Converse.js - Prosody bosh not offering supported authentication mechanism - converse.js

Converse.js successfully makes requests to Prosody bosh but the chat client never actually connects. In the console I can see it hitting the bosh endpoint and after each request it outputs to the console:
"Server did not yet offer a supported authentication mechanism. Sending a blank poll request."
I can hit the bosh endpoint from my browser as well, the proxy pass appears to be working as intended and bosh is running and responding to requests.
Any insight is much appreciated.

I came across this issue as well while using the fullpage demo. The problem was because Prosody was forcing encrypted authentication only for client side.
I recommend going into the config file /etc/prosody/prosody.cfg.lua
Look for the code
-- Force clients to use encrypted connections? This option will
-- prevent clients from authenticating unless they are using encryption.
c2s_require_encryption = true
By default for me this was set to true, change this to false
c2s_require_encryption = false
save it and reboot Prosody
systemctl restart prosody
you could also do
prosodyctl restart

The error message is quite clear. Prosody is not offering a SASL authentication mechanism supported by Converse.
By default Converse supports SCRAM-SHA1, DIGEST-MD5 and PLAIN.
Your XMPP server needs to support one of these.

Related

Consequences of enabling TLS

Running an Exchange 2003 setup and have been asked by one of our clients to enable TLS. I understand the concept and reasoning for this. However, my question is what consequences making this change to our server will have on all other clients that don't have TLS enabled on client side? Or is this a non issue? Basically will the mail still flow in cases where TLS isn't activated?
Any insight would be appreciated.
TLS will only be enabled on the connection if both sides support it. Otherwise, in most cases, the message will be delivered in plain text, without encryption. However, there are some MTA's that are configured to abort the connection if the other side does not support TLS, or if the certificate check fails.

IRC and SASL Authentication

I'm building an IRC client and am currently attempting to add SASL support. I have got it working just fine (authentication works), however, there's an annoying "glitch":
As I've understood, the SASL request must be done BEFORE registration, like so:
if (sasl) {
send("CAP REQ :sasl");
}
send("NICK: " + nick);
send("USER ....");
Now the annoying little thing is that the SASL request causes the IRC server to send back an ERR_NOTREGISTERED (451) reply. Now I could of course just ignore the very first 451 reply if SASL is enabled, but that seems a bit nasty. Am I missing something here?
Well, SASL on IRC is based on the Client CAPability Negotiation.
According to this specification you send a CAP LS at the beginning, after this you send the USER and NICK. If you recive a CAP response before the end of the motd/motd missing, the server supports CAP. Check if SASL is on the list of supported extensions, and request it.
If you get the end of motd/motd missing first, the server does not support CAP, and therefore does not support SASL.

Need to run a cron job as encrypted

I need to setup a cron job to run a SOAP client. The customer insists that I connect to their web service (on an https address) from an https address. They insist that if I don't their response to me can't be encrypted.
My first question is, is that true? I thought that as long as I'm connecting to their SOAP service over https, the response back would automatically be encrypted.
If that's true, how can I run a cron job to be as https? My site is on a LAMP setup with cPanel access.
Thank you in advance for your help!
Your customers statement seems to be a little bit unclear in what he/she specifically means by "... connecting from an https adress" as there isn't any notion of the term "https adress" in the specs and https URLS only seem to make sense in the context of Request-URI s given in a https request.
Given this unclarity I'm only wild guessing. Nevertheless to me it seems your clients requirements might most probably not be connected to the http protocol but rather to establishing your TLS connection.
If your client is very sensitive in respect to the security of his system - which in fact if he intends to offer RPC requests might be a very good idea - he might not want to the whole world to be able to connect an encrypted connection to his machines and rely on any secondary authentication mechanism once the connection has been established.
As most users of the public internet don't have any certificates signed by a trusted authority this feature it isn't used out in the open wild but besides server authentication the TLS handshake protocol also provides a means of client authentication via client certificates (the relevant part being section 7 in RFC 5246 here. see: https://www.rfc-editor.org/rfc/rfc5246#section-7)
While in the absence of widely used client certificates web services usually rely on establishing an encryted connection to first to authenticate users by some kind of challange response test like querying for username and password your client might want to either additionally secure access to his machines by additionally requiring a valid client certificate or even - probably not the best idea - replace a second authorization like the one already mentioned above.
Nevertheless all this are nothing but some ideas that I came along with given the riddle in your question.
Most probably the best idea might be to just ask your client what he/she meant when saying "... connecting from an https adress"

