.server.com' queued
(13:31:43) autorecon: done calling purple_account_connect
(13:31:43) dns: Wait for DNS child 6785 failed: No child processes
(13:31:43) dns: Created new DNS child 6790, there are now 1 children.
(13:31:43) dns: Successfully sent DNS request to child 6790
(13:31:43) dns: Got response for 'the.irc.server.com'
(13:31:43) dnsquery: IP resolved for the.irc.server.com
(13:31:43) proxy: Attempting connection to 192.168.1.1
(13:31:43) proxy: Connecting to the.irc.server.com:6667 with no proxy
(13:31:43) proxy: Connection in progress
(13:31:43) proxy: Connecting to the.irc.server.com:6667.
(13:31:43) nss: Handshake failed  (-5938)
(13:31:43) account: Disconnecting account 0x9db4d0
(13:31:43) connection: Disconnecting connection 0xf12d10
(13:31:43) connection: Destroying connection 0xf12d10

So, on the first load of pidgin, I *always* get that message (Handshake failed). However, the second time and on I don't have to wait so long. ;-)

Now, if I quit pidgin, after saving my password, but leaving the account disabled, then start pidgin and try and enable the account, I get the following:

(13:38:55) account: Connecting to account kamath@the.irc.server.com
(13:38:55) connection: Connecting. gc = 0xecc400
(13:38:55) dns: DNS query for 'the.irc.server.com' queued
(13:38:55) dns: Created new DNS child 6990, there are now 1 children.
(13:38:55) dns: Successfully sent DNS request to child 6990
(13:38:55) dns: Got response for 'the.irc.server.com'
(13:38:55) dnsquery: IP resolved for the.irc.server.com
(13:38:55) proxy: Attempting connection to 192.168.1.1
(13:38:55) proxy: Connecting to the.irc.server.com:6667 with no proxy
(13:38:55) proxy: Connection in progress
(13:38:55) proxy: Connecting to the.irc.server.com:6667.
(13:38:55) nss: subject=E=postmaster@dreamworks.com,CN=the.irc.server.com,OU=Our OU,O=DreamWorks Animation SKG Inc.,L=Glendale,ST=California,C=US issuer=E=postmaster@dreamworks.com,CN=the.irc.server.com,OU=Our OU,O=DreamWorks Animation SKG Inc.,L=Glendale,ST=California,C=US
(13:38:55) certificate/x509/tls_cached: Starting verify for the.irc.server.com
(13:38:55) certificate/x509/tls_cached: Checking for cached cert...
(13:38:55) certificate/x509/tls_cached: ...Found cached cert
(13:38:55) nss/x509: Loading certificate from /home/kamath/.purple/certificates/x509/tls_peers/the.irc.server.com
(13:38:55) certificate/x509/tls_cached: Peer cert matched cached
(13:38:55) certificate: Successfully verified certificate for the.irc.server.com
(13:38:55) irc: Got a NOTICE on Auth, which does not exist
(13:38:55) irc: Got a NOTICE on Auth, which does not exist
(13:38:55) account: Disconnecting account 0x9da9b0
(13:38:55) connection: Disconnecting connection 0xecc400
(13:38:55) connection: Destroying connection 0xecc400

Thereafter, I get the "Handshake failed" message.

The only difference when it *WORKS* is that I get *four* "irc: Got a NOTICE on Auth, which does not exist" messages. And then I'm logged in. Go figger.

If you'd like more log information, let me know. I'm also happy to grab the source and compile it and/or run debug code. Just let me know.

Oh, BTW: When I save the password, restart pidgin, get the error message -- my password is removed from the account setting. That doesn't seem right. :-(
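
An added example, not part of the ticket and not Pidgin's own code: a small Python triage script that splits a Pidgin debug log into connection attempts and records how far each one got, using the message formats quoted in comment 3. The sample log is constructed from shortened lines of those two captures, and the stage labels are this example's own names.

```python
import re
from dataclasses import dataclass

# Constructed sample: shortened lines from the two captures in comment 3.
SAMPLE_LOG = """\
(13:31:43) connection: Connecting. gc = 0xf12d10
(13:31:43) nss: Handshake failed  (-5938)
(13:31:43) connection: Destroying connection 0xf12d10
(13:38:55) connection: Connecting. gc = 0xecc400
(13:38:55) certificate: Successfully verified certificate for the.irc.server.com
(13:38:55) irc: Got a NOTICE on Auth, which does not exist
(13:38:55) irc: Got a NOTICE on Auth, which does not exist
(13:38:55) connection: Destroying connection 0xecc400
"""

LINE = re.compile(r"^\(\d\d:\d\d:\d\d\) ([^:]+): (.*)$")
HANDSHAKE_FAILED = re.compile(r"Handshake failed\s+\((-?\d+)\)")

@dataclass
class Attempt:
    gc: str                      # connection pointer printed by Pidgin
    nss_error: int = 0           # code from "nss: Handshake failed (...)", 0 = none
    cert_verified: bool = False  # peer certificate accepted
    auth_notices: int = 0        # "Got a NOTICE on Auth" lines seen
    closed: bool = False         # "Destroying connection" seen

    @property
    def stage(self) -> str:      # stage labels are this example's own
        if self.nss_error:
            return "tls-handshake-failed"
        if self.cert_verified:
            return "closed-after-tls" if self.closed else "tls-ok-open"
        return "no-tls-result"

def parse_attempts(log: str) -> list:
    attempts, cur = [], Attempt(gc="")   # cur starts as a sink for stray lines
    for raw in log.splitlines():
        module, msg = m.groups() if (m := LINE.match(raw.strip())) else ("", "")
        if module == "connection" and msg.startswith("Connecting. gc = "):
            attempts.append(cur := Attempt(gc=msg.rsplit(" ", 1)[1]))
        elif module == "nss" and (err := HANDSHAKE_FAILED.search(msg)):
            cur.nss_error = int(err.group(1))
        elif module == "certificate" and msg.startswith("Successfully verified"):
            cur.cert_verified = True
        elif module == "irc" and msg.startswith("Got a NOTICE on Auth"):
            cur.auth_notices += 1
        elif module == "connection" and msg.startswith("Destroying connection"):
            cur.closed = True
    return attempts
```
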

comment:4 Changed 8 years ago by kamath

Is there anything else I can do to help this issue get resolved? If someone could point to the relevant bits of code to look at, I might have a clue, but I've never had much luck with SSL code.

As for why we have authentication on our internal IRC server, I have one word: Auditors. We started logging all our internal IRC chats, and in order to make the logs meaningful, it was decided that we'd do authentication.

It was then 'discovered' that using authentication over IRC would ship a password in plaintext, and that's why we have SSL.

Sean
