Estou tentando conectar-me ao nosso servidor XMPP interno usando o piding no Arch Linux, mas sempre recebo SSL Handshake Failed
error no Pidgin.
Estas são as linhas de erro que recebo ao executar pidgin -d
:
(10:52:25) jabber: Sending (user@host): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(10:52:25) jabber: Recv (50): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
(10:52:25) nss: Handshake failed (-12173)
(10:52:25) connection: Connection error on 0x16385f0 (reason: 5 description: SSL Handshake Failed)
(10:52:25) account: Disconnecting account user@host/ (0x1820c60)
Eu procurei por esse erro nss e encontrei aqui que esse erro significa que o servidor está usando algum tipo de troca de chave insegura (suponho).
De qualquer forma, eu tentei ssltap -s -p 5222 host:5222
e apontei o Pidgin para localhost:5222
para obter o log de handshake, e é isso:
Connected to HOST:5222
--> [
<?xml version='1.0' ?><stream:stream to='HOST' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>]
<-- [
<?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="HOST" id="7d2b1460" xml:lang="en" version="1.0">]
<-- [
<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism></mechanisms></stream:features>]
--> [
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>]
<-- [
<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>]
--> [
(151 bytes of 146)
SSLRecord { [Wed Feb 24 10:44:10 2016]
type = 22 (handshake)
version = { 3,1 }
length = 146 (0x92)
handshake {
type = 1 (client_hello)
length = 142 (0x00008e)
ClientHelloV3 {
client_version = {3, 3}
random = {...}
session ID = {
length = 0
contents = {...}
}
cipher_suites[17] = {
(0xc02b) TLS/ECDHE-ECDSA/AES128-GCM/SHA256
(0xc02f) TLS/ECDHE-RSA/AES128-GCM/SHA256
(0xc00a) TLS/ECDHE-ECDSA/AES256-CBC/SHA
(0xc009) TLS/ECDHE-ECDSA/AES128-CBC/SHA
(0xc013) TLS/ECDHE-RSA/AES128-CBC/SHA
(0xc027) TLS/ECDHE-RSA/AES128-CBC/SHA256
(0xc014) TLS/ECDHE-RSA/AES256-CBC/SHA
(0xc007) TLS/ECDHE-ECDSA/RC4-128/SHA
(0xc011) TLS/ECDHE-RSA/RC4-128/SHA
(0x009e) TLS/DHE-RSA/AES128-GCM/SHA256
(0x0033) TLS/DHE-RSA/AES128-CBC/SHA
(0x0032) TLS/DHE-DSS/AES128-CBC/SHA
(0x0067) TLS/DHE-RSA/AES128-CBC/SHA256
(0x0039) TLS/DHE-RSA/AES256-CBC/SHA
(0x006b) TLS/DHE-RSA/AES256-CBC/SHA256
(0x002f) TLS/RSA/AES128-CBC/SHA
(0x0035) TLS/RSA/AES256-CBC/SHA
}
compression[1] = {
(00) NULL
}
extensions[67] = {
extension type server_name, length [14] = {
0: 00 0c 00 00 09 6c 6f 63 61 6c 68 6f 73 74 | .....localhost
}
extension type renegotiation_info, length [1] = {
0: 00 | .
}
extension type elliptic_curves, length [8] = {
0: 00 06 00 17 00 18 00 19 | ........
}
extension type ec_point_formats, length [2] = {
0: 01 00 | ..
}
extension type signature_algorithms, length [22] = {
0: 00 14 04 01 05 01 06 01 02 01 04 03 05 03 06 03 | ................
10: 02 03 04 02 02 02 | ......
}
}
}
}
}
]
<-- [
(2778 bytes of 2773)
SSLRecord { [Wed Feb 24 10:44:10 2016]
type = 22 (handshake)
version = { 3,1 }
length = 2773 (0xad5)
handshake {
type = 2 (server_hello)
length = 70 (0x000046)
ServerHello {
server_version = {3, 1}
random = {...}
session ID = {
length = 32
contents = {...}
}
cipher_suite = (0x0033) TLS/DHE-RSA/AES128-CBC/SHA
compression method = (00) NULL
}
type = 11 (certificate)
length = 2135 (0x000857)
CertificateChain {
chainlength = 2132 (0x0854)
Certificate {
size = 925 (0x039d)
data = { saved in file 'cert.001' }
}
Certificate {
size = 1201 (0x04b1)
data = { saved in file 'cert.002' }
}
}
type = 12 (server_key_exchange)
length = 552 (0x000228)
type = 14 (server_hello_done)
length = 0 (0x000000)
}
}
]
--> [
(7 bytes of 2)
SSLRecord { [Wed Feb 24 10:44:10 2016]
type = 21 (alert)
version = { 3,1 }
length = 2 (0x2)
fatal: illegal_parameter
}
]
Read EOF on Client socket. [Wed Feb 24 10:44:10 2016]
Read EOF on Server socket. [Wed Feb 24 10:44:10 2016]
Parece que o servidor e o cliente concordaram com TLS/DHE-RSA/AES128-CBC/SHA
, mas o cliente falhou. É isso? Eu adicionei cert.001
e cert.002
aos Certificados no Pidgin, mas isso não ajuda.
Como é um servidor interno, não preciso da segurança e não me importo com isso. Eu modifiquei a configuração da conta no Pidgin para Use encryption if available
e também Allow plaintext auth over unencrypted streams
, mas isso não funciona.
Qualquer ajuda sobre como fazer o Pidgin (ou NSS) aceitar meu servidor é muito apreciada.
Saída de pidgin --version
Pidgin 2.10.12 (libpurple 2.10.12)
Saída de pacman -Qi nss
Name : nss
Version : 3.22-1
Description : Mozilla Network Security Services
Architecture : x86_64
URL : http://www.mozilla.org/projects/security/pki/nss/
Licenses : MPL GPL
Groups : None
Provides : None
Depends On : nspr>=4.10.10 sqlite zlib sh p11-kit
Optional Deps : None
Required By : atom-editor firefox jre8-openjdk-headless libnm-glib libpurple qca-qt4 qca-qt5
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 5.80 MiB
Packager : Jan Alexander Steffens (heftig) <[email protected]>
Build Date : Fri Feb 5 15:09:40 2016
Install Date : Mon Feb 22 17:13:39 2016
Install Reason : Installed as a dependency for another package
Install Script : Yes
Validated By : Signature
EDITAR :
Esqueci de mencionar que não tenho acesso ao servidor, por isso não posso alterar nada lá.
Tags pidgin nss arch-linux