question about SSL/ allow plain text Auth over unencrypted streams

Paul Aurich darkrain42 at pidgin.im
Thu Oct 14 23:32:29 EDT 2010


On 2010-10-14 11:30, ajith kumar wrote:
> Hello All,
> 
> Pidgin version: 2.6.1 (libpurple 2.6.1)
> 
> Connecting to my server using the XMPP protocol.
> 
> Problem :
> 
> On version 2.6.1, when I create my account, under advanced settings
> we are advised usually to check/enable "require SSL/TLS" to connect
> to our server since our server supports only SASL authentication
> mechanism. When we choose (check) "allow plain text Auth over
> unencrypted streams" we won't get connected.

The "Require SSL/TLS" option doesn't have positive effects.  That is to
say, turning it on will not enable an account to connect that will not
connect when the option is off.  All this option does is generate a
connection error if TLS is not able to be negotiated.

Similarly (but oppositely), the "Allow plaintext authentication over
unencrypted streams" should not actually *break* a connection where it
was working previously; it will only enable a connection to try unsecure
authentication methods (see answer to your question below).

> Now on Pidgin version 2.7.3, if I do the same operation "allow plain
> text Auth over unencrypted streams" I am able to connect to my
> server. As per my understanding plain text authentication mechanism is
> not supported.
> 
> Questions:
> 1) What does "allow plain text Auth over unencrypted streams"
> exactly mean? Does it mean we supply username/passwd in clear text
> to the server? Or is it kind of again an SSL mechanism option?

It means you're sending your password in plaintext (or a
plaintext-equivalent) over an unsecure line.  That is to say, anyone who
can see your network data now knows your username and password.

> 
> 2) What is the difference between Pidgin 2.6.1 and 2.7.3 when we
> have the same settings in place? One is trying to connect while the other
> is not?

There should be no substantive difference in the functioning of these
two versions when it comes to the application of the aforementioned
configuration settings.

> This will help us to correct the setting on our server if it is really
> allowing plain text, or is it a bug?

What server is this?  The Help->Debug Window output from both Pidgin
2.6.1 and Pidgin 2.7.3 connecting would be highly useful, because Pidgin
just shouldn't be operating the way you've described.

~Paul
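The following is an added illustration for readers of this thread; it is not libpurple code and not part of the original reply. It models the two account options the way Paul describes them ("Require SSL/TLS" only adds a failure when TLS did not come up; "Allow plaintext authentication over unencrypted streams" only adds PLAIN-style mechanisms as candidates on a cleartext stream) and shows why SASL PLAIN is password-in-the-clear: its base64 wrapper is encoding, not encryption. The function names, the preference order, and the `XmppAuthError` exception are assumptions of this example; the PLAIN message layout follows RFC 4616.

```python
"""Model of Pidgin's XMPP 'Require SSL/TLS' and 'Allow plaintext auth over
unencrypted streams' options, plus an RFC 4616 SASL PLAIN encoder/decoder.
Added example; not libpurple's implementation."""
import base64

# SASL mechanisms that carry the password (or a password equivalent) in the clear.
PLAINTEXT_MECHANISMS = {"PLAIN", "LOGIN"}

# Client preference order (assumed for this example): challenge/response
# mechanisms first, since they never put the password itself on the wire.
PREFERENCE_ORDER = ["SCRAM-SHA-1", "DIGEST-MD5", "PLAIN", "LOGIN"]


class XmppAuthError(Exception):
    """Raised where Pidgin would show a connection error (hypothetical name)."""


def choose_mechanism(offered, tls_negotiated, require_tls, allow_plain_unencrypted):
    """Pick a SASL mechanism from the server's offer under the two options.

    offered                -- set of mechanism names the server advertised
    tls_negotiated         -- True if STARTTLS succeeded on this stream
    require_tls            -- the 'Require SSL/TLS' checkbox
    allow_plain_unencrypted-- the 'Allow plaintext auth over unencrypted streams' checkbox
    """
    # 'Require SSL/TLS' has no positive effect: it only turns a missing TLS
    # layer into an error. It never makes an otherwise-failing login succeed.
    if require_tls and not tls_negotiated:
        raise XmppAuthError("TLS required but not negotiated")

    for mech in PREFERENCE_ORDER:
        if mech not in offered:
            continue
        # Plaintext mechanisms are skipped on a cleartext stream unless the user
        # explicitly opted in; that opt-in cannot break a login that worked before,
        # it can only add candidates.
        if mech in PLAINTEXT_MECHANISMS and not tls_negotiated and not allow_plain_unencrypted:
            continue
        return mech

    raise XmppAuthError("no acceptable SASL mechanism offered")


def sasl_plain_response(username, password, authzid=""):
    """RFC 4616 initial response: authzid NUL authcid NUL passwd, base64-encoded."""
    message = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(message).decode("ascii")


def sasl_plain_decode(response):
    """Invert sasl_plain_response. This is the whole point of the warning in the
    thread: anyone holding the bytes of an unencrypted stream gets the password back."""
    _authzid, username, password = base64.b64decode(response).decode("utf-8").split("\0")
    return username, password


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    blob = sasl_plain_response("ajith", "constructed-password")
    print("on the wire:", blob)
    print("recovered  :", sasl_plain_decode(blob))
    print(choose_mechanism({"PLAIN", "SCRAM-SHA-1"}, tls_negotiated=False,
                           require_tls=False, allow_plain_unencrypted=False))
```

Run it and compare the four combinations: with only `PLAIN` offered and no TLS, the login fails unless the plaintext checkbox is set; with TLS up, `PLAIN` is acceptable regardless of that checkbox; and `require_tls` never changes the outcome except to fail a cleartext stream. That matches Paul's point that the 2.6.1 and 2.7.3 behaviour described in the question should not differ, and that the debug log is what would show why it does.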
