doubt reg. TLS and GSSAPI
rahul at synovel.com
Fri Apr 18 10:56:47 EDT 2008
Thanks for the reply.
I am aware of what you have already mentioned. Like I already said, I
have visited that thread, wherein it is clearly mentioned that for
pidgin version >= 2.4.0 if the Connect Server is specified (and yes I
have given hostname and not IP address), then that would be considered
instead of domain for GSSAPI authentication. But I wonder why in my case
it is checking against domain. I think I'll get back to this and test
again later as there are a few other pending tasks currently.
Thanks for the support once again. And yeah, Pidgin rocks!!! :)
Etan Reisner wrote:
> On Sat, Apr 12, 2008 at 03:45:47PM +0530, Rahul Amaram wrote:
>> Hi Etan,
>> Thanks for the reply. I am not sure why you have felt that I have not
>> tried pidgin (I feel it must have been evident from my mail that I tried
>> pidgin). To be frank, I have been trying for about 4 days now to set up
>> pidgin + jabberd2 with GSSAPI authentication and TLS and have not
>> succeeded yet :).
> Then I apologize for my mistake. Generally, at least in my experience,
> when one comments on having "doubts" that indicates a lack of real
> knowledge (and thus indicates no personal testing).
>> Anyway, here is what I observed. As already mentioned, my set up is
>> something similar as below:
>> Domain name: company.com
>> Connect Server: jabber.example.com (192.168.36.100)
>> Connect Port: 5222
> You actually have 'jabber.example.com' in the Connect Server box and not
> the IP address, right? They should both work; they are just handled
> differently internally by pidgin later on.
>> Initially company.com is not resolvable.
>> # ping company.com
>> ping: unknown host company.com
>> Now when I connect using non-GSSAPI authentication, it works. But when
>> I try using GSSAPI I get the error
>> GSSAPI Error: An invalid name was supplied (Unknown code krb5 216)
>> Next I modified /etc/hosts and gave the below mapping to "company.com".
>> 192.168.36.1 company.com
>> Now I observed that when I run pidgin, it was trying to fetch ticket for
>> the principal xmpp/company.com (knew this by observing the kdc logs).
> This is why I asked about what exactly is in the Connect Server box above,
> pidgin 2.4.1 *should* be using the Connect Server if the Connect Server is
> a hostname and not an IP address.
>> Now finally I modified the entry in /etc/hosts as below.
>> 192.168.36.100 jabber.example.com company.com
>> And now when I ran pidgin, it properly got the ticket for
>> Also when I ran ping company.com it gave me the below response (as
>> expected because of the above entry in /etc/hosts).
>> # ping company.com
>> PING jabber.example.com (192.168.36.100) 56(84) bytes of data.
>> 64 bytes from jabber.example.com (192.168.36.100): icmp_seq=1
>> ttl=64 time=4.43 ms
>> All this has made me conclude that pidgin is working by resolving the
>> domain name "company.com" first and then doing a reverse look-up. But
>> this is quite contrary to the behaviour mentioned in
> pidgin does resolve the Domain, but it shouldn't be doing that when a
> Connect Server is specified.
>> Therefore I am wondering if the above thread holds good for only
>> hostnames got through DNS SRV entries and not for the hostname used in
>> "Connect Server" field.
>> Apart from this, I would also like to know if there is any way I can
>> study the certificates which pidgin receives when establishing
>> connection to the jabber server. I have been studying the messages in
>> the Debug window but couldn't find any useful information there. I have
>> also seen that no certificates are saved in
>> ~/.purple/certificates/x509/tls_peers/ (I think older versions of pidgin
>> used to save the certificates here).
> Depending on what you want to see about the certificates and assuming your
> server has the old-ssl port (5223) open you can use "openssl s_client
> -host jabber.example.com -port 5223" to force an ssl connection at which
> point openssl will dump the cert data out at you.
>> I am running pidgin on debian etch. The version is 2.4.1 compiled from
>> the source. The source compilation command being:
>> # ./configure --prefix=/opt/pidgin --enable-cyrus-sasl
>> And I am using openfire as GSSAPI support seems to be bad in jabberd2.
>> And lastly, are there any other xmpp clients apart from pidgin you are
>> aware of which are known to have implemented GSSAPI properly?
> No, sorry.
>> Any help would be appreciated!
>> Thanks and Regards,
> Sorry it took so long to reply.
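As an added illustration (not code from the thread or from Pidgin itself), the following Python models the principal selection Rahul infers above: the three /etc/hosts states are constructed from the messages, the lookups mirror gethostbyname()/gethostbyaddr() canonicalisation, and the `observed` switch is an assumption contrasting the thread's observation with the documented 2.4.x rule that a hostname in Connect Server is used verbatim.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed /etc/hosts contents for the three states the thread walks through.
HOSTS_UNRESOLVABLE = "127.0.0.1 localhost\n"
HOSTS_COMPANY_ONLY = "127.0.0.1 localhost\n192.168.36.1 company.com\n"
HOSTS_ALIASED = "127.0.0.1 localhost\n192.168.36.100 jabber.example.com company.com\n"

Row = Tuple[str, List[str]]  # (ip, [canonical_name, alias, ...])

def parse_hosts(text: str) -> List[Row]:
    """Parse /etc/hosts-style text; comments and blank lines are skipped."""
    rows: List[Row] = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            rows.append((fields[0], fields[1:]))
    return rows

def forward_lookup(rows: List[Row], name: str) -> Optional[str]:
    """IP of the first row listing `name`, like gethostbyname()."""
    return next((ip for ip, names in rows if name in names), None)

def reverse_lookup(rows: List[Row], ip: str) -> Optional[str]:
    """Canonical (first) name on the row for `ip`, like gethostbyaddr()."""
    return next((names[0] for row_ip, names in rows if row_ip == ip), None)

def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def gssapi_principal(hosts_text: str, domain: str, connect_server: Optional[str] = None,
                     observed: bool = True, service: str = "xmpp") -> str:
    """Service principal the client asks the KDC for (assumed model, not Pidgin source).

    observed=False: documented 2.4.x rule, a hostname Connect Server is used verbatim.
    observed=True: what the thread saw, the Domain is resolved and reverse-looked-up
    and that canonical name becomes the host part of the principal.
    """
    if not observed and connect_server and not is_ip_literal(connect_server):
        return f"{service}/{connect_server}"
    rows = parse_hosts(hosts_text)
    ip = forward_lookup(rows, domain)
    if ip is None:  # matches the 'An invalid name was supplied' failure in the thread
        raise LookupError(f"unknown host {domain}: no principal can be formed")
    return f"{service}/{reverse_lookup(rows, ip) or domain}"
```

With the aliased hosts entry the canonical name of 192.168.36.100 is jabber.example.com, which is why that final edit made the ticket request line up with the server's keytab.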