Error when connecting to server SSL certificate. #54

Open
opened 9 months ago by vjalmr · 19 comments

Basic information

  • TDE version: R14.1.0
  • Distribution: openSUSE Tumbleweed
  • Hardware: amd64

Description

Does not connect to an openfire xmpp server with the jabber protocol, when it is set up to use SSL.

When no SSL is used, it connects fine.

The error message which appears is:

"There was an error authenticating with the server: Login failed with unknown reason."

The server is currently supporting TLS v1.3 and v1.2, with STARTTLS encryption required.

Steps to reproduce

  1. Create a new account with Jabber protocol.
  2. Uncheck "Allow plain-text password authentication".
  3. Go online.
  4. Error occurs.
Owner

Hi @vjalmr,
what applications are you using?
If you use Kopete, the option to use SSL should be left off, as per description text. If you do, it works fine. If you enable that checkbox, you get exactly the error you described.

Poster

The SSL option is left off. I have uploaded some images of my settings.

If I connect with another client, it works just fine.

If I disable encryption on the server, it works fine in Kopete - but that kind of defeats the purpose.

Owner

The old protocol and old servers required a connection on a separate port to use SSL. The new protocol uses one port and the client uses StartTLS after connecting to turn on encryption. It is currently likely that all servers require the client to use StartTLS, so always force encryption.

The SSL switch is for the case of using the old protocol, and it is therefore not desirable to turn it on. Therefore, there is a description at the switch with an explanation of why not to turn this switch on.

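Added example, not part of the issue thread and not TDE or Kopete code: a sketch of the decision a client makes on the single-port (StartTLS) protocol described above, based on the `<stream:features/>` element the server sends after the stream header. The sample stanzas are constructed, the function names are hypothetical, and the "only feature offered" rule goes slightly beyond the comment by following RFC 6120 section 5.3.1.

```python
import xml.etree.ElementTree as ET

STREAM = "{http://etherx.jabber.org/streams}"
TLS = "{urn:ietf:params:xml:ns:xmpp-tls}"
SASL = "{urn:ietf:params:xml:ns:xmpp-sasl}"

def wrap(inner):
    """Build a standalone <stream:features/> element from constructed children."""
    return ("<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
            f"{inner}</stream:features>")

# Constructed samples of what a server may advertise before TLS is active.
STARTTLS_REQ = "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>"
STARTTLS_OPT = "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
MECHS = ("<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
         "<mechanism>SCRAM-SHA-1</mechanism><mechanism>PLAIN</mechanism></mechanisms>")

def starttls_state(features_xml):
    """Classify the STARTTLS offer as 'absent', 'optional' or 'required'."""
    root = ET.fromstring(features_xml)
    if root.tag != STREAM + "features":
        raise ValueError("expected <stream:features/>")
    offer = root.find(TLS + "starttls")
    if offer is None:
        return "absent"
    # <required/>, or STARTTLS as the only advertised feature, makes TLS mandatory.
    if offer.find(TLS + "required") is not None or len(root) == 1:
        return "required"
    return "optional"

def sasl_mechanisms(features_xml):
    """List the SASL mechanisms advertised in the features element."""
    return [m.text for m in ET.fromstring(features_xml).iter(SASL + "mechanism")]

def next_step(features_xml, tls_active):
    """Next action for a client whose policy is to require encryption."""
    if tls_active:
        return "authenticate"   # stream restarted over TLS: SASL may proceed
    if starttls_state(features_xml) == "absent":
        return "abort"          # never send credentials on a cleartext stream
    return "starttls"           # upgrade first, whether optional or required
```

A client that skips the `starttls` step against a server advertising `<required/>` cannot reach authentication at all.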
Owner

@SlavekB: maybe it is time we change the description and add something like "(old protocol only)" in the checkbox text. What do you think?

Owner

Yes, it seems appropriate to change it so that it is not confusing. Perhaps the switch could be called: _Use old protocol and SSL encryption_

Owner

How about `Use old style SSL encryption protocol`?

Poster

> How about `Use old style SSL encryption protocol`?

I cannot use old style SSL encryption as it is disabled on the server.

The server uses standard port 5222 with STARTTLS with required encryption. It uses a certified SSL certificate for this, and supports TLS v1.3 and 1.2.

If I was to turn on the "Use old style SSL encryption protocol", I get the error: "SSL support could not be initialized for account xxx@xxx.com. This is most likely because the TQCA TLS plugin is not installed on your system."

But this should be irrelevant, as this service is disabled on the server.

Collaborator

> > How about `Use old style SSL encryption protocol`?
>
> I cannot use old style SSL encryption as it is disabled on the server.

I read this story and I think you misunderstood it. They are talking about changing the switch label.

Essentially it was said to leave this switch off

Owner

PR #55 changed the text and tooltip on that checkbox. IMO this issue can now be closed.
@SlavekB @vjalmr do you agree with that?

MicheleC added this to the R14.1.1 release milestone 9 months ago
Poster

> PR #55 changed the text and tooltip on that checkbox. IMO this issue can now be closed.
> @SlavekB @vjalmr do you agree with that?

I do not agree. Changing the tooltip does not change the fact that connecting to a STARTTLS server on port 5222 with required encryption gives the error.

The SSL checkbox was never checked.

The only reason why I am mentioning SSL, is that the server has a certified SSL certificate.

Owner

> connecting to a STARTTLS server on port 5222 with required encryption gives the error.

Ah, I had not understood clearly where the problem was. Is there a specific server we can use for testing?

Poster

> > connecting to a STARTTLS server on port 5222 with required encryption gives the error.
>
> Ah, I had not understood clearly where the problem was. Is there a specific server we can use for testing?

I have created a user:

tde-guest@romphousing.com
pass: guest

Let me know if there is anything I can do to assist.

Owner

I tried to connect with the above user/server using Kopete and trying various setups, but all failed (although I get asked about the server certificate, so some communication gets established).
I then decided to try connecting using gajim, but again I can't connect either (see screenshot).
Am I missing something/doing something not right?

Poster

> I tried to connect with the above user/server using Kopete and trying various setups, but all failed (although I get asked about the server certificate, so some communication gets established).
> I then decided to try connecting using gajim, but again I can't connect either (see screenshot).
> Am I missing something/doing something not right?

This is strange. I can connect with gajim, pidgin, and several iOS apps.

I just connected with the test account with pidgin, no issues.

Owner

Tried pidgin too, I get "tde-guest@romphousing.com/ disconnected" and "Server closed the connection". Maybe you can share your settings in case I am using some different config?

Poster

In Pidgin:

Basic

Protocol: XMPP
Username: tde-test
Domain: romphousing.com
Resource:
Password: guest

Advanced

Connection security: Require Encryption
Allow plaintext auth over unencrypted streams: unchecked
Connect port: 5222
Connect server:
File transfer proxies:
BOSH URL:

Proxy

Proxy type: User global proxy settings

Owner

ah! tde-test, not tde-guest (as per first post). Let me retest!

Owner

with tde-test, gajim and pidgin work fine. kopete does not, so definitely something to look at. The comment under the "override default server configuration" gives a strong indication of why the connection does not work in kopete.

MicheleC removed this from the R14.1.1 release milestone 9 months ago
Owner

Temporarily removing from R14.1.1 milestone, this may take a while to fix. But added to one of my todo lists.

Reference: TDE/tdenetwork#54