Adium

Opened 3 years ago

Closed 2 years ago

Last modified 2 years ago

#16081 closed defect (fixed)

Unable to connect to corporate XMPP server on Mountain Lion

Reported by: aka
Owned by: evan
Milestone: Adium 1.5.4
Component: Service/XMPP (Jabber)
Version: 1.5.2
Severity: normal
Keywords: SSL Handshake Failed
Cc: evan
Patch Status: Accepted

Description

Summary

Have used Adium happily for many years to connect to my employer's XMPP server. With Adium 1.5.x, this still works fine on OS X 10.7, but fails with SSL Handshake Error on OS X 10.8 (12A256).

Both Messages.app and Trillian.app (latest version from Mac App Store) can connect to the same XMPP server with the same account settings on the same build of 10.8.

Steps to reproduce

1. Configure an XMPP account to connect on port 5223, and check "Force old-style SSL", per my employer's requirements.
2. Connect to XMPP server.

Expected results

Connection succeeds, contacts displayed.

Actual results

Initializing Stream Error: SSL Handshake Failed, reconnecting in 5s

Regression

Works on OS X 10.7 with all recent versions of Adium, up to and including 1.5.2b1. Doesn't work on OS X 10.8 (12A269) with any version of Adium I've tried, including 1.5.3b1. Don't know if it worked on earlier 10.8 seeds.

Notes

As a side note, there is another closed ticket with a similar error - however the pertinent error message is different: SSLHandshake failed with error -9820

16:41:40: <ESPurpleJabberAccount:23759b0 13>:username@im.servername.com: Original image of size 96.000000 96.000000
16:41:40: -[CBPurpleAccount setAccountUserImage:withData:]:2717: <ESPurpleJabberAccount:23759b0 13>:username@im.servername.com: Setting icon data of length 20052
16:41:40: <ESPurpleJabberAccount:23759b0 13>:username@im.servername.com: Updating status for key: User Icon
16:41:40: Adium: Connect: username@im.servername.com initiating connection using status state <AIStatus: 3878a60 [Available]> ((null)).
16:41:40: Setting status on b149520 (username@im.servername.com/Resource): ID available, isActive 1, attributes {
    buzz = 1;
    priority = 0;
}
16:41:40: (Libpurple: account) Connecting to account username@im.servername.com/Resource.
16:41:40: (Libpurple: connection) Connecting. gc = 0x10b5ce4c0
16:41:40: Connecting: gc=0xb5ce4c0 (Connecting) 1 / 5
16:41:40: (Libpurple: dnsquery) Performing DNS lookup for im.servername.com
16:41:40: <ESPurpleJabberAccount:23759b0 13>:username@im.servername.com: Updating status for key: isOnline
16:41:40: ************ username@im.servername.com --step-- 1
16:41:40: -[AdiumPurpleDnsRequest startLookup]:194: Performing DNS resolve: im.servername.com:5223
16:41:40: DNS resolve complete for im.servername.com:5223; 1 addresses returned
16:41:40: (Libpurple: dnsquery) IP resolved for im.servername.com
16:41:40: (Libpurple: proxy) Attempting connection to 1.2.3.4
16:41:40: (Libpurple: proxy) Connecting to im.servername.com:5223 with no proxy
16:41:40: (Libpurple: proxy) Connection in progress
16:41:40: (Libpurple: proxy) Connecting to im.servername.com:5223.
16:41:40: (Libpurple: proxy) Connected to im.servername.com:5223.
16:41:40: (Libpurple: cdsa) Connecting
16:41:40: (Libpurple: cdsa) Connecting
16:41:41: (Libpurple: cdsa) Connecting
16:41:41: (Libpurple: cdsa) Connecting
16:41:41: (Libpurple: cdsa) Connecting
16:41:41: (Libpurple: cdsa) SSLHandshake failed with error -9820
16:41:41: (Libpurple: connection) Connection error on 0x10b5ce4c0 (reason: 5 description: SSL Handshake Failed)
16:41:41: Connection Disconnected: gc=b5ce4c0 (SSL Handshake Failed)
16:41:41: <ESPurpleJabberAccount:23759b0 13>:username@im.servername.com accountConnectionReportDisconnect: SSL Handshake Failed
16:41:41: (Libpurple: account) Disconnecting account username@im.servername.com/Resource (0x10b149520)
16:41:41: (Libpurple: connection) Disconnecting connection 0x10b5ce4c0
16:41:41: Disconnected: gc=b5ce4c0
16:41:41: <ESPurpleJabberAccount:23759b0 13>:username@im.servername.com: Telling the core we disconnected
16:41:41: -[AIContactObserverManager endListObjectNotificationsDelaysImmediately]:144: 
16:41:41: <ESPurpleJabberAccount:23759b0 13>:username@im.servername.com: Disconnected ("SSL Handshake Failed"): Automatically reconnecting in 16.413086 seconds (5 attempts performed)
16:41:41: (Libpurple: connection) Destroying connection 0x10b5ce4c0
16:41:45: (Libpurple: util) Writing file accounts.xml to directory /Users/username/Library/Application Support/Adium 2.0/Users/Default/libpurple
16:41:45: (Libpurple: util) Writing file /Users/username/Library/Application Support/Adium 2.0/Users/Default/libpurple/accounts.xml
16:41:45: (Libpurple: util) Writing file blist.xml to directory /Users/username/Library/Application Support/Adium 2.0/Users/Default/libpurple
16:41:45: (Libpurple: util) Writing file /Users/username/Library/Application Support/Adium 2.0/Users/Default/libpurple/blist.xml


Attachments (2)

cdsa-tls-patch.diff (6.1 KB) - added by evan 3 years ago.
adiumdbg_tripod_1.txt (2.1 KB) - added by tripod 2 years ago.
debuglog of failed handshake

Change History (37)

comment:1 Changed 3 years ago by mhoskins

I'm having a similar issue after upgrading to 10.8. Same Adium version and configuration settings worked fine in 10.7. I've tried various combinations of old style (or not), removed strict cert checks, etc. and it makes no difference. Latest beta release also does not work.

Short story seems to be "(Libpurple: cdsa) SSLHandshake failed with error -9820":

17:43:32: -[AIAccount(Abstract) retrievePasswordThenConnect]:448: Retrieving <ESPurpleJabberAccount:32955d0 1>:user@domain.com's password (promptOption 2)
17:43:32: <ESPurpleJabberAccount:32955d0 1>:user@domain.com: Updating status for key: isOnline
17:43:32: <ESPurpleJabberAccount:32955d0 1>:user@domain.com: Updating status for key: Enabled
17:43:32: <ESPurpleJabberAccount:32955d0 1>:user@domain.com: Updating status for key: FullNameAttr
17:43:32: handleConnectivityForAccount: <ESPurpleJabberAccount:32955d0 1>:user@domain.com reachable: 1
17:43:32: -[CBPurpleAccount setAccountUserImage:withData:]:2717: <ESPurpleJabberAccount:32955d0 1>:user@domain.com: Setting icon data of length 0
17:43:32: <ESPurpleJabberAccount:32955d0 1>:user@domain.com: Updating status for key: User Icon
17:43:32: Adium: Connect: user@domain.com initiating connection using status state <AIStatus: 3058e60 [Available]> ((null)).
17:43:32: Setting status on 32e98a0 (user@domain.com/hostname): ID available, isActive 1, attributes {
    buzz = 1;
    priority = 0;
}
17:43:32: (Libpurple: account) Connecting to account user@domain.com/hostname.
17:43:32: (Libpurple: connection) Connecting. gc = 0x1023f9d00
17:43:32: Connecting: gc=0x23f9d00 (Connecting) 1 / 5
17:43:32: (Libpurple: dnssrv) querying SRV record for site.com: _xmpp-client._tcp.site.com
17:43:32: ************ user@domain.com --step-- 1
17:43:32: (Libpurple: dnssrv) found 1 SRV entries
17:43:32: (Libpurple: dnsquery) Performing DNS lookup for isj3cmx.site.com
17:43:32: -[AdiumPurpleDnsRequest startLookup]:194: Performing DNS resolve: isj3cmx.site.com:5222
17:43:32: DNS resolve complete for isj3cmx.site.com:5222; 1 addresses returned
17:43:32: (Libpurple: dnsquery) IP resolved for isj3cmx.site.com
17:43:32: (Libpurple: proxy) Attempting connection to a.b.c.d
17:43:32: (Libpurple: proxy) Connecting to isj3cmx.site.com:5222 with no proxy
17:43:32: (Libpurple: proxy) Connection in progress
17:43:32: (Libpurple: proxy) Connecting to isj3cmx.site.com:5222.
17:43:32: (Libpurple: proxy) Connected to isj3cmx.site.com:5222.
17:43:32: (Libpurple: jabber) Sending (user@domain.com/hostname): <?xml version='1.0' ?>
17:43:32: Connecting: gc=0x23f9d00 (Initializing Stream) 2 / 5
17:43:32: (Libpurple: jabber) Sending (user@domain.com/hostname): <stream:stream to='site.com' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
17:43:32: ************ user@domain.com --step-- 2
17:43:32: (Libpurple: jabber) Recv (176): <stream:stream xmlns='jabber:client' xml:lang='en-US.UTF-8' xmlns:stream='http://etherx.jabber.org/streams' from='site.com'   id='Z-Ics3txQjakFsJwpo17JQ1521345' version='1.0'>
17:43:32: (Libpurple: jabber) Recv (107): <stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>
17:43:32: (Libpurple: jabber) Sending (user@domain.com/hostname): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
17:43:32: Connecting: gc=0x23f9d00 (Initializing SSL/TLS) 6 / 9
17:43:32: ************ user@domain.com --step-- 6
17:43:32: (Libpurple: jabber) Recv (50): <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
17:43:32: (Libpurple: cdsa) Connecting
17:43:32: (Libpurple: cdsa) Connecting
17:43:33: (Libpurple: cdsa) Connecting
17:43:33: (Libpurple: cdsa) SSLHandshake failed with error -9820
17:43:33: (Libpurple: connection) Connection error on 0x1023f9d00 (reason: 5 description: SSL Handshake Failed)
17:43:33: Connection Disconnected: gc=23f9d00 (SSL Handshake Failed)
17:43:33: <ESPurpleJabberAccount:32955d0 1>:user@domain.com accountConnectionReportDisconnect: SSL Handshake Failed
17:43:33: (Libpurple: account) Disconnecting account user@domain.com/hostname (0x1032e98a0)
17:43:33: (Libpurple: connection) Disconnecting connection 0x1023f9d00
17:43:33: Disconnected: gc=23f9d00
17:43:33: <ESPurpleJabberAccount:32955d0 1>:user@domain.com: Telling the core we disconnected
17:43:33: -[AIContactObserverManager endListObjectNotificationsDelaysImmediately]:144: 
17:43:33: <ESPurpleJabberAccount:32955d0 1>:user@domain.com: Disconnected ("SSL Handshake Failed"): Automatically reconnecting in 5.000000 seconds (0 attempts performed)
17:43:33: (Libpurple: connection) Destroying connection 0x1023f9d00
Last edited 3 years ago by mhoskins

comment:2 Changed 3 years ago by alexkli

I have the same issue with 1.5.2 and a corporate XMPP server.

Here is my log, with account, server & ip data anonymized:

14:22:00: -[AIAccount(Abstract) retrievePasswordThenConnect]:448: Retrieving <ESPurpleJabberAccount:6603350 5>:username@im.enterprise.com's password (promptOption 2)
14:22:00: <ESPurpleJabberAccount:6603350 5>:username@im.enterprise.com: Updating status for key: isOnline
14:22:00: <ESPurpleJabberAccount:6603350 5>:username@im.enterprise.com: Original image of size 320.000000 320.000000
14:22:00: <ESPurpleJabberAccount:6603350 5>:username@im.enterprise.com: Scaled image to size {96, 96}
14:22:00: -[CBPurpleAccount setAccountUserImage:withData:]:2717: <ESPurpleJabberAccount:6603350 5>:username@im.enterprise.com: Setting icon data of length 22799
14:22:00: <ESPurpleJabberAccount:6603350 5>:username@im.enterprise.com: Updating status for key: User Icon
14:22:00: Adium: Connect: username@im.enterprise.com initiating connection using status state <AIStatus: 23a0c40 [@berlin]> ((null)).
14:22:00: Setting status on 3088020 (username@im.enterprise.com/my-computer): ID available, isActive 1, attributes {
    buzz = 1;
    priority = 0;
}
14:22:00: (Libpurple: account) Connecting to account username@im.enterprise.com/my-computer.
14:22:00: (Libpurple: connection) Connecting. gc = 0x109122170
14:22:00: Connecting: gc=0x9122170 (Verbindungsaufbau) 1 / 5
14:22:00: (Libpurple: dnsquery) Performing DNS lookup for im.enterprise.com
14:22:00: ************ username@im.enterprise.com --step-- 1
14:22:00: -[AdiumPurpleDnsRequest startLookup]:194: Performing DNS resolve: im.enterprise.com:5223
14:22:00: DNS resolve complete for im.enterprise.com:5223; 1 addresses returned
14:22:00: (Libpurple: dnsquery) IP resolved for im.enterprise.com
14:22:00: (Libpurple: proxy) Attempting connection to 1.2.3.4
14:22:00: (Libpurple: proxy) Connecting to im.enterprise.com:5223 with no proxy
14:22:00: (Libpurple: proxy) Connection in progress
14:22:00: (Libpurple: proxy) Connecting to im.enterprise.com:5223.
14:22:00: (Libpurple: proxy) Connected to im.enterprise.com:5223.
14:22:00: (Libpurple: cdsa) Connecting
14:22:01: (Libpurple: cdsa) Connecting
14:22:01: (Libpurple: cdsa) Connecting
14:22:01: (Libpurple: cdsa) Connecting
14:22:02: (Libpurple: cdsa) Connecting
14:22:02: (Libpurple: cdsa) SSLHandshake failed with error -9820
14:22:02: (Libpurple: connection) Connection error on 0x109122170 (reason: 5 description: SSL Handshake Failed)
14:22:02: Connection Disconnected: gc=9122170 (SSL Handshake Failed)
14:22:02: <ESPurpleJabberAccount:6603350 5>:username@im.enterprise.com accountConnectionReportDisconnect: SSL Handshake Failed
14:22:02: (Libpurple: account) Disconnecting account username@im.enterprise.com/my-computer (0x103088020)
14:22:02: (Libpurple: connection) Disconnecting connection 0x109122170
14:22:02: Disconnected: gc=9122170
14:22:02: <ESPurpleJabberAccount:6603350 5>:username@im.enterprise.com: Telling the core we disconnected
14:22:02: -[AIContactObserverManager endListObjectNotificationsDelaysImmediately]:144: 
14:22:02: <ESPurpleJabberAccount:6603350 5>:username@im.enterprise.com: Disconnected ("SSL Handshake Failed"): Automatically reconnecting in 5.000000 seconds (0 attempts performed)
14:22:02: (Libpurple: connection) Destroying connection 0x109122170

comment:3 Changed 3 years ago by spaztic

Same issue, user and server names removed to protect the innocent.

07:22:24: <ESPurpleJabberAccount:23dab80 2>:user.name@chat.server.name: Disconnected ("SSL Handshake Failed"): Automatically reconnecting in 5.000000 seconds (1 attempts performed)
07:22:24: (Libpurple: connection) Destroying connection 0x10d032b30
07:22:27: (Libpurple: util) Writing file accounts.xml to directory /Users/user.name/Library/Application Support/Adium 2.0/Users/Default/libpurple
07:22:27: (Libpurple: util) Writing file /Users/user.name/Library/Application Support/Adium 2.0/Users/Default/libpurple/accounts.xml
07:22:29: <ESPurpleJabberAccount:23dab80 2>:user.name@chat.server.name: Original image of size 512.000000 512.000000
07:22:29: <ESPurpleJabberAccount:23dab80 2>:user.name@chat.server.name: Scaled image to size {96, 96}
07:22:29: -[CBPurpleAccount setAccountUserImage:withData:]:2717: <ESPurpleJabberAccount:23dab80 2>:user.name@chat.server.name: Setting icon data of length 17092
07:22:29: <ESPurpleJabberAccount:23dab80 2>:user.name@chat.server.name: Updating status for key: User Icon
07:22:29: Adium: Connect: user.name@chat.server.name initiating connection using status state <AIStatus: 3091e30 [Available]> ((null)).
07:22:29: Setting status on d023790 (user.name@chat.server.name/user.name-MacBook-Pro-2): ID available, isActive 1, attributes {
    buzz = 1;
    priority = 0;
}
07:22:29: (Libpurple: account) Connecting to account user.name@chat.server.name/user.name-MacBook-Pro-2.
07:22:29: (Libpurple: connection) Connecting. gc = 0x1073b1610
07:22:29: Connecting: gc=0x73b1610 (Connecting) 1 / 5
07:22:29: (Libpurple: dnssrv) querying SRV record for chat.server.name: _xmpp-client._tcp.chat.server.name
07:22:29: <ESPurpleJabberAccount:23dab80 2>:user.name@chat.server.name: Updating status for key: isOnline
07:22:29: ************ user.name@chat.server.name --step-- 1
07:22:30: (Libpurple: dnssrv) res_query returned an error
07:22:30: (Libpurple: dnsquery) Performing DNS lookup for chat.server.name
07:22:30: -[AdiumPurpleDnsRequest startLookup]:194: Performing DNS resolve: chat.server.name:5222
07:22:30: DNS resolve complete for chat.server.name:5222; 1 addresses returned
07:22:30: (Libpurple: dnsquery) IP resolved for chat.server.name
07:22:30: (Libpurple: proxy) Attempting connection to 5.6.7.8
07:22:30: (Libpurple: proxy) Connecting to chat.server.name:5222 with no proxy
07:22:30: (Libpurple: proxy) Connection in progress
07:22:31: (Libpurple: proxy) Connecting to chat.server.name:5222.
07:22:31: (Libpurple: proxy) Connected to chat.server.name:5222.
07:22:31: (Libpurple: jabber) Sending (user.name@chat.server.name/user.name-MacBook-Pro-2): <?xml version='1.0' ?>
07:22:31: Connecting: gc=0x73b1610 (Initializing Stream) 2 / 5
07:22:31: (Libpurple: jabber) Sending (user.name@chat.server.name/user.name-MacBook-Pro-2): <stream:stream to='chat.server.name' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
07:22:31: ************ user.name@chat.server.name --step-- 2
07:22:31: (Libpurple: jabber) Recv (265): <stream:stream xmlns='jabber:client' xml:lang='en' xmlns:stream='http://etherx.jabber.org/streams' from='chat.server.name'   id='40AF300001929' version='1.0'><stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>
07:22:31: (Libpurple: jabber) Sending (user.name@chat.server.name/user.name-MacBook-Pro-2): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
07:22:31: Connecting: gc=0x73b1610 (Initializing SSL/TLS) 6 / 9
07:22:31: ************ user.name@chat.server.name --step-- 6
07:22:31: (Libpurple: jabber) Recv (50): <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
07:22:31: (Libpurple: cdsa) Connecting
07:22:31: (Libpurple: cdsa) Connecting
07:22:31: (Libpurple: cdsa) Connecting
07:22:31: (Libpurple: cdsa) SSLHandshake failed with error -9820
07:22:31: (Libpurple: connection) Connection error on 0x1073b1610 (reason: 5 description: SSL Handshake Failed)
07:22:31: Connection Disconnected: gc=73b1610 (SSL Handshake Failed)
07:22:31: <ESPurpleJabberAccount:23dab80 2>:user.name@chat.server.name accountConnectionReportDisconnect: SSL Handshake Failed
07:22:31: (Libpurple: account) Disconnecting account user.name@chat.server.name/user.name-MacBook-Pro-2 (0x10d023790)
07:22:31: (Libpurple: connection) Disconnecting connection 0x1073b1610
07:22:31: Disconnected: gc=73b1610
07:22:31: <ESPurpleJabberAccount:23dab80 2>:user.name@chat.server.name: Telling the core we disconnected
07:22:31: -[AIContactObserverManager endListObjectNotificationsDelaysImmediately]:144: 
07:22:31: <ESPurpleJabberAccount:23dab80 2>:user.name@chat.server.name: Disconnected ("SSL Handshake Failed"): Automatically reconnecting in 5.000000 seconds (2 attempts performed)
07:22:31: (Libpurple: connection) Destroying connection 0x1073b1610

comment:4 Changed 3 years ago by hoffman334

Confirmed. This problem started with the OSX 10.8 install. Jabber gets an SSL error in Adium, but connects without incident in the new Messages app.

comment:5 Changed 3 years ago by bbrantley

Also confirmed. OSX 10.8, same error -9820, etc.

comment:6 Changed 3 years ago by einarnn

Another confirmation on OSX 10.8. Both Messages and Cisco Jabber are able to correctly connect.

comment:7 Changed 3 years ago by Robby

  • Milestone set to Adium 1.5.4

comment:8 Changed 3 years ago by tls12

Adium uses the Secure Transport API for TLS/SSL. On Mountain Lion, Secure Transport always attempts TLS 1.2 by default unless told otherwise (e.g. by enabling only kTLSProtocol1.) Most likely the problematic server does not handle newer TLS versions gracefully by falling back to TLS 1.0, and so the connection fails.

comment:9 Changed 3 years ago by Robby

  • Cc evan added

comment:10 follow-up: Changed 3 years ago by evan

-9820 is errSSLPeerBadRecordMac according to SecureTransport.h.

I was hoping this wasn't due to the fixes made in various stacks for BEAST, but it's looking like that's the case.

I can't find anything in the 10.8 diffs to indicate anything changed here, but it obviously did.

The Cisco Jabber binary is linked to Security.framework as well, so they're doing something to get around this. The only thing I can see in this regard is disabling ciphers, but that's far from optimal. I'd like to get a dump of the handshake if possible.

Does anyone know of a public XMPP server that produces this behavior? I haven't been able to reproduce it. Alternatively, I could offer up a build that spits out all the SSL context info for you guys to give me.

comment:11 in reply to: ↑ 10 Changed 3 years ago by einarnn

I'll happily run a debug build against my server, which is a Cisco Jabber server.

Replying to evan:

-9820 is errSSLPeerBadRecordMac according to SecureTransport.h.

I was hoping this wasn't due to the fixes made in various stacks for BEAST, but it's looking like that's the case.

I can't find anything in the 10.8 diffs to indicate anything changed here, but it obviously did.

The Cisco Jabber binary is linked to Security.framework as well, so they're doing something to get around this. The only thing I can see in this regard is disabling ciphers, but that's far from optimal. I'd like to get a dump of the handshake if possible.

Does anyone know of a public XMPP server that produces this behavior? I haven't been able to reproduce it. Alternatively, I could offer up a build that spits out all the SSL context info for you guys to give me.

comment:12 follow-up: Changed 3 years ago by tls12

For a legacy server that can't downgrade from higher versions than it knows about, you probably just have to disable TLS versions higher than 1.0 and retry the connection.

Something like this should work:

SSLSetProtocolVersionEnabled(ctx, kSSLProtocolAll, false); // turn off everything first
SSLSetProtocolVersionEnabled(ctx, kSSLProtocol3, true); // explicitly enable SSLv3
SSLSetProtocolVersionEnabled(ctx, kTLSProtocol1, true); // explicitly enable TLSv1

10.8 has a new API which can do this in one step:

SSLSetProtocolVersionMax(ctx, kTLSProtocol1);

comment:13 Changed 3 years ago by fluffy

I am having this same problem and was trying to track it down.

When I do a

openssl s_client -connect isj3cmx.webexconnect.com:5222 -starttls xmpp

I get back a cert then when I look at it with

openssl x509 -in theCert.cer -noout -text

it looks like the cert has expired. This seemed to work fine on Lion (which is not good), but on Mountain Lion it just seems to cause Adium to go into a retry loop. I have not fully debugged this yet and perhaps I made a mistake, but thought that might help.

comment:14 in reply to: ↑ 12 Changed 3 years ago by evan

  • Owner set to evan
  • Status changed from new to assigned

Replying to tls12:

For a legacy server that can't downgrade from higher versions than it knows about, you probably just have to disable TLS versions higher than 1.0 and retry the connection.

Something like this should work:

SSLSetProtocolVersionEnabled(ctx, kSSLProtocolAll, false); // turn off everything first
SSLSetProtocolVersionEnabled(ctx, kSSLProtocol3, true); // explicitly enable SSLv3
SSLSetProtocolVersionEnabled(ctx, kTLSProtocol1, true); // explicitly enable TLSv1

10.8 has a new API which can do this in one step:

SSLSetProtocolVersionMax(ctx, kTLSProtocol1);

Makes sense.

I'll try this out later tonight.

Changed 3 years ago by evan

comment:15 Changed 3 years ago by wixardy

  • Patch Status set to Needs Dev Review

comment:16 follow-up: Changed 3 years ago by aka

As a note 1.5.4b1 doesn't solve this issue.

comment:17 in reply to: ↑ 16 Changed 3 years ago by paulwilde

Replying to aka:

As a note 1.5.4b1 doesn't solve this issue.

The fix has yet to be committed. Most likely will be pushed in the next beta.

comment:19 Changed 2 years ago by evan

  • Patch Status changed from Needs Dev Review to Accepted

comment:20 Changed 2 years ago by tripod

I tried with the latest 1.5.4 build with the patch applied, but I still get the same error:

12:14:18: (Libpurple: cdsa) SSLHandshake failed with error -9820

comment:21 Changed 2 years ago by David Munch

And what is "The latest 1.5.4 build"?

comment:22 Changed 2 years ago by tripod

parent: 5103:636322280fe5 tip
 Prepare 1.5.4b2
branch: adium-1.5.4
commit: (clean)
update: (current)

comment:23 Changed 2 years ago by David Munch

Please provide a debug log and attach it to the ticket.

Changed 2 years ago by tripod

debuglog of failed handshake

comment:24 Changed 2 years ago by evan

Whoops. Sorry about that. I used the wrong constant.

Build 5106 should hopefully work a little better.

comment:25 Changed 2 years ago by tripod

It still doesn't work. Now I get:

15:37:42: (Libpurple: proxy) Connected to chat.server.com:5223.
15:37:42: (Libpurple: cdsa) Connecting
15:37:42: (Libpurple: cdsa) Connecting
15:37:42: (Libpurple: cdsa) Connecting
15:37:42: (Libpurple: cdsa) Connecting
15:37:42: (Libpurple: cdsa) SSLHandshake reported bad MAC, forcing TLS 1.0/SSL 3.0
15:37:42: (Libpurple: cdsa) retrying SSLHandshake
15:37:42: (Libpurple: cdsa) Connecting
15:37:42: (Libpurple: cdsa) SSLHandshake failed with error -9844
15:37:42: (Libpurple: connection) Connection error on 0x11182f680 (reason: 5 description: SSL Handshake Failed)

Is there anything else I can help to debug? The connection works with iChat, but I don't know how to figure out what kind of TLS/SSL version they use.

comment:26 Changed 2 years ago by evan

Okay, that's a step in the right direction. I think I can do the same sort of thing that Chromium does to handle buggy TLS stacks if this is happening now with the new parameters.

I really need a server I can test against, though. I'm kind of shooting in the dark right now and hoping my guesses are correct. Does anyone know of a public one that exhibits this behavior (or one you could email me privately, even)? I don't even need an account, just something I can connect to.

comment:27 Changed 2 years ago by tripod

Unfortunately our server is internal, but I did a test with openssl (I'm not an SSL expert, but maybe this helps):

$ openssl s_client -state -connect chat.server.com:5222 -starttls xmpp
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 C = US, O = "VeriSign, Inc.", OU = VeriSign Trust Network, OU = "(c) 2006 VeriSign, Inc. - For authorized use only", CN = VeriSign Class 3 Public Primary Certification Authority - G5
verify error:num=20:unable to get local issuer certificate
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:bad record mac
SSL_connect:failed in SSLv3 read finished A
140735271006684:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1251:SSL alert number 20
140735271006684:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
...(removed)...
---
Server certificate
-----BEGIN CERTIFICATE-----
...(removed)...
-----END CERTIFICATE-----
...(removed)...
---
No client certificate CA names sent
---
SSL handshake has read 7465 bytes and written 326 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 1234...
    Session-ID-ctx: 
    Master-Key: 1234...
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1349850961
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

According to our IT, the server is "old" and uses "old" certificates. I even tried to install+trust the server cert in keychain, but that didn't help.
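
The `openssl s_client -state` transcript above pinpoints the failure: the fatal `bad record mac` alert arrives while the client is waiting for the server's Finished, the same point at which Secure Transport reports -9820. As an added example that is not part of this ticket or of Adium, the following Python parser extracts that information from such a transcript so the check can be repeated against other servers. The transcript embedded in it is constructed after the one in comment 27, with made-up certificate and session values.

```python
"""Locate where an `openssl s_client -state` handshake failed.

Added example, not part of the ticket: the transcript below is constructed
after the one in comment 27 (certificate and session values are made up),
and the parser is independent of Adium and libpurple."""
import re
import sys

SAMPLE_TRANSCRIPT = """\
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL_connect:SSLv3 read server hello A
depth=2 C = US, O = "Example CA Inc.", CN = Example Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
SSL_connect:SSLv3 read server certificate A
SSL_connect:SSLv3 read server done A
SSL_connect:SSLv3 write client key exchange A
SSL_connect:SSLv3 write change cipher spec A
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
SSL3 alert read:fatal:bad record mac
SSL_connect:failed in SSLv3 read finished A
1:error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac:s3_pkt.c:1251:SSL alert number 20
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Verify return code: 20 (unable to get local issuer certificate)
"""

# One regex per line shape that s_client -state emits.
FAILED_RE = re.compile(r"^SSL_connect:failed in (?P<state>.+)$")
STATE_RE = re.compile(r"^SSL_connect:(?P<state>.+)$")
ALERT_RE = re.compile(r"^SSL3 alert read:(?P<level>\w+):(?P<desc>.+)$")
ALERT_NUM_RE = re.compile(r"SSL alert number (?P<num>\d+)")
PROTO_RE = re.compile(r"^\s*Protocol\s*:\s*(?P<proto>\S+)")
CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(?P<cipher>\S+)")
VERIFY_RE = re.compile(r"^\s*Verify return code:\s*(?P<code>\d+)\s*\((?P<reason>[^)]*)\)")

FIELDS = ("last_state", "failed_in", "alert_level", "alert_description",
          "alert_number", "protocol", "cipher", "verify_code", "verify_reason")


def parse_s_client(transcript: str) -> dict:
    """Walk the transcript once; 'last_state' is the final handshake step
    reached before s_client reported failure (if it failed at all)."""
    r = {k: None for k in FIELDS}
    for line in transcript.splitlines():
        m = FAILED_RE.match(line)          # must be tested before STATE_RE
        if m:
            r["failed_in"] = m.group("state").strip()
            continue
        m = STATE_RE.match(line)
        if m:
            r["last_state"] = m.group("state").strip()
            continue
        m = ALERT_RE.match(line)
        if m:
            r["alert_level"] = m.group("level")
            r["alert_description"] = m.group("desc").strip()
            continue
        m = ALERT_NUM_RE.search(line)
        if m:
            r["alert_number"] = int(m.group("num"))
            continue
        m = PROTO_RE.match(line)
        if m:
            r["protocol"] = m.group("proto")
            continue
        m = CIPHER_RE.match(line)
        if m:
            r["cipher"] = m.group("cipher")
            continue
        m = VERIFY_RE.match(line)
        if m:
            r["verify_code"] = int(m.group("code"))
            r["verify_reason"] = m.group("reason")
    return r


def diagnose(parsed: dict) -> str:
    """Classify the outcome. A fatal 'bad record mac' while reading the
    server's Finished is the condition Secure Transport surfaces as
    errSSLPeerBadRecordMac (-9820) in the Adium logs on this ticket."""
    desc, failed_in = parsed["alert_description"], parsed["failed_in"]
    if desc == "bad record mac" and failed_in and "read finished" in failed_in:
        return "bad_record_mac_after_finished"
    if desc:
        return "alert:" + desc
    if failed_in:
        return "failed:" + failed_in
    return "handshake_ok" if parsed["protocol"] else "unknown"


if __name__ == "__main__":
    # Pipe real output in, e.g. `openssl s_client -state -connect host:5222
    # -starttls xmpp 2>&1 | python3 this_file.py`; with no pipe, use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRANSCRIPT
    parsed = parse_s_client(text)
    print(diagnose(parsed))
    for key in FIELDS:
        print(f"  {key:18s} {parsed[key]}")
```

Running the probe twice, once with the default protocol set and once with `-tls1`, and comparing the two diagnoses is the quickest way to tell a stack that cannot negotiate down from a certificate or network problem; the verify return code is reported separately because, as this transcript shows, it can be non-zero without being the reason the handshake died.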

comment:28 Changed 2 years ago by spaztic

chat.dco.dod.mil has the issue

comment:29 Changed 2 years ago by evan

Would it be acceptable to you guys if we just forego even trying TLS again when we get back a response that's indicative of a misbehaving server? Everything goes fine if I explicitly force the use of SSLv3 alone. I could provide an option in the account preferences to explicitly enable this fallback behavior, since it's technically a bit less secure than using TLS too.

I don't think there's a way to make Secure Transport (Apple's SSL stack) do what I need it to do (namely, to stop applying variable padding) to work around the bug based on the current documentation.

If you absolutely *have* to have TLS, there are other avenues we can pursue... but this is certainly the simplest.

Last edited 2 years ago by evan

comment:30 Changed 2 years ago by tripod

Anything that helps me connect to my corp jabber (I'm so tired of iChat :-). I wouldn't even bother to modify a config file, if you can't expose that feature in the preferences dialog.

BTW, forcing -tls1 works with my server and I can initiate a stream:

$ openssl s_client -state -connect chat.server.com:5222 -starttls xmpp -tls1
<?xml version='1.0'?>
<stream:stream
    to='chat.server.com'
    xmlns='jabber:client'
    xmlns:stream='http://etherx.jabber.org/streams'
    version='1.0'>
<stream:stream xmlns='jabber:client' xml:lang='en' xmlns:stream='http://etherx.jabber.org/streams' from='chat.server.com'   id='1F5A10000051F1' version='1.0'><stream:features/>

comment:31 Changed 2 years ago by Thijs Alkemade <thijsalkemade@…>

(In 24a33c054027) - Updated libglib to 2.32.4, to fix #16186.

  • Patched libpurple to store the PurpleAccount on PurpleSSLConnections.

Fixes #16186, Refs #16081

comment:32 Changed 2 years ago by Thijs Alkemade <thijsalkemade@…>

  • Resolution set to fixed
  • Status changed from assigned to closed

(In 5a20bccaab6f) Change the following things for Evan's previous patch:

  • Don't permanently workaround buggy servers, try normally once every run, if that fails, activate the workaround.
  • Only automatically reconnect if the handshake failed and we might need the workaround, so we don't spam buggy servers that also happen to be offline.

Fixes #16081
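
The policy described in the commit above (try normally once per run, arm the workaround only after a bad-MAC failure, and do not auto-reconnect otherwise), together with the protocol cap tls12 suggested in comment 12, can be modelled without a TLS stack. The following is an added example, not Adium's or libpurple's code: the handshake is a plain callable standing in for SSLHandshake(), the `Proto` values are ordering labels rather than the SSLProtocol constants, the four servers are constructed, and ERR_CONNECT_FAILED is a placeholder, not a Secure Transport code.

```python
"""Model of the per-run TLS fallback described in comments 12, 29 and 32.

Added example: a simulation, not Adium's or libpurple's code. The handshake
is a callable standing in for SSLHandshake(); the Secure Transport calls a
real client would make (SSLSetProtocolVersionMax, SSLSetProtocolVersionEnabled)
appear only in comments because they are unavailable off macOS."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List


class Proto(Enum):
    """Protocol ceiling offered to the stack. Values are for ordering only;
    they are not the SSLProtocol enum values from SecureTransport.h."""
    SSL3 = 30
    TLS1_0 = 31
    TLS1_2 = 33


# Error code quoted in the ticket: errSSLPeerBadRecordMac in SecureTransport.h.
ERR_SSL_PEER_BAD_RECORD_MAC = -9820
# Constructed stand-in for "TCP connect failed"; not a Secure Transport value.
ERR_CONNECT_FAILED = -1

# A handshake takes the protocol ceiling and returns 0 or an error code.
HandshakeFn = Callable[[Proto], int]


@dataclass
class RunState:
    """Lives for one Adium run only: the workaround is not written to the
    account, so the next launch starts again with the full protocol set."""
    workaround_active: bool = False
    connected: bool = False
    attempts: List[Proto] = field(default_factory=list)


def protocol_ceiling(state: RunState) -> Proto:
    # Normal path: let the stack negotiate up to TLS 1.2 (Mountain Lion default).
    # Workaround: the equivalent of SSLSetProtocolVersionMax(ctx, kTLSProtocol1).
    return Proto.TLS1_0 if state.workaround_active else Proto.TLS1_2


def attempt(handshake: HandshakeFn, state: RunState) -> bool:
    """One handshake round. Returns True if a reconnect should follow."""
    ceiling = protocol_ceiling(state)
    state.attempts.append(ceiling)
    err = handshake(ceiling)
    if err == 0:
        state.connected = True
        return False
    if err == ERR_SSL_PEER_BAD_RECORD_MAC and not state.workaround_active:
        # A bad-MAC alert right after our Finished is the signature of a
        # legacy stack choking on TLS >= 1.1 records: arm the workaround and
        # let the caller reconnect once with the lower ceiling.
        state.workaround_active = True
        return True
    # Anything else (connection refused, bad MAC even at TLS 1.0, ...) is not
    # something the fallback can cure: surface the error and do not auto-
    # reconnect, so a buggy server that is also down is not hammered.
    return False


def connect_with_fallback(handshake: HandshakeFn) -> RunState:
    """Drive the attempts for one run; at most two handshakes are made."""
    state = RunState()
    while attempt(handshake, state):
        pass
    return state


# --- constructed servers for offline testing --------------------------------
def legacy_server(ceiling: Proto) -> int:
    """Accepts TLS 1.0 or SSLv3, answers anything newer with bad_record_mac."""
    return 0 if ceiling.value <= Proto.TLS1_0.value else ERR_SSL_PEER_BAD_RECORD_MAC


def modern_server(ceiling: Proto) -> int:
    return 0


def offline_server(ceiling: Proto) -> int:
    return ERR_CONNECT_FAILED


def broken_server(ceiling: Proto) -> int:
    """Sends bad_record_mac whatever we offer; the workaround must not loop."""
    return ERR_SSL_PEER_BAD_RECORD_MAC


if __name__ == "__main__":
    for name, srv in [("legacy", legacy_server), ("modern", modern_server),
                      ("offline", offline_server), ("broken", broken_server)]:
        s = connect_with_fallback(srv)
        print(f"{name:8s} connected={s.connected} workaround={s.workaround_active} "
              f"attempts={[p.name for p in s.attempts]}")
```

Arming the cap only after an errSSLPeerBadRecordMac failure keeps servers that negotiate TLS 1.2 correctly on TLS 1.2, and holding the flag per run rather than in the account settings means the downgrade is re-tested on every launch. The trade-off evan flags in comment 29 remains: a client that lowers its protocol ceiling after a handshake failure will also do so when that failure is induced rather than genuine, which is why the floor of the fallback (TLS 1.0 here, not SSLv3) is the parameter worth being conservative about.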

comment:33 Changed 2 years ago by tripod

I can confirm that I can now connect to my corp server. Thanks a lot.
One issue though: the status in the accounts window stays "Connecting" although the account is online.

$ hg summary
parent: 5121:7118d14f1a55 tip
branch: adium-1.5.4

comment:34 Changed 2 years ago by Thijs Alkemade <thijsalkemade@…>

(In 276b23354bd1) Don't reconnect immediately when trying the buggy server workaround, as libpurple won't have updated its state for the account.

Refs #16081

comment:35 Changed 2 years ago by pwibbele

Sync'd latest and built. Fixes the problem on our corporate server too. Thanks!