XMPP over BOSH - jappix.com replies always with empty body

I am implementing XMPP service in the browser using BOSH. I use JAXL library. I am able to manage the connection over BOSH to my localhost server (ejabberd). The session is started and the user is authenticated with no problem. However, when I just change the BOSH host to jappix.com, the very first response from the server is only empty body. Even if I repeat the request (according to XEP-206) I still get only empty body so I'm unable to perform any other actions.
So that's my question: Is it possible to use jappix.com to handle my BOSH requests? Are there any limitations? How can I fix this issue? I'll provide more information if needed.
I am the Jappix.com owner!
Your question does not concern our service directly but more likely a node-xmpp-bosh - the BOSH server we are running - bug (?) that you can report on http://code.google.com/p/node-xmpp-bosh/

stunnel on window for IBM MQ connection

Does anyone have an experience or just thoughts about securing MQ TCP
communication channels using stunnel?
I am integration with third party S.W which has MQ support built in but it can not support SSL. So to have some kind of security over the TCP we would like to use stunnel. Does any one have any thoughts how to implement and any best practices
I haven't used stunnel so I'll leave that part of the answer to another responder. With regard to WMQ, keep in mind that this will provide you with data privacy and data integrity over the stunnel link but will not give you channel-level services such as WMQ authentication. True, you will have some level of authentication on the stunnel connection itself, but anyone with a TCP route to the QMgr that does not arrive via stunnel will also be able to start that channel.
Your requirement for security obviously includes data privacy. If it also includes authentication and authorization, you might need to use something like BlockIP2 (from http://mrmq.dk )to filter incoming connections on that channel by IP address to insure they arrive over the stunnel link. Of course, there is nothing to prevent someone at the remote end from specifying any channel name to connect to so if you secure one channel, you need to secure them all - i.e. make sure that SYSTEM.DEF.* and SYSTEM.AUTO.* channels are disabled or that they use SSL and/or an exit to authenticate the inbound connection.
Finally, be aware that if WMQ is configured to accept the ID presented by the client then the connection has full administrative access and that includes remote code execution. To prevent this you must configure all inbound channels (RCVR, RQSTR, CLUSRCVR and SVRCONN) that are not administrative with a low-privileged ID in the channel's MCAUSER. For any channels that are intended for administrators, authenticate these with SSL. (Hopefully your 3rd party SW is an application and not an administrative tool! Any WMQ admin tool must support SSL or else don't use it!)
So by all means use stunnel to secure this link, just be sure to secure the rest of the QMgr or else anyone who can legitimately connect (or even anonymous remote users if you leave MCAUSER blank and aren't using SSL and/or exits) will just bypass the security or disable it.
There's a copy of the IMPACT presentation Hardening WMQ Security at https://t-rob.net/links/ which explains all this in more detail.
Rob - I agree with you. For that only we have MQIPT. Which is much better. For STunnel for MQ i have sloved the problem.
Keys -U need a .pem key (From Key manager you can create .p12 and use open ssl to covert to .PEM).
Client Side: Download and install stunnel have followoling entries in the config file
cert = XXX.pem
client = yes
[MQ]
accept = 1415
connect = DestinationIP:1415
Server Side:
cert = xxx.pem
client = no
[MQ]
accept = 1415
connect = MQIP:1415
Once you do this all you have do is just call the amquputc with the Queue name.