[Pidgin] #2095: XMPP disconnect causes inability to reconnect

Pidgin trac at pidgin.im
Wed Sep 5 09:39:50 EDT 2007


#2095: XMPP disconnect causes inability to reconnect
---------------------------+------------------------------------------------
  Reporter:  akrherz       |       Owner:  deryni
      Type:  defect        |      Status:  closed
  Priority:  minor         |   Milestone:        
 Component:  pidgin (gtk)  |     Version:  2.0.2 
Resolution:  invalid       |    Keywords:        
   Pending:  0             |  
---------------------------+------------------------------------------------
Comment (by deryni):

 For the record (because someone in the Ignite Realtime forums commented on
 this) the 'Using Digest Authentication as a SASL Mechanism' RFC (2831)
 specifies what the server should do if it doesn't support subsequent
 authentication, what it should do if the client gets the subsequent auth
 wrong, and even what to do if it just decides it doesn't like the
 subsequent auth that happened. None of those methods are what the Java
 SASL library is doing.

 From the RFC:

 2.2.2  Step Two

    The server receives the "digest-response". If the server does not
    support subsequent authentication, then it sends a
    "digest-challenge", and authentication proceeds as in initial
    authentication. If the server has no saved nonce and nonce-count from
    a previous authentication, then it sends a "digest-challenge", and
    authentication proceeds as in initial authentication. Otherwise, the
    server validates the "digest-response", checks that the nonce-count
    is one greater than that used in the previous authentication using
    that nonce, and saves the new value of nonce-count.

    If the response is invalid, then the server sends a
    "digest-challenge", and authentication proceeds as in initial
    authentication (and should be configurable to log an authentication
    failure in some sort of security audit log, since the failure may be
    a symptom of an attack). The nonce-count MUST NOT be incremented in
    this case: to do so would allow a denial of service attack by sending
    an out-of-order nonce-count.

    If the response is valid, the server MAY choose to deem that
    authentication has succeeded. However, if it has been too long since
    the previous authentication, or for any other reason, the server MAY
    send a new "digest-challenge" with a new value for nonce. The
    challenge MAY contain a "stale" directive with value "true", which
    says that the client may respond to the challenge using the password
    it used in the previous response; otherwise, the client must solicit
    the password anew from the user. This permits the server to make sure
    that the user has presented their password recently. (The directive
    name refers to the previous nonce being stale, not to the last use of
    the password.) Except for the handling of "stale", after sending the
    "digest-challenge" authentication proceeds as in the case of initial
    authentication.

-- 
Ticket URL: <http://developer.pidgin.im/ticket/2095#comment:11>
Pidgin <http://pidgin.im>

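The step-two decision logic the quoted RFC text describes, as an added example that is not part of the original ticket and is not Pidgin's, Openfire's or the Java SASL library's code. It implements a server's handling of a client-initiated digest-response: no saved nonce or no subsequent-auth support gives a fresh challenge, a bad response or a nonce-count that is not exactly one greater than the saved one is audited and re-challenged without touching the saved count, and a valid but too-old response gets a new challenge with stale=true. The digest arithmetic follows RFC 2831 section 2.1.2.1; the ServerState record, its field names and the audit list are names assumed here for illustration.

```python
"""Server-side "step two" of RFC 2831 subsequent authentication.

Added illustration, not Pidgin or Openfire code. ServerState, its fields and
the audit list are names invented here; the digest arithmetic follows
RFC 2831 section 2.1.2.1 (algorithm=md5-sess).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def digest_response(username, realm, password, nonce, cnonce, nc, digest_uri,
                    qop="auth", authzid=None):
    """Hex response-value from RFC 2831 section 2.1.2.1 (algorithm=md5-sess)."""
    a1 = _md5(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    if authzid:
        a1 += f":{authzid}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    if qop in ("auth-int", "auth-conf"):  # 32 zero hex digits per RFC 2831
        a2 += b":00000000000000000000000000000000"
    kd = f"{_md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_md5(a2).hex()}"
    return _md5(kd.encode()).hex()


@dataclass
class ServerState:
    """Per-user state: the RFC's saved nonce and nonce-count plus an audit trail."""
    username: str
    realm: str
    password: str                 # a real server keeps H(username:realm:password) instead
    supports_subsequent: bool = True
    max_age: float = 3600.0       # seconds before a valid subsequent auth is re-challenged as stale
    nonce: Optional[str] = None   # nonce from the last successful authentication
    nonce_count: int = 0          # nc used with that nonce
    last_auth: float = 0.0
    audit: list = field(default_factory=list)

    def new_challenge(self, stale=False):
        """digest-challenge with a fresh nonce; auth then proceeds as initial authentication."""
        ch = {"realm": self.realm, "nonce": secrets.token_hex(16), "qop": "auth",
              "charset": "utf-8", "algorithm": "md5-sess"}
        if stale:
            ch["stale"] = "true"   # client may reuse the password it just used
        return ch

    def record_success(self, nonce, nc, now):
        """Called when an initial-style authentication against `nonce` succeeded."""
        self.nonce, self.nonce_count, self.last_auth = nonce, nc, now

    def step_two(self, resp, now):
        """Handle a client-initiated digest-response (RFC 2831 section 2.2.2).

        Returns ("accept", None) or ("challenge", digest-challenge dict)."""
        if not self.supports_subsequent or self.nonce is None:
            return "challenge", self.new_challenge()
        try:
            nc = int(resp.get("nc", ""), 16)
        except ValueError:
            nc = -1
        expected = digest_response(self.username, self.realm, self.password, self.nonce,
                                   resp.get("cnonce", ""), resp.get("nc", ""),
                                   resp.get("digest-uri", ""), resp.get("qop", "auth"))
        valid = (resp.get("nonce") == self.nonce
                 and hmac.compare_digest(resp.get("response", ""), expected)
                 and nc == self.nonce_count + 1)
        if not valid:
            # Fall back to initial authentication. The saved nonce-count is NOT
            # incremented, so a bogus out-of-order nc cannot lock out the real client.
            self.audit.append(("auth-failure", self.username, now))
            return "challenge", self.new_challenge()
        self.nonce_count = nc      # the RFC: save the new nonce-count
        if now - self.last_auth > self.max_age:
            # Valid, but too long since the last authentication: new nonce, stale=true.
            return "challenge", self.new_challenge(stale=True)
        self.last_auth = now
        return "accept", None
```

The comparison of the response value uses hmac.compare_digest so that a wrong guess does not leak how many leading bytes matched, and the failure path records an audit event instead of silently re-challenging, which is the logging the RFC recommends. The digest_response function can be checked against the worked example in RFC 2831 section 4 (user chris, realm elwood.innosoft.com, password secret).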
