1 Replies Last post: Nov 19, 2007 2:17 PM by slushpupie  
Hawke Bronze 27 posts since
May 10, 2006

Nov 16, 2007 12:38 PM

security bug: openfire offers and negotiates SASL mechanisms over unencrypted connection

Even if the server property xmpp.client.tls.policy is set to required, Openfire will offer SASL mechanisms, including PLAIN.

PLAIN EXTERNAL GSSAPI

If/when the client attempts to use one of the offered mechanisms, Openfire will proceed through the full SASL negotiation, and then sends an empty stream:features tag.

It looks like there are several bugs here:

First, if TLS is required, OF should probably not be offering SASL mechanisms until STARTTLS has been negotiated.

Second, if the client still attempts to use SASL over an unencrypted connection (when TLS is required), OF should not negotiate (in particular, it should not indicate success for a SASL PLAIN authentication attempt).

Third, OF probably shouldn't be sending an empty stream:features tag. I would guess that the right thing to do would be to simply offer the starttls feature again -- or possibly close the stream.
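
As an added illustration (this is neither Openfire's code nor anything from the poster), the following Python model shows the stream-feature ordering the post is asking for: with TLS required, the server advertises only starttls until the stream is encrypted, and a plaintext auth attempt closes the stream with a stream error instead of succeeding. A `buggy=True` switch reproduces the reported behaviour side by side, and `offers_sasl_before_tls()` is the check a practitioner can run against the first stream:features a server sends. The mechanism list, the choice of `<policy-violation/>` as the stream error, and the PLAIN payload are assumptions made for the example.

```python
# Added example: minimal model of XMPP STARTTLS / SASL feature ordering.
# Not Openfire's code; the TLS handshake and credential check are stubbed out.
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_STREAM_ERR = "urn:ietf:params:xml:ns:xmpp-streams"


def q(ns, local):
    """Clark-notation tag name used by ElementTree."""
    return "{%s}%s" % (ns, local)


class ServerStream:
    """One client-to-server stream, tracking TLS and SASL state."""

    def __init__(self, tls_policy="required",
                 mechanisms=("PLAIN", "EXTERNAL", "GSSAPI"), buggy=False):
        self.tls_policy = tls_policy      # "required" | "optional" | "disabled"
        self.mechanisms = tuple(mechanisms)  # assumed list, as in the post
        self.buggy = buggy                # reproduce the reported behaviour
        self.encrypted = False
        self.authenticated = False
        self.closed = False

    def features(self):
        """Build the <stream:features/> the server should send at this point."""
        root = ET.Element(q(NS_STREAM, "features"))
        if not self.encrypted and self.tls_policy != "disabled":
            starttls = ET.SubElement(root, q(NS_TLS, "starttls"))
            if self.tls_policy == "required":
                ET.SubElement(starttls, q(NS_TLS, "required"))
        # SASL is only advertised once the TLS policy is satisfied.
        sasl_allowed = self.encrypted or self.tls_policy != "required"
        if not self.authenticated and (sasl_allowed or self.buggy):
            mechs = ET.SubElement(root, q(NS_SASL, "mechanisms"))
            for name in self.mechanisms:
                ET.SubElement(mechs, q(NS_SASL, "mechanism")).text = name
        return ET.tostring(root, encoding="unicode")

    def handle(self, stanza):
        """Process one client stanza and return the server's reply stanza."""
        el = ET.fromstring(stanza)
        if el.tag == q(NS_TLS, "starttls"):
            self.encrypted = True  # TLS handshake assumed to succeed here
            return '<proceed xmlns="%s"/>' % NS_TLS
        if el.tag == q(NS_SASL, "auth"):
            if self.tls_policy == "required" and not self.encrypted and not self.buggy:
                # Plaintext auth when TLS is required: close the stream.
                self.closed = True
                return ('<stream:error xmlns:stream="%s"><policy-violation xmlns="%s"/>'
                        '</stream:error>' % (NS_STREAM, NS_STREAM_ERR))
            if el.get("mechanism") not in self.mechanisms:
                return '<failure xmlns="%s"><invalid-mechanism/></failure>' % NS_SASL
            self.authenticated = True  # credential verification out of scope
            return '<success xmlns="%s"/>' % NS_SASL
        raise ValueError("unexpected stanza: " + el.tag)


def advertised_mechanisms(features_xml):
    """SASL mechanism names found in a <stream:features/> document."""
    root = ET.fromstring(features_xml)
    return [m.text for m in root.iter(q(NS_SASL, "mechanism"))]


def tls_required(features_xml):
    """True if the features advertise <starttls><required/></starttls>."""
    root = ET.fromstring(features_xml)
    return root.find(q(NS_TLS, "starttls") + "/" + q(NS_TLS, "required")) is not None


def offers_sasl_before_tls(features_xml):
    """Client-side check: mechanisms offered alongside a required starttls."""
    return tls_required(features_xml) and bool(advertised_mechanisms(features_xml))


def run_plaintext_auth(server):
    """Send a constructed PLAIN <auth/> over plaintext; return the reply's tag."""
    auth = ('<auth xmlns="%s" mechanism="PLAIN">AGFsaWNlAHNlY3JldA==</auth>'
            % NS_SASL)  # constructed "\0alice\0secret", base64
    return ET.fromstring(server.handle(auth)).tag


if __name__ == "__main__":
    for label, srv in (("buggy", ServerStream(buggy=True)), ("fixed", ServerStream())):
        feats = srv.features()
        print(label, "offers SASL before TLS:", offers_sasl_before_tls(feats))
        print(label, "plaintext PLAIN reply:", run_plaintext_auth(srv))
```

Running the script prints the two behaviours next to each other: the buggy stream advertises PLAIN/EXTERNAL/GSSAPI beside a required starttls and answers a plaintext PLAIN attempt with `<success/>`, while the fixed stream advertises only starttls and answers the same attempt with a stream error. The same `offers_sasl_before_tls()` check can be pointed at the first features element captured from a live server on port 5222 to confirm whether it is affected.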

slushpupie KeyContributor 711 posts since
Jan 27, 2006
Nov 19, 2007 2:17 PM in response to: Hawke
Re: security bug: openfire offers and negotiates SASL mechanisms over unencrypted connection

Opened issue JM-1192 for this.
