disabling ssl for testing purposes

Brendan Miller

Mar 13, 2012, 7:57:02 PM
to Prosody IM Users
I have a prosody server on a private network that exists purely for
testing purposes. I want to make it super easy for wireshark and
tcpdump to listen in on traffic to this server, so I want to disable
ssl/tls. However, I've run into a problem.

In prosody.cfg.lua I commented out "saslauth" and "tls" in the modules
enabled field.

I've also made sure this is set:

c2s_require_encryption = false
s2s_require_encryption = false

However, when I try to connect to my server with pidgin I still get
this error back from prosody:

<error type='modify'><not-acceptable
xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/><text
xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>Encryption (SSL or TLS) is
required to connect to this server</text></error>

Is there anything else I need to set before prosody will let me
connect unencrypted?

Thanks,
Brendan

Matthew Wild

Mar 13, 2012, 8:23:08 PM
to prosod...@googlegroups.com
Hi Brendan,

On 13 March 2012 23:57, Brendan Miller <catp...@catphive.net> wrote:
> I have a prosody server on a private network that exists purely for
> testing purposes. I want to make it super easy for wireshark and
> tcpdump to listen in on traffic to this server, so I want to disable
> ssl/tls. However, I've run into a problem.
>
> In prosody.cfg.lua I commented out "saslauth" and "tls" in the modules
> enabled field.
>

You should only need to comment mod_tls. SASL authentication is
standard XMPP, the alternative is legacy authentication which many
modern clients won't support.

> I've also made sure this is set:
>
> c2s_require_encryption = false
> s2s_require_encryption = false
>

That's fine, but these are also the defaults.

> However, when I try to connect to my server with pidgin I still get
> this error back from prosody:
>
> <error type='modify'><not-acceptable
> xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'/><text
> xmlns='urn:ietf:params:xml:ns:xmpp-stanzas'>Encryption (SSL or TLS) is
> required to connect to this server</text></error>
>

I'm not sure why this would be. Re-enable mod_saslauth unless you
really want to use legacy auth (and in that case make sure
mod_legacyauth is enabled).

Oh, one idea just came to me... though Prosody doesn't *require*
encryption out of the box, it won't allow insecure mechanisms on an
unencrypted stream by default. The most common implementation of
legacy authentication is plaintext only, which is perhaps what's going
on. Set this:

allow_unencrypted_plain_auth = true

Restart Prosody fully after these changes (it's possible to apply
these changes dynamically, but while troubleshooting things a full
restart is safest).

If you're still stuck after this then post your config somewhere and
we can have a look at it.

Hope this helps,
Matthew
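
An added example, not part of the original thread and not Prosody's own tooling: a small Python check that flags the test-only settings discussed above if they appear in a `prosody.cfg.lua`, so a capture-friendly lab config does not end up on a real deployment. The sample config is constructed and the function names are hypothetical; only global boolean options and `--` line comments are handled.

```python
import re

# Constructed sample: a prosody.cfg.lua fragment with the test-only settings from this thread.
SAMPLE_TEST_CONFIG = """
modules_enabled = {
    "roster";
    "saslauth";
    --"tls";
}
c2s_require_encryption = false
s2s_require_encryption = false
allow_unencrypted_plain_auth = true
"""

def strip_comments(text):
    """Drop Lua '--' line comments (block comments and '--' inside strings are not handled)."""
    return "\n".join(line.split("--", 1)[0] for line in text.splitlines())

def enabled_modules(text):
    """Return the module names listed in the global modules_enabled table."""
    m = re.search(r"modules_enabled\s*=\s*\{(.*?)\}", text, re.S)
    return set(re.findall(r"[\"']([^\"']+)[\"']", m.group(1))) if m else set()

def option(text, name):
    """Return the last global boolean assignment of `name`, or None if it is never set."""
    vals = re.findall(rf"^\s*{re.escape(name)}\s*=\s*(true|false)\b", text, re.M)
    return vals[-1] == "true" if vals else None

def audit(config_text):
    """List the settings that let XMPP traffic or credentials travel unencrypted."""
    text = strip_comments(config_text)
    mods = enabled_modules(text)
    findings = []
    if "tls" not in mods:
        findings.append("mod_tls is not enabled: streams cannot be encrypted")
    if "legacyauth" in mods:
        findings.append("mod_legacyauth is enabled: legacy auth is commonly plaintext only")
    if option(text, "allow_unencrypted_plain_auth"):
        findings.append("allow_unencrypted_plain_auth = true: plaintext auth on unencrypted streams")
    for name in ("c2s_require_encryption", "s2s_require_encryption"):
        if not option(text, name):  # unset counts as false, the default stated in the thread
            findings.append(f"{name} is not true: unencrypted connections are accepted")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_TEST_CONFIG):
        print("WARN:", finding)
```
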
