
Smack 4.1.0 X.509 Mutual Authentication

Question asked by Timothy K Taylor on May 28, 2015
Latest reply on Jun 10, 2015 by Timothy K Taylor

Context: Using smack 4.1.0 in client to connect to openfire 3.9.3 server configured with xmpp.client.cert.policy=needed, sasl.mechs=EXTERNAL.  Client and server trust set up and appear to authenticate.

 

Problem: With a smartcard, the TLS Handshake does not complete on server side. Client performs its CertificateVerify (signed secret and prior messages), ciphersuite and finished messages but server never responds with its own ciphersuite and finished messages. Instead I get NoResponse timeouts in SmackException.

 

Pseudo-summary: I will post my code if requested but first I thought I would describe what it's doing and just post the part of interest.

1. Using a test class with main() method.

2. Create a KeyStore based on softoken (scenario 1) and  MSCAPI "Windows-MY" (scenario 2) and initialize with KeyManagerFactory

3. Use a jssecacerts in %JAVA_HOME%/lib/security truststore (for now)

4. Use an X509ExtendedKeyManager to select alias (chooseClientAlias() in scenario 2 KeyManager) and authenticate with smartcard.

5. Create a custom SSLContext to initialize my custom KeyManager (array of 1).

6. Use the XMPPTCPConnectionConfiguration.builder() to construct details of connection including my custom SSLContext and SecurityMode.required

7. Instantiate an AbstractXMPPTCPConnection using the configuration I build in #6

8. connect().

9. disconnect().

 

Scenario 1: Softoken (filesystem KeyStore) authentication output

01:27:46 PM SENT (0): <stream:stream xmlns='jabber:client' to='example.com' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' xml:lang='en'>

01:27:46 PM RECV (0): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="example.com" id="67bad334" xml:lang="en" version="1.0"><stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>EXTERNAL</mechanism></mechanisms></stream:features>

01:27:46 PM SENT (0): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'></starttls>

01:27:46 PM RECV (0): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>

01:27:46 PM SENT (0): <stream:stream xmlns='jabber:client' to='example.com' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' xml:lang='en'>

01:27:46 PM RECV (0): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="example.com" id="67bad334" xml:lang="en" version="1.0"><stream:features><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>EXTERNAL</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>

01:27:46 PM SENT (0): <presence id='7R8st-3' type='unavailable'><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.igniterealtime.org/projects/smack' ver='NfJ3flI83zSdUDzCEICtbypursw='/></presence>

01:27:46 PM SENT (0): </stream:stream>

 

Scenario 2: Smartcard (through Windows-MY) authentication output

01:34:55 PM SENT (0): <stream:stream xmlns='jabber:client' to='example.com' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' xml:lang='en'>

01:34:55 PM RECV (0): <?xml version='1.0' encoding='UTF-8'?><stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="example.com" id="c5d2996e" xml:lang="en" version="1.0">

01:34:55 PM RECV (0): <stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>EXTERNAL</mechanism></mechanisms></stream:features>

01:34:55 PM SENT (0): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'></starttls>

01:34:55 PM RECV (0): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>

 

org.jivesoftware.smack.SmackException$NoResponseException: No response received within reply timeout. Timeout was 5000ms (~5s). Used filter: No filter used or filter was 'null'.

  at org.jivesoftware.smack.SmackException$NoResponseException.newWith(SmackException.java:106)

  at org.jivesoftware.smack.SmackException$NoResponseException.newWith(SmackException.java:85)

  at org.jivesoftware.smack.SynchronizationPoint.checkForResponse(SynchronizationPoint.java:192)

  at org.jivesoftware.smack.SynchronizationPoint.checkIfSuccessOrWait(SynchronizationPoint.java:114)

  at org.jivesoftware.smack.SynchronizationPoint.checkIfSuccessOrWaitOrThrow(SynchronizationPoint.java:97)

  at org.jivesoftware.smack.tcp.XMPPTCPConnection.connectInternal(XMPPTCPConnection.java:837)

  at org.jivesoftware.smack.AbstractXMPPConnection.connect(AbstractXMPPConnection.java:360)

  at pke4chat.TestProtoType.main(TestProtoType.java:84)

 

01:35:00 PM SENT (0): <presence id='15hy5-3' type='unavailable'><c xmlns='http://jabber.org/protocol/caps' hash='sha-1' node='http://www.igniterealtime.org/projects/smack' ver='NfJ3flI83zSdUDzCEICtbypursw='/></presence>

 

May 28, 2015 1:35:05 PM org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketWriter shutdown

WARNING: shutdownDone was not marked as successful by the writer thread

org.jivesoftware.smack.SmackException$NoResponseException: No response received within reply timeout. Timeout was 5000ms (~5s). Used filter: No filter used or filter was 'null'.

  at org.jivesoftware.smack.SmackException$NoResponseException.newWith(SmackException.java:106)

  at org.jivesoftware.smack.SmackException$NoResponseException.newWith(SmackException.java:85)

  at org.jivesoftware.smack.SynchronizationPoint.checkForResponse(SynchronizationPoint.java:192)

  at org.jivesoftware.smack.SynchronizationPoint.checkIfSuccessOrWait(SynchronizationPoint.java:114)

  at org.jivesoftware.smack.tcp.XMPPTCPConnection$PacketWriter.shutdown(XMPPTCPConnection.java:1265)

  at org.jivesoftware.smack.tcp.XMPPTCPConnection.shutdown(XMPPTCPConnection.java:494)

  at org.jivesoftware.smack.tcp.XMPPTCPConnection.shutdown(XMPPTCPConnection.java:476)

  at org.jivesoftware.smack.AbstractXMPPConnection.disconnect(AbstractXMPPConnection.java:666)

  at org.jivesoftware.smack.AbstractXMPPConnection.disconnect(AbstractXMPPConnection.java:646)

  at pke4chat.TestProtoType.main(TestProtoType.java:108)

 

The Big Question:  What can be causing the SmackException$NoResponseException?

 

Stabbing in the dark...

1. increasing packetReply timeout made no difference

2. while I wait for any replies (Flow?), I will move my alias selection to a callback handler implementation.  Right now it is all coded within the custom KeyManager.

 

Thanks in advance.

 

regards,

tt
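An added diagnostic example, not code from the original post or from the Smack project: a delegating X509ExtendedKeyManager that pins one alias and logs the certificate chain and private key JSSE will actually present, wired into the same Smack 4.1.0 steps the post describes (Windows-MY KeyStore, KeyManagerFactory, custom SSLContext, builder with SecurityMode.required, connect, disconnect). The alias passed on the command line, the `example.com` host/service name and port 5222 are assumptions.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
import org.jivesoftware.smack.ConnectionConfiguration.SecurityMode;
import org.jivesoftware.smack.tcp.XMPPTCPConnection;
import org.jivesoftware.smack.tcp.XMPPTCPConnectionConfiguration;

/** Wraps the provider's key manager, pins one alias and logs what the TLS handshake will actually get. */
public class LoggingKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate;
    private final String alias; // alias to present (hypothetical, supplied by the caller)
    public LoggingKeyManager(X509ExtendedKeyManager d, String a) { delegate = d; alias = a; }

    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        X509Certificate[] chain = delegate.getCertificateChain(alias);
        PrivateKey key = delegate.getPrivateKey(alias);
        // A null chain or key means JSSE sends an empty Certificate and no CertificateVerify,
        // which a server with xmpp.client.cert.policy=needed will not accept.
        System.err.println("chooseClientAlias -> " + alias + ", chain=" + (chain == null ? "null" : chain.length)
                + ", key=" + (key == null ? "null" : key.getAlgorithm()));
        return alias;
    }
    @Override public String chooseEngineClientAlias(String[] kt, Principal[] is, SSLEngine e) { return chooseClientAlias(kt, is, null); }
    @Override public String[] getClientAliases(String kt, Principal[] is) { return delegate.getClientAliases(kt, is); }
    @Override public String[] getServerAliases(String kt, Principal[] is) { return delegate.getServerAliases(kt, is); }
    @Override public String chooseServerAlias(String kt, Principal[] is, Socket s) { return delegate.chooseServerAlias(kt, is, s); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }

    /** Scenario 2: smartcard via the MSCAPI "Windows-MY" store; trust falls back to the JRE default (jssecacerts). */
    public static SSLContext buildContext(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY");
        ks.load(null, null); // MSCAPI store: no stream, no password
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, null);
        X509ExtendedKeyManager base = (X509ExtendedKeyManager) kmf.getKeyManagers()[0];
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new LoggingKeyManager(base, alias) }, null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        XMPPTCPConnectionConfiguration cfg = XMPPTCPConnectionConfiguration.builder()
                .setServiceName("example.com").setHost("example.com").setPort(5222)
                .setSecurityMode(SecurityMode.required).setCustomSSLContext(buildContext(args[0])).build();
        XMPPTCPConnection conn = new XMPPTCPConnection(cfg);
        try { conn.connect(); } finally { conn.disconnect(); }
    }
}
```

Running with -Djavax.net.debug=ssl:handshake alongside this log line shows whether the server answers the client's CertificateVerify with a TLS alert or simply goes silent, which narrows a NoResponseException down to the handshake rather than the XMPP layer.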
