[jdev] sasl plain again

Vinod Panicker vinod.p at gmail.com
Mon Apr 17 10:48:40 CDT 2006


On 4/17/06, Adrian Adrian <flashbk2003 at yahoo.com> wrote:
> Hey,
>
>  I used a packet sniffer as you suggested and sadly I was able to see all
> packets, including the ones that came after the server said "proceed".
>  I then used a commercial IM client and tried to sniff, and this one
> worked as expected.  Everything after "proceed" was encrypted.
>
>  I don't get it. I wonder if this could be a platform issue (my application
> is based on flash player 8 so that's actionscript virtual machine) or if I
> misunderstood the tls plain authentication in the first place.
>
>  Here's my full communication:
>
>  Client:
>  <?xml version="1.0"?><flash:stream to="myserver" xmlns="jabber:client"
> xmlns:flash="http://www.jabber.com/streams/flash"
> version="1.0">
>
>  Server:
>  <?xml version='1.0' encoding='UTF-8'?><flash:stream
> xmlns:flash="http://www.jabber.com/streams/flash"
> xmlns:stream="http://etherx.jabber.org/streams"
> xmlns="jabber:client" from="myserver" id="77241f23" xml:lang="en"
> version="1.0"><stream:features><starttls
> xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms
> xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>CRAM-MD5</mechanism><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism></mechanisms><auth
> xmlns="http://jabber.org/features/iq-auth"/><register
> xmlns="http://jabber.org/features/iq-register"/></stream:features>
>
>  Client
>  <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
>
>  Server
>  <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
>
>  Client
>  <?xml version="1.0"?><flash:stream to="myserver" xmlns="jabber:client"
> xmlns:flash="http://www.jabber.com/streams/flash"
> version="1.0">
>
>  Server
>   <?xml version='1.0' encoding='UTF-8'?><flash:stream
> xmlns:flash="http://www.jabber.com/streams/flash"
> xmlns:stream="http://etherx.jabber.org/streams"
> xmlns="jabber:client" from="myserver" id="77241f23" xml:lang="en"
> version="1.0"><stream:features><starttls
> xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms
> xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>CRAM-MD5</mechanism><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism></mechanisms><auth
> xmlns="http://jabber.org/features/iq-auth"/><register
> xmlns="http://jabber.org/features/iq-register"/></stream:features>

<snip/>

You can see above that on opening the new stream, the server is still
advertising <starttls/>

This means that the TLS negotiation did not take place at all.  What
you need to do at this step is to actually initiate the TLS/SSL
negotiation.  I dunno if that's possible with ActionScript.

Regards,
Vinod.
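
The check described in the reply above, as an added example that is not part of the original post or of any client discussed in the thread: a client-side guard that refuses SASL PLAIN when the features on the restarted stream still offer `<starttls/>` or the socket was never upgraded. The function names are hypothetical, and the second sample assumes the server drops `<starttls/>` from its features once TLS is in place, which is the behaviour the reply relies on.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Features the server in the thread sent on the restarted stream (mechanism list
# shortened, namespaces declared on the element so it parses on its own).
FEATURES_FROM_THREAD = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls>'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
    '<mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism>'
    '</mechanisms></stream:features>'
)
# Constructed sample: the same features once TLS is really in place (assumption).
FEATURES_AFTER_TLS = FEATURES_FROM_THREAD.replace(
    '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls>', ''
)


def parse_features(features_xml):
    """Return (starttls_offered, mechanisms) for one <stream:features/> element."""
    root = ET.fromstring(features_xml)
    if root.tag != "{%s}features" % NS_STREAM:
        raise ValueError("not a <stream:features/> element: %s" % root.tag)
    starttls = root.find("{%s}starttls" % NS_TLS) is not None
    mechs = [m.text.strip() for m in root.iter("{%s}mechanism" % NS_SASL) if m.text]
    return starttls, mechs


def check_restarted_stream(features_xml, transport_is_tls):
    """Return (plain_allowed, problems) for features received after <proceed/>.

    transport_is_tls is the caller's view of the socket, for example
    isinstance(sock, ssl.SSLSocket) in a Python client.
    """
    starttls, mechs = parse_features(features_xml)
    problems = []
    if not transport_is_tls:
        problems.append("no TLS handshake was run on the socket after <proceed/>")
    if starttls:
        problems.append("server still advertises <starttls/>, stream is not secured")
    plain_allowed = not problems and "PLAIN" in mechs
    return plain_allowed, problems


if __name__ == "__main__":
    print(check_restarted_stream(FEATURES_FROM_THREAD, False))
    print(check_restarted_stream(FEATURES_AFTER_TLS, True))
```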


