[Pidgin] #17270: BOSH doesn't work, it should ignore STARTTLS

Pidgin trac at pidgin.im
Fri Nov 24 13:34:34 EST 2017


#17270: BOSH doesn't work, it should ignore STARTTLS
------------------------+--------------------
 Reporter:  niconiconi  |      Owner:  deryni
     Type:  defect      |     Status:  new
Milestone:              |  Component:  XMPP
  Version:  2.12.0      |   Keywords:  BOSH
------------------------+--------------------
 I was trying to set up BOSH on my server, but it doesn't work. I have
 debugged for three hours, and it seems to be a bug in Pidgin.

 To reproduce the bug, you need an XMPP server with a mandatory STARTTLS
 policy and an HTTPS BOSH proxy. After filling in the settings in Pidgin,
 Pidgin fails to connect to the server when BOSH is used, with logs similar
 to the following.

 {{{
 certificate: Successfully verified certificate for example.com

 jabber: SendBOSH Boot (ssl):

 <body content='text/xml; charset=utf-8' secure='true' to='example.com'
 xml:lang='en' xmpp:version='1.0' ver='1.6' xmlns:xmpp='urn:xmpp:xbosh'
 rid='xxx'
 wait='60' hold='1' xmlns='http://jabber.org/protocol/httpbind'/>

 jabber: RecvBOSH (ssl):

 <body xmlns:stream='http://etherx.jabber.org/streams' xmpp:version='1.0'
 xmlns:xmpp='urn:xmpp:xbosh' ver='1.6' inactivity='300' requests='2'
 polling='5' secure='true'
 hold='1' from='example.com' authid='xxx' wait='60' sid='xxx'
 xmlns='http://jabber.org/protocol/httpbind'>
   <stream:features xmlns='jabber:client'>
     <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
       <required/>
     </starttls>
     <register xmlns='http://jabber.org/features/iq-register'/>
     <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
       <mechanism>SCRAM-SHA-1</mechanism>
       <mechanism>PLAIN</mechanism>
     </mechanisms>
   </stream:features>
 </body>


 jabber: BOSH connection manager version 1.6
 jabber: Sending (ssl) (example at example.com):

 <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>

 jabber: BOSH: Sending an empty request

 (STUCK HERE UNTIL TIMEOUT)
 }}}

 It seems that Pidgin wants to establish a TLS connection with a STARTTLS
 request, but it doesn't make any sense, since the XMPP stream is proxied
 by the BOSH connection, which is already encrypted by HTTPS. It is
 impossible to STARTTLS with BOSH.

 According to XEP-0206: The client SHOULD ignore any Transport Layer
 Security (TLS) feature since BOSH channel encryption SHOULD be negotiated
 at the HTTP layer.

 Failing to do so causes Pidgin to fail to create any connection over BOSH
 to any XMPP server with STARTTLS enabled.

--
Ticket URL: <https://developer.pidgin.im/ticket/17270>
Pidgin <https://pidgin.im>
Pidgin
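As an added example (not code from the ticket or from Pidgin), the following Python routine parses a BOSH session-creation response like the RecvBOSH body logged above and applies the XEP-0206 rule: when the stream is carried over BOSH, the `<starttls/>` feature is ignored and the client goes straight to SASL, but only if the BOSH endpoint itself is HTTPS, since that is where the channel encryption has to come from; over a direct TCP stream the same feature triggers the usual STARTTLS upgrade. The sample body is constructed from the log (placeholder ids kept); the function names, the `https` flag and the mechanism preference order are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS_BOSH = "http://jabber.org/protocol/httpbind"
NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Client-side preference, strongest first (assumption for this example).
MECHANISM_PREFERENCE = ("SCRAM-SHA-1", "PLAIN")

# Constructed sample, modelled on the RecvBOSH body in the ticket.
SAMPLE_BODY = """<body xmlns:stream='http://etherx.jabber.org/streams' xmpp:version='1.0'
  xmlns:xmpp='urn:xmpp:xbosh' ver='1.6' inactivity='300' requests='2'
  polling='5' secure='true' hold='1' from='example.com' authid='xxx' wait='60'
  sid='xxx' xmlns='http://jabber.org/protocol/httpbind'>
  <stream:features xmlns='jabber:client'>
    <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
      <required/>
    </starttls>
    <register xmlns='http://jabber.org/features/iq-register'/>
    <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
      <mechanism>SCRAM-SHA-1</mechanism>
      <mechanism>PLAIN</mechanism>
    </mechanisms>
  </stream:features>
</body>"""


def parse_bosh_features(body_xml):
    """Extract the stream features carried in a BOSH <body/> session response."""
    root = ET.fromstring(body_xml)
    if root.tag != "{%s}body" % NS_BOSH:
        raise ValueError("not a BOSH <body/> element")
    features = root.find("{%s}features" % NS_STREAM)
    starttls = None
    mechanisms = []
    if features is not None:
        starttls = features.find("{%s}starttls" % NS_TLS)
        for m in features.iterfind("{%s}mechanisms/{%s}mechanism" % (NS_SASL, NS_SASL)):
            mechanisms.append((m.text or "").strip())
    return {
        "sid": root.get("sid"),
        "secure": root.get("secure") == "true",
        "starttls_offered": starttls is not None,
        "starttls_required": starttls is not None
        and starttls.find("{%s}required" % NS_TLS) is not None,
        "mechanisms": mechanisms,
    }


def next_step(features, transport, https):
    """Decide what the client does after reading the stream features.

    transport: "bosh" or "tcp".  https: whether the BOSH endpoint is HTTPS
    (ignored for tcp).  Returns ("starttls", None), ("sasl", mechanism) or
    ("abort", reason).
    """
    if transport == "bosh":
        # XEP-0206: ignore the TLS feature entirely; encryption is negotiated
        # at the HTTP layer, so a plain-HTTP endpoint means no protection.
        if not https:
            return ("abort", "BOSH endpoint is plain HTTP; refusing to authenticate in the clear")
    else:
        # Direct TCP stream: upgrade whenever STARTTLS is offered, not only
        # when the server marks it <required/>; refuse to go on without it.
        if features["starttls_offered"]:
            return ("starttls", None)
        return ("abort", "server does not offer STARTTLS on a direct stream")
    for mech in MECHANISM_PREFERENCE:
        if mech in features["mechanisms"]:
            return ("sasl", mech)
    return ("abort", "no acceptable SASL mechanism offered")


if __name__ == "__main__":
    feats = parse_bosh_features(SAMPLE_BODY)
    print(feats)
    print("bosh over https :", next_step(feats, "bosh", True))
    print("bosh over http  :", next_step(feats, "bosh", False))
    print("direct tcp      :", next_step(feats, "tcp", False))
```

With the logged body, the BOSH-over-HTTPS path returns a SASL step with SCRAM-SHA-1 instead of sending `<starttls/>` into the HTTP binding, which is the exchange the ticket reports getting stuck on; the same body over a direct stream still yields the STARTTLS step.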