Client disconnected: wrong version number


shm...@riseup.net

Jul 20, 2014, 4:35:55 AM
to prosod...@googlegroups.com
I'm running Prosody from the Prosody jessie repo & I'm new to Prosody
I'm connecting from ChatSecure Android 13.2.0-alpha-9
there are common ciphers available between server/android
my ssl cert is not RSA - it's ECDSA sha384 in a pure ECC chain
there's no problem syslog output for the cert
I've explicitly defined ssl-params for ciphers, dhparam, protocol

these connect fine showing the cert

openssl s_client -starttls xmpp -connect example.com:5269
openssl s_client -starttls xmpp -connect example.com:5222

please help out with the debug below...
thanks for any solutions

Jul 20 17:23:54 socket debug accepted incoming client connection from: 1.2.3.4 8987 to 5222
Jul 20 17:23:54 c2s276a100 info Client connected
Jul 20 17:23:55 c2s276a100 debug Client sent opening <stream:stream> to example.com
Jul 20 17:23:55 c2s276a100 debug Sent reply <stream:stream> to client
Jul 20 17:23:56 c2s276a100 debug Received[c2s_unauthed]: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>
Jul 20 17:23:56 socket debug try to start ssl at client id: 27647b0
Jul 20 17:23:56 socket debug ssl session delayed until writebuffer is empty...
Jul 20 17:23:56 c2s276a100 debug TLS negotiation started for c2s_unauthed...
Jul 20 17:23:56 socket debug starting ssl handshake after writing
Jul 20 17:23:56 socket debug starting handshake...
Jul 20 17:23:56 socket debug ssl handshake of client with id:table: 0x27647b0, attempt:1
Jul 20 17:23:57 socket debug ssl handshake of client with id:table: 0x27647b0, attempt:2
Jul 20 17:23:57 socket debug ssl handshake error: wrong version number
Jul 20 17:23:57 socket debug closing client with id: 27647b0 wrong version number
Jul 20 17:23:57 c2s276a100 info Client disconnected: wrong version number
Jul 20 17:23:57 c2s276a100 debug Destroying session for (unknown) ((unknown)@example.com): wrong version number
Jul 20 17:23:57 socket debug handshake failed because: wrong version number
Jul 20 17:26:16 socket debug accepted incoming client connection from: 1.2.3.4 16050 to 5222
Jul 20 17:26:16 c2s27739d0 info Client connected
Jul 20 17:26:17 c2s27739d0 debug Client sent opening <stream:stream> to
Jul 20 17:26:17 c2s27739d0 debug Disconnecting client, <stream:error> is: <stream:error><host-unknown xmlns='urn:ietf:params:xml:ns:xmpp-streams'/><$
Jul 20 17:26:17 c2s27739d0 info c2s stream for <101.173.213.64> closed: This server does not serve
Jul 20 17:26:17 c2s27739d0 debug Destroying session for (unknown) ((unknown)@): This server does not serve
Jul 20 17:26:17 socket debug try to close client connection with id: 27744b0
Jul 20 17:26:17 socket debug closing delayed until writebuffer is empty
Jul 20 17:26:17 socket debug closing client after writing
Jul 20 17:26:17 socket debug closing client with id: 27744b0 client to close
Jul 20 17:26:17 c2s27739d0 info Client disconnected: connection closed
Jul 20 17:26:17 c2s27739d0 debug Destroying session for (unknown) ((unknown)@(unknown))

Matthew Wild

Jul 23, 2014, 6:05:22 PM
to Prosody IM Users Group
Hi, sorry for the delayed reply.

On 20 July 2014 09:03, shm...@riseup.net <shm...@riseup.net> wrote:
> I'm running Prosody from the Prosody jessie repo & I'm new to Prosody
> I'm connecting from ChatSecure Android 13.2.0-alpha-9
> there are common ciphers available between server/android
> my ssl cert is not RSA - it's ECDSA sha384 in a pure ECC chain
> there's no problem syslog output for the cert
> I've explicitly defined ssl-params for ciphers, dhparam, protocol

Any and all of these are likely suspects for causing interoperability
issues with clients, particularly Java ones. I recommend testing other
clients (particularly non-Java ones) to see if they work.

A common issue for example is DH parameters greater than 1024 bits.

Other than that, it might just be a case of trial and error, see what
works and what doesn't. You're out of the realms of XMPP here and into
the specifics of various SSL implementations... good luck!

Regards,
Matthew

shm...@riseup.net

Jul 25, 2014, 9:59:28 AM
to prosod...@googlegroups.com
--protocol = "tlsv1_2", "tlsv1_1", "tlsv1", "sslv3";

now it worked ;-)

any idea why this would cause the errors ?

>
> Regards,
> Matthew
>

Matthew Wild

Jul 25, 2014, 10:17:56 AM
to Prosody IM Users Group
On 25 July 2014 14:59, shm...@riseup.net <shm...@riseup.net> wrote:
> --protocol = "tlsv1_2", "tlsv1_1", "tlsv1", "sslv3";
>
> now it worked ;-)
>
> any idea why this would cause the errors ?

That syntax is incorrect, and you can't specify a list of protocols
there anyway because OpenSSL doesn't work like that. Essentially you
were setting the protocol to only TLS 1.2 (the first one), which some
clients won't support.

In general I strongly advise people against modifying these settings.
The defaults are chosen carefully, and if you make a mistake
configuring it yourself then you can end up with a really insecure
setup.

However if you do insist on fiddling with the SSL settings, please be
sure to read the docs carefully (link below[1]). Note that you will
also need to regularly review them as you will not benefit from
changes to our default settings when they happen, and over time your
choices may become less secure.

Regards,
Matthew

[1]: https://prosody.im/doc/advanced_ssl_config
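
Added example, not part of the thread and not Prosody's own code: how Lua itself reads the `protocol` line discussed above, and a small check that flags it. It assumes the line sat inside the `ssl = { ... }` table of the config; `audit_ssl` and the file paths are hypothetical.

```lua
-- Constructed sample: the ssl table as it presumably looked before the
-- protocol line was commented out (assumption: the full config is not shown
-- in the thread, and the paths are placeholders).
local ssl_as_written = {
    key = "/path/to/example.key";
    certificate = "/path/to/example.crt";
    protocol = "tlsv1_2", "tlsv1_1", "tlsv1", "sslv3";
}

-- Hypothetical helper (not a Prosody API): returns a list of findings for
-- an ssl table.
local function audit_ssl(ssl)
    local findings = {}
    -- Inside a table constructor, only the first string is assigned to
    -- `protocol`. The values after the commas become positional entries
    -- ssl[1], ssl[2], ... and are not part of the protocol setting.
    for i, v in ipairs(ssl) do
        findings[#findings + 1] =
            ("stray positional entry [%d] = %q"):format(i, tostring(v))
    end
    if ssl.protocol ~= nil then
        if type(ssl.protocol) ~= "string" then
            findings[#findings + 1] =
                "protocol must be a single string, got " .. type(ssl.protocol)
        else
            findings[#findings + 1] =
                ("protocol is pinned to the single value %q"):format(ssl.protocol)
        end
    end
    return findings
end

print("effective protocol: " .. tostring(ssl_as_written.protocol))
for _, finding in ipairs(audit_ssl(ssl_as_written)) do
    print(" - " .. finding)
end

-- The state that worked in the thread: the protocol line is commented out,
-- so the server's default protocol selection applies.
local ssl_with_defaults = {
    key = "/path/to/example.key";
    certificate = "/path/to/example.crt";
    -- protocol = "tlsv1_2", "tlsv1_1", "tlsv1", "sslv3";
}
print("findings with protocol left at default: " .. #audit_ssl(ssl_with_defaults))
```

Written as a bare statement outside a table, the same line is a multiple assignment and Lua discards the extra values, so the effective protocol is again only the first string.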