OpenSRF: XMPP Non-SASL auth is being phased out
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Evergreen | Confirmed | Medium | Unassigned | |
OpenSRF | Confirmed | Medium | Unassigned | |
Bug Description
OpenSRF uses XMPP's "non-SASL authentication" as described in XEP-0078:
https:/
This is obsolete; it uses plain text, and while it seems to be used in the wild by XMPP clients, XMPP server developers are gradually phasing it out.
Around ejabberd v17.02, ejabberd disabled non-SASL authentication by default. It must be enabled in the config file by adding a plugin to the plugins section:
mod_legacy_auth: {}
However there is a bug in some early versions of v17 which prevents legacy_auth from working at all:
https:/
I suspect the fix in that issue should resolve the problem in ejabberd v17.06 or 17.07 but I haven't been able to test yet.
Major Linux distros aren't using v17 yet as far as I can tell anyway, and hopefully they will skip over this bug.
Once people start using distros with v17, they'll need to add "mod_legacy_auth: {}" to the ejabberd.yml, presuming the distro maintainers don't add it.
However, I think this is also a longer-term technical debt issue.
Another major XMPP server, Openfire (not used by the OpenSRF community), also removed this in 2016 and relegated it to a plugin:
https:/
https:/
It seems like this authentication is being phased out (it has already been considered an "obsolete" standard for nearly 10 years).
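
For auditing which clients still depend on the XEP-0078 login described in this report, the following added example (not OpenSRF or ejabberd code) classifies client stanzas as legacy plaintext, legacy digest, or SASL. The sample stanzas, the user names, and the function names `classify_auth` and `audit` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

LEGACY_NS = "jabber:iq:auth"                   # XEP-0078 non-SASL authentication
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"   # SASL negotiation (RFC 6120)

# Constructed sample stanzas, as a client would send them after stream setup.
SAMPLES = [
    "<iq type='set' id='a1'><query xmlns='jabber:iq:auth'>"
    "<username>opensrf</username><password>example-password</password>"
    "<resource>client_1</resource></query></iq>",
    "<iq type='set' id='a2'><query xmlns='jabber:iq:auth'>"
    "<username>router</username>"
    "<digest>48fc78be9ec8f86d8ce1c39c320c97c21d62334d</digest>"
    "<resource>client_2</resource></query></iq>",
    "<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='SCRAM-SHA-1'>biws</auth>",
    "<iq type='get' id='a0'><query xmlns='jabber:iq:auth'>"
    "<username>opensrf</username></query></iq>",   # field discovery, not a login
]

def classify_auth(stanza):
    """Return how one client stanza authenticates, or 'not-auth'."""
    root = ET.fromstring(stanza)
    if root.tag == f"{{{SASL_NS}}}auth":
        return "sasl:" + root.get("mechanism", "?")
    local = root.tag.rsplit("}", 1)[-1]          # tolerate xmlns='jabber:client'
    query = root.find(f"{{{LEGACY_NS}}}query")
    if local == "iq" and root.get("type") == "set" and query is not None:
        if query.find(f"{{{LEGACY_NS}}}password") is not None:
            return "legacy-plaintext"            # password readable on the wire
        if query.find(f"{{{LEGACY_NS}}}digest") is not None:
            return "legacy-digest"               # SHA-1 of stream ID + password
        return "legacy-unknown"
    return "not-auth"

def audit(stanzas):
    """Return (username, kind) for each legacy login; the password is never echoed."""
    findings = []
    for stanza in stanzas:
        kind = classify_auth(stanza)
        if kind.startswith("legacy-"):
            user = ET.fromstring(stanza).find(f".//{{{LEGACY_NS}}}username")
            findings.append((user.text if user is not None else None, kind))
    return findings

if __name__ == "__main__":
    for user, kind in audit(SAMPLES):
        print(f"{user}: {kind}")
```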
affects: | evergreen → opensrf |
affects: | opensrf → evergreen |
Changed in opensrf: | |
assignee: | nobody → Jason Stephenson (jstephenson) |
status: | Confirmed → In Progress |
Changed in opensrf: | |
status: | In Progress → Confirmed |
assignee: | Jason Stephenson (jstephenson) → nobody |
Well, Ubuntu 18.04 is going to use a newer ejabberd that has the legacy auth disabled by default. Adding the directive here does not get us all the way around the problem though. There are a lot of areas in the design where the authentication just really does not like us using plain text. Still testing with OpenSRF master and Ubuntu 18.04 at the moment and gathering information.
But marking this bug confirmed.