Cannot connect to Openfire XMPP server if DIGEST-MD5 is enabled

[ryanlim]

I cannot connect to my XMPP server. Adium reports "Error: Incorrect username or password" and prompts me for the password again. My username and password is correct.

I've noticed this since r21254 until r21293.

Mac OS X version: 10.4.10

Revision of your SVN checkout: r21293

What steps you took to diagnose the issue: Debug window (see attached)

What steps you took to attempt to fix the issue: Verify my username and password are correct.

What version of Xcode you used (remember that you need at least version 2.3): 2.4.1

What happened: I cannot login to my XMPP account.

What was expected to have happened: Login successfully.

I'm attaching the relevant debug log for this.

[evands]

Your server supports the Digest-MD5, Plain, and Cram-MD5 authentication methods. Previously, only Plain was supported. Support for Digest-MD5 and Cram-MD5 has just been added, but was untested.. one or both appear to be buggy. Could you make me an account on your XMPP server (see evands for my email address) for testing purposes, please?

Also, are you on PPC or Intel?

[ryanlim]

I'm running the Openfire 3.3.3 XMPP server. I've emailed you the details for connecting to my XMPP server. :)

Adium is on an Intel.

[ryanlim]

Evan,

I did quite a bit of digging in the pidgin/libpurple code. Everything looked fine.

Then I stumbled across this:  http://www.igniterealtime.org/community/thread/28577

It seems that Java's DIGEST-MD5 doesn't work the same as cyrus-sasl's.

This ticket can be closed - Adium/libpurple/cyrus-sasl is not broken as far as this is concerned.

[boredzo]

Closing per user information.

[evands]

The question, then, is this: Do we leave DIGEST-MD5 support in Adium, knowing that it makes it impossible to connect to Openfire when Openfire has DIGEST-MD5 enabled? Or do we disable it, removing the ability to make use of it on other servers?

[evands]

Also, I'd like to verify that libpurple's DIGEST-MD5 works on non-Java servers; the thread of conversation regarding the java vs. cyrus-sasl incompatibility, which ultimately boils down to  this ticket, doesn't sound exactly the same as what we're seeing, though that might just be a misunderstanding on my part.

[ryanlim]

From my quick reading  here, it seems that they the XMPP standards may throw DIGEST-MD5 out the window because of the different interpretations of RFC2831.

I'll see if I can find out more about this.

[stpeter]

Regarding the XMPP standards, yes we will most likely deprecate DIGEST-MD5 because the IETF is deprecating it. Instead we will recommend SASL PLAIN over an encrypted connection. Hopefully there is less confusion about Transport Layer Security than about the SASL DIGEST-MD5 mechanism, so that everyone will be able to interoperate using TLS + SASL PLAIN.

However, this doesn't help all those server admins who have deployed DIGEST-MD5, so it would be good to get to the bottom of the problem. Unfortunately, that probably requires coordination between the Java and Cyrus people.

[evands]

(In [21340]) Libpurple.framework [510], which is just like [509] except has DIGEST-MD5 disabled and Kerberos4 enabled for cyrus-sasl XMPP authentication. See #8135 for more info. Refs #8135

[ari]

I continue to get this error with Openfire and Adium 1.2b1 and b2 Should I open another ticket with further information or is this issue already being investigated?

[evands]

#8586 is a ticket with additional information marked a duplicate of this one.

[evands]

(In [21977]) libpurple.framework with the patch added in [21976] which makes use of the built-in digest-md5 authentication mechanism in xmpp. This change was also committed to im.pidgin.pidgin. This fixes auth to Java-based servers which advertise DIGEST-MD5 as a preferred mechanism.

Fixes #8135. Fixes #8586.