Openfire, MD5-Digest, Psi, Pidgin

I’m running my own personal Jabber server, using Openfire, which I recently switched to a setup using SRV records. So while the JID-Domain would be @foo.com, the server is actually running on jabber.foo.com (I also used that opportunity to upgrade to the latest version of Openfire, 3.5.1).

Connecting with Psi, which I use myself, works fine. Unfortunately, it soon turns out that Pidgin (which, as luck has it, one of my users insists on) isn’t quite as happy with the new status quo and fails on login with “Not Authorized”. Some googling suggests setting xmpp.fqdn in Openfire to the actual server host name, jabber.foo.com. And indeed, that looked like the solution – but not for long, because now Psi tells me “Not Authorized”. Comical, in a way.

So here’s what appears to be happening:

  • Openfire offers DIGEST-MD5 auth, which both Pidgin and Psi pick up.
  • Decoding the challenge response from both clients reveals:
    • Pidgin sets the digest-uri field to xmpp/jabber.foo.com (i.e. it uses the hostname resolved via the SRV records)
    • Psi sets digest-uri to xmpp/foo.com (i.e. it uses the JID domain)
  • Openfire expects xmpp.fqdn (jabber.foo.com) if set, or xmpp.domain (foo.com) otherwise. If there is a mismatch, it sends non-authorized.
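
To make the mismatch concrete, here is a small added example (my own illustration, not code from Openfire, Pidgin or Psi) that computes the RFC 2831 DIGEST-MD5 response for both clients and models the server-side check described above. All usernames, nonces and the password are constructed sample values, and server_accepts is a model of the behaviour, not Openfire's actual implementation.

```python
import hashlib
import hmac

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def digest_md5_response(username, realm, password, nonce, cnonce, nc, qop, digest_uri):
    """RFC 2831 client response (no authzid); digest-uri is mixed into A2."""
    # A1 starts with the *raw* MD5 bytes of user:realm:password, not their hex form.
    a1 = _md5(f"{username}:{realm}:{password}".encode()) + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    kd = f"{_md5(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_md5(a2).hex()}"
    return _md5(kd.encode()).hex()

def client_response(fields, password, serv_name):
    """Build the client's response fields. serv_name is what the client believes
    the service host is: the SRV target (Pidgin) or the JID domain (Psi)."""
    fields = dict(fields, **{"digest-uri": f"xmpp/{serv_name}"})
    fields["response"] = digest_md5_response(
        fields["username"], fields["realm"], password, fields["nonce"],
        fields["cnonce"], fields["nc"], fields["qop"], fields["digest-uri"])
    return fields

def server_accepts(fields, password, domain, fqdn=None):
    """Model of the server check from the post: the digest-uri host must match
    xmpp.fqdn when set, xmpp.domain otherwise; then the response is recomputed."""
    expected_uri = f"xmpp/{fqdn or domain}"
    if fields["digest-uri"] != expected_uri:
        return False  # the "not-authorized" case both clients run into
    expected = digest_md5_response(
        fields["username"], fields["realm"], password, fields["nonce"],
        fields["cnonce"], fields["nc"], fields["qop"], fields["digest-uri"])
    return hmac.compare_digest(expected, fields["response"])

# Constructed sample values (not from a real capture).
BASE = {"username": "alice", "realm": "foo.com", "nonce": "c2VydmVyLW5vbmNl",
        "cnonce": "Y2xpZW50LW5vbmNl", "nc": "00000001", "qop": "auth"}
PASSWORD = "example-password"
PIDGIN = client_response(BASE, PASSWORD, "jabber.foo.com")  # SRV target
PSI = client_response(BASE, PASSWORD, "foo.com")            # JID domain

if __name__ == "__main__":
    for fqdn in (None, "jabber.foo.com"):
        print(f"xmpp.fqdn={fqdn}: "
              f"Pidgin={server_accepts(PIDGIN, PASSWORD, 'foo.com', fqdn)} "
              f"Psi={server_accepts(PSI, PASSWORD, 'foo.com', fqdn)}")
```

Because digest-uri is hashed into the response, the server cannot simply ignore the field; it has to know which host name to verify against, which is exactly why a single xmpp.fqdn setting can only satisfy one of the two clients.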

Apparently neither shall work while the other … – or something like that. Note that I also tried meebo and Spark, both of which work with either configuration.

Now there are tickets about this in the Pidgin tracker (5008, 5149, 5161, all closed as invalid), and a thread in the Openfire forums (with no resolution). I wasn’t able to find much on the Psi side, shy of possibly a few mentions in older IRC logs. Nothing conclusive.

I am a bit confused that there appears to be no solution, since this shouldn’t be such an exotic situation I have here. For now, I configured Openfire to only allow PLAIN auth (over SSL though), which you can do by inserting this in your ./conf/openfire.xml:

<sasl><mechs>PLAIN</mechs></sasl>

Note that the tag is named <mechs>, not <mechanisms>. The latter seems to be suggested at times in the forums, but won’t work (not for me anyway).
