#1006 prosody 0.10 does not handle s2s SASL EXTERNAL error gracefully

Reporter Stefan Haller
Owner Nobody
Stars ★★★ (3)  
  • Status-New
  • Priority-Medium
  • Type-Defect
  1. Stefan Haller on

    What steps will reproduce the problem?
    1. use self-signed certificate (or otherwise "invalid" cert, e.g. CACert, as it got removed from Debian's default CA list)
    2. establish s2s connection to server offering SASL EXTERNAL

    What is the expected output?
    Some other authentication mechanism than "EXTERNAL" succeeds.

    What do you see instead?
    Prosody is closing the connection after receiving an error from the remote side.

    What version of the product are you using? On what operating system?
    prosody-0.10, Debian stretch

    Please provide any additional information below.
    I don't know what the correct behaviour would be. According to [XEP-0178][0] the EXTERNAL authentication should fail if the certificate can not be validated. On the other hand a [discussion on a mailing list][1] indicates that EXTERNAL should only be offered by the remote server if the certificate has been validated successfully. Unfortunately, prosody can change the behaviour of the remote server and at least ejabberd offers "EXTERNAL" unconditionally and fails after validating the certificate.

    Prior to prosody-0.10 everything worked, because prosody was falling back to DNS dialback. This fallback was removed in changeset [2].

    [0]: https://xmpp.org/extensions/xep-0178.html
    [1]: https://mail.jabber.org/pipermail/standards/2007-January/013594.html
    [2]: https://hg.prosody.im/0.10/rev/89c42aff8510

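The negotiation the report describes, as an added example that is not part of the report and is not Prosody's code: the originating side parses the peer's `<stream:features>`, attempts SASL EXTERNAL when it is offered, and on a `<failure/>` either falls back to dialback (the pre-0.10 behaviour the reporter relies on) or closes the stream (the 0.10 behaviour reported). The peer class, its two advertising policies (offer EXTERNAL unconditionally, as the report says ejabberd does, versus offer it only after the certificate validated, as in the cited mailing-list thread), the `fallback_on_failure` knob and all stanzas are constructed here for illustration; none of them is a Prosody or ejabberd option.

```python
"""Added example, not Prosody's or ejabberd's code: a small model of the
outgoing s2s SASL EXTERNAL negotiation from the report. Stanzas follow the
RFC 6120 SASL namespace and the XEP-0178 s2s initial response ("="); the
peer, certificate states and fallback switch are constructed assumptions."""
import xml.etree.ElementTree as ET

NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_DIALBACK = "urn:xmpp:features:dialback"


class ConstructedPeer:
    """Receiving server (constructed). offer_external_unconditionally=True
    models the behaviour the report attributes to ejabberd: advertise
    EXTERNAL, then fail once the certificate is validated. False models the
    policy from the mailing-list thread: advertise EXTERNAL only after the
    certificate validated."""

    def __init__(self, cert_valid, offer_external_unconditionally, offers_dialback=True):
        self.cert_valid = cert_valid
        self.offer_external_unconditionally = offer_external_unconditionally
        self.offers_dialback = offers_dialback

    def features(self):
        mechs = ""
        if self.cert_valid or self.offer_external_unconditionally:
            mechs = (f'<mechanisms xmlns="{NS_SASL}">'
                     '<mechanism>EXTERNAL</mechanism></mechanisms>')
        dialback = f'<dialback xmlns="{NS_DIALBACK}"/>' if self.offers_dialback else ""
        return ('<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
                f'{mechs}{dialback}</stream:features>')

    def handle_auth(self, auth_stanza):
        auth = ET.fromstring(auth_stanza)
        if auth.tag != f"{{{NS_SASL}}}auth" or auth.get("mechanism") != "EXTERNAL":
            raise ValueError("peer only models SASL EXTERNAL")
        if self.cert_valid:
            return f'<success xmlns="{NS_SASL}"/>'
        # Certificate did not validate: RFC 6120 SASL failure.
        return f'<failure xmlns="{NS_SASL}"><not-authorized/></failure>'


def parse_features(features_xml):
    """Return (offered SASL mechanisms, whether dialback is advertised)."""
    root = ET.fromstring(features_xml)
    mechanisms = [m.text for m in root.iter(f"{{{NS_SASL}}}mechanism")]
    dialback = root.find(f".//{{{NS_DIALBACK}}}dialback") is not None
    return mechanisms, dialback


def negotiate(peer, fallback_on_failure):
    """Originating side. Returns 'external', 'dialback' or 'closed'."""
    mechanisms, dialback = parse_features(peer.features())
    if "EXTERNAL" in mechanisms:
        # XEP-0178 s2s: initial response "=" (empty authzid; identity comes from the cert).
        auth = f'<auth xmlns="{NS_SASL}" mechanism="EXTERNAL">=</auth>'
        reply = ET.fromstring(peer.handle_auth(auth))
        if reply.tag == f"{{{NS_SASL}}}success":
            return "external"
        if not fallback_on_failure:
            return "closed"  # the 0.10 behaviour the report describes
    if dialback:
        return "dialback"  # the pre-0.10 fallback
    return "closed"


if __name__ == "__main__":
    ejabberd_like = ConstructedPeer(cert_valid=False, offer_external_unconditionally=True)
    print("0.9-style fallback:", negotiate(ejabberd_like, fallback_on_failure=True))
    print("0.10-style close:  ", negotiate(ejabberd_like, fallback_on_failure=False))
```

With a peer that gates EXTERNAL on prior validation, the invalid-certificate case never reaches SASL and dialback is used either way; the reported breakage only appears when the peer advertises EXTERNAL unconditionally and the originating side treats the resulting `<failure/>` as fatal.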