#854 SCRAM-SHA-1 malformed request

Reporter Grigory Fedorov
Owner Zash
Stars ★★ (2)
Tags
  • Priority-Medium
  • Type-Defect
  • Status-Invalid
  1. Grigory Fedorov on

    What steps will reproduce the problem?
    1. Connect to boese-ban.de server using SCRAM-SHA-1

    What is the expected output? What do you see instead?
    I'm not sure if the problem is on client or server side, but I do not understand what went wrong. I expected proceed TLS, but got malformed-request, see log. Here is the XMPP log: https://gist.github.com/grigoryfedorov/9bb8370794f5bf8a24410a0cc563fb9d

    What version of the product are you using? On what operating system?
    I use Smack 4.2.0 on Android 7.1.2. I tried to connect to several Prosody servers. The current one is boese-ban.de running Prosody 0.10 nightly build 358 (2017-03-07, 30309fd01d76) according to xmpp.net.

    Please provide any additional information below.
    I have successfully authorized using the same Smack 4.2.0 and SCRAM-SHA-1 on Ejabberd. I also successfully authorized to this server using other XMPP clients.

  2. Florian Schmaus on

    Cross reference to the related Smack thread: https://community.igniterealtime.org/thread/60166

  3. Zash on

    The server is offering SCRAM-SHA-1-PLUS, i.e. channel binding. The client is sending a SASL message in the form of "y,,n=username,r=nonce". The "y" means "I support channel binding but I don't think you do". Per https://tools.ietf.org/html/rfc5802#section-6

    > If the flag is set to "y" and the server supports channel binding, the server MUST fail authentication. This is because if the client sets the channel binding flag to "y", then the client must have believed that the server did not support channel binding -- if the server did in fact support channel binding, then this is an indication that there has been a downgrade attack (e.g., an attacker changed the server's mechanism list to exclude the -PLUS suffixed SCRAM mechanism name(s)).

    So, Prosody is doing the right thing here and it's either a Smack bug or you are subject to an attack.

    Changes
    • owner Zash
    • tags Status-Invalid
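The rule Zash quotes is easy to get wrong on both sides, so here is an added example (not Prosody or Smack code) that implements the server-side check from RFC 5802 section 6: parse the GS2 header of a SCRAM client-first-message, then decide from the mechanism list the server actually advertised whether the channel-binding flag is consistent. It reproduces the situation in this report: a client sends `y,,n=username,r=nonce` to a server that offers a `-PLUS` mechanism, and the server must refuse. Mechanism lists, the `tls-unique` type and the messages are constructed for the example; the reject branch is where a real server sends its SASL failure (the log in this report shows Prosody answering `malformed-request`).

```python
"""Server-side evaluation of the SCRAM GS2 channel-binding flag (RFC 5802 sec. 6).

Added example, not Prosody's or Smack's implementation. All inputs below
(mechanism lists, client messages, channel-binding types) are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass
class Gs2Header:
    cbind_flag: str            # "n", "y" or "p"
    cb_name: Optional[str]     # channel-binding type, only when flag is "p"
    authzid: Optional[str]     # optional authorization identity ("a=...")
    client_first_bare: str     # the "n=...,r=..." part that follows the header


def parse_client_first(msg: str) -> Gs2Header:
    """Split client-first-message = gs2-header client-first-message-bare.

    gs2-header = gs2-cbind-flag "," [ authzid ] ","  so the first two commas
    delimit the header; everything after them is the bare message.
    """
    parts = msg.split(",", 2)
    if len(parts) != 3:
        raise ValueError("malformed GS2 header: expected two leading commas")
    flag_field, authzid_field, bare = parts

    if flag_field in ("n", "y"):
        flag, cb_name = flag_field, None
    elif flag_field.startswith("p="):
        flag, cb_name = "p", flag_field[2:]
        if not cb_name:
            raise ValueError("malformed GS2 header: empty channel-binding type")
    else:
        raise ValueError("malformed GS2 header: unknown gs2-cbind-flag %r" % flag_field)

    authzid = None
    if authzid_field:
        if not authzid_field.startswith("a="):
            raise ValueError("malformed GS2 header: bad authzid field")
        authzid = authzid_field[2:]

    if not bare.startswith("n="):
        raise ValueError("malformed client-first-message-bare: missing username")
    return Gs2Header(flag, cb_name, authzid, bare)


def evaluate_cbind_flag(header: Gs2Header,
                        advertised_mechanisms: Iterable[str],
                        supported_cb_types: Iterable[str] = ("tls-unique",)
                        ) -> Tuple[bool, str]:
    """Apply the RFC 5802 sec. 6 rules; returns (accept, reason).

    The server "supports channel binding" exactly when it advertised at least
    one -PLUS mechanism, which is what the client's flag is judged against.
    """
    server_supports_cb = any(m.endswith("-PLUS") for m in advertised_mechanisms)

    if header.cbind_flag == "y":
        if server_supports_cb:
            # Client claims the server cannot do channel binding, but it can:
            # the mechanism list the client saw may have been tampered with.
            return False, "flag 'y' but server offers -PLUS: possible downgrade, MUST fail"
        return True, "flag 'y' and server has no channel binding: proceed without it"

    if header.cbind_flag == "n":
        # Client does not support channel binding at all; nothing to cross-check.
        return True, "flag 'n': proceed without channel binding"

    # flag == "p": client wants channel binding of a specific type
    if not server_supports_cb:
        return False, "flag 'p' but server offers no -PLUS mechanism: MUST fail"
    if header.cb_name not in set(supported_cb_types):
        return False, "unsupported channel-binding type %r" % header.cb_name
    return True, "flag 'p' with %s: proceed with channel binding" % header.cb_name


def check_report_case() -> Tuple[bool, str]:
    """The exchange from this issue: Smack sends 'y', Prosody advertises -PLUS."""
    hdr = parse_client_first("y,,n=username,r=nonce")          # constructed
    return evaluate_cbind_flag(hdr, ["SCRAM-SHA-1", "SCRAM-SHA-1-PLUS"])


if __name__ == "__main__":
    print(check_report_case())   # (False, 'flag 'y' but server offers -PLUS ...')
```

Running it prints the reject decision for the exact header in the report; changing the advertised list to `["SCRAM-SHA-1"]` makes the same `y` header acceptable, which is the only configuration in which a client should ever send `y`. A client that wants to avoid this failure has to either select the `-PLUS` mechanism and send `p=<type>` or send `n` when it does not implement channel binding.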
