
slixmpp new release for inclusion

Open · rr-sam opened this issue 1 year ago · 1 comment

slixmpp has a new release (1.8.5) that fixes the SCRAM-SHA-1 issues with logging into Prosody servers: https://codeberg.org/poezio/slixmpp/releases/tag/slix-1.8.5.

Fix connections to Snikket instances: Snikket decided to forbid PLAIN
authentication, which is good but exposed a bug in slixmpp, which was trying
to do SCRAM-SHA-1-PLUS authentication on TLSv1.3 using the tls-unique channel
binding, which is forbidden by spec on this version of TLS as it has various
known attacks. TLSv1.3 has the tls-exporter binding which replaces tls-unique,
but we cannot currently use it in slixmpp because CPython does not support it.
For now, connections to Snikket instances will use SCRAM-SHA-1 without binding
(note that the stanzas may say SCRAM-SHA-1-PLUS, but it is the SCRAM payload
which is important here).

I have the same setup, with Prosody enforcing better auth, same as Snikket.

rr-sam avatar Feb 02 '24 19:02 rr-sam

What's necessary for this on the prometheus-xmpp-alerts side?

jelmer avatar May 08 '24 17:05 jelmer

prometheus-xmpp-alerts doesn't have a bound on the version of slixmpp, so I don't think there is anything to do here. Please reopen if I'm missing something.

jelmer avatar Sep 18 '24 12:09 jelmer

We updated Snikket to the latest version in Docker and now see these errors when trying to log in:

Using slower stringprep, consider compiling the faster cython/libidn one.
INFO     Authentication failed: malformed-request
WARNING  XMPP Authentication failed: <failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><malformed-request /><text>Proposed channel binding type isn&apos;t supported.</text></failure>
INFO     Authentication failed: malformed-request
WARNING  XMPP Authentication failed: <failure xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><malformed-request /></failure>

rr-sam avatar Feb 27 '25 22:02 rr-sam
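The negotiation described in the release note quoted at the top of the thread, and the malformed-request failure in the log just posted, as an added example that is not slixmpp, Prosody, Snikket or prometheus-xmpp-alerts code: a minimal SCRAM-SHA-1 / SCRAM-SHA-1-PLUS exchange with both sides in Python. The channel-binding byte strings, the user name `alerts`, the password, and the server's table of bindings it can verify are constructed assumptions; the rejection text on the server side copies the wording from the log above. The general rule it demonstrates (the GS2 header must be `n,,` or `y,,` rather than `p=tls-unique,,` once there is no binding the client can actually compute on that TLS version) is what RFC 5802 specifies, not something specific to these projects.

```python
import base64
import hashlib
import hmac
import os

# Constructed channel-binding values. Real ones come from the TLS layer (tls-unique
# from the Finished message, tls-exporter from an RFC 9266 exporter); these are fakes.
TLS_UNIQUE = b"\x11" * 12
TLS_EXPORTER = b"\x22" * 32

class AuthFailure(Exception):
    """Stands in for the XMPP <failure/> element the server sends."""

def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def _b64(b): return base64.b64encode(b).decode()

def usable_bindings(tls_version, available):
    """TLS 1.3 (RFC 8446) defines no tls-unique; offering it there is the bug the
    release note describes, so drop it and keep only tls-exporter on that version."""
    drop = {"tls-unique"} if tls_version == "TLSv1.3" else set()
    return {k: v for k, v in available.items() if k not in drop}

class ScramServer:
    def __init__(self, password, cb_data):
        self.cb_data = cb_data  # binding types this server can verify (assumed table)
        self.salt, self.iters = os.urandom(16), 4096
        salted = hashlib.pbkdf2_hmac("sha1", password.encode(), self.salt, self.iters)
        self.stored_key = hashlib.sha1(hmac.new(salted, b"Client Key", hashlib.sha1).digest()).digest()
        self.server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()

    def mechanisms(self):
        return ["SCRAM-SHA-1-PLUS", "SCRAM-SHA-1"] if self.cb_data else ["SCRAM-SHA-1"]

    def server_first(self, client_first):
        gs2, _, self.bare = client_first.partition(",,")
        gs2 += ",,"
        self.cbind = gs2.encode()
        if gs2.startswith("p="):  # the check behind the error quoted in the thread
            cb_type = gs2[2:-2]
            if cb_type not in self.cb_data:
                raise AuthFailure("malformed-request: Proposed channel binding type isn't supported.")
            self.cbind += self.cb_data[cb_type]
        cnonce = dict(kv.split("=", 1) for kv in self.bare.split(","))["r"]
        self.nonce = cnonce + _b64(os.urandom(12))
        self.first = f"r={self.nonce},s={_b64(self.salt)},i={self.iters}"
        return self.first

    def server_final(self, client_final):
        without_proof, _, proof = client_final.rpartition(",p=")
        attrs = dict(kv.split("=", 1) for kv in without_proof.split(","))
        if base64.b64decode(attrs["c"]) != self.cbind or attrs["r"] != self.nonce:
            raise AuthFailure("not-authorized: channel binding or nonce mismatch")
        auth_msg = f"{self.bare},{self.first},{without_proof}".encode()
        client_sig = hmac.new(self.stored_key, auth_msg, hashlib.sha1).digest()
        client_key = _xor(base64.b64decode(proof), client_sig)
        if not hmac.compare_digest(hashlib.sha1(client_key).digest(), self.stored_key):
            raise AuthFailure("not-authorized: bad proof")
        return "v=" + _b64(hmac.new(self.server_key, auth_msg, hashlib.sha1).digest())

class ScramClient:
    def __init__(self, user, password, cb_data):
        self.user, self.password, self.cb_data = user, password, cb_data

    def client_first(self, server_mechs):
        if "SCRAM-SHA-1-PLUS" in server_mechs and self.cb_data:
            cb_type = "tls-exporter" if "tls-exporter" in self.cb_data else sorted(self.cb_data)[0]
            self.gs2, cb = f"p={cb_type},,", self.cb_data[cb_type]
        elif self.cb_data:
            self.gs2, cb = "y,,", b""  # we could bind, server offered no -PLUS mechanism
        else:
            self.gs2, cb = "n,,", b""  # nothing usable: unbound SCRAM-SHA-1 payload
        self.cbind = self.gs2.encode() + cb
        self.bare = f"n={self.user},r={_b64(os.urandom(12))}"
        return self.gs2 + self.bare

    def client_final(self, server_first):
        attrs = dict(kv.split("=", 1) for kv in server_first.split(","))
        salted = hashlib.pbkdf2_hmac("sha1", self.password.encode(),
                                     base64.b64decode(attrs["s"]), int(attrs["i"]))
        client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
        without_proof = f"c={_b64(self.cbind)},r={attrs['r']}"
        auth_msg = f"{self.bare},{server_first},{without_proof}".encode()
        client_sig = hmac.new(hashlib.sha1(client_key).digest(), auth_msg, hashlib.sha1).digest()
        server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
        self.expected = "v=" + _b64(hmac.new(server_key, auth_msg, hashlib.sha1).digest())
        return f"{without_proof},p={_b64(_xor(client_key, client_sig))}"

def scenario(client_cb, server_cb, client_password="s3cret"):
    """One full exchange; returns ("ok", gs2_header) or ("failure", reason)."""
    server, client = ScramServer("s3cret", server_cb), ScramClient("alerts", client_password, client_cb)
    try:
        final = client.client_final(server.server_first(client.client_first(server.mechanisms())))
        if not hmac.compare_digest(server.server_final(final), client.expected):
            raise AuthFailure("server signature mismatch")
        return ("ok", client.gs2)
    except AuthFailure as exc:
        return ("failure", str(exc))
```

`scenario({"tls-unique": TLS_UNIQUE}, {"tls-exporter": TLS_EXPORTER})` is the situation in the log: a TLS 1.3 server that only knows tls-exporter is offered tls-unique and answers with malformed-request before any proof is exchanged. Passing the client's bindings through `usable_bindings("TLSv1.3", ...)` first leaves it with nothing to offer, so it sends `n,,` and authenticates with a plain SCRAM-SHA-1 payload, which is the fallback the 1.8.5 release note describes. The `c=` attribute carries the GS2 header plus binding data into the signed AuthMessage, so a client and server that sit on different TLS sessions (the `"\x33"` binding in the checks below) fail the binding comparison on the server; that mismatch detection is what the -PLUS variant buys and what the unbound fallback gives up.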

Have you tried updating slixmpp? If it helps, can you send a PR?

jelmer avatar Feb 27 '25 22:02 jelmer

I'm pulling your Docker images from ghcr.io, not building myself from the Dockerfile, which seemed to work for a while. I'm trying to debug what's happening, as sid-slim appears to have the latest slixmpp 1.8.6 (https://packages.debian.org/en/sid/python3-slixmpp), which contains the fix from 1.8.5: https://codeberg.org/poezio/slixmpp/releases/tag/slix-1.8.5

rr-sam avatar Feb 27 '25 22:02 rr-sam

If one looks at https://github.com/jelmer/prometheus-xmpp-alerts/pkgs/container/prometheus-xmpp-alerts it seems the latest build is from 2 years ago, so it would not contain the updated slixmpp 1.8.5 or newer.

Specifically, https://github.com/jelmer/prometheus-xmpp-alerts/pkgs/container/prometheus-xmpp-alerts/68260951?tag=latest and from the Manifest, "org.opencontainers.image.created": "2023-02-05T19:38:20.550Z",

slixmpp 1.8.5 was released on 2024-02-01.

If you could, please update the docker image for pulling. Thank you.

rr-sam avatar Feb 27 '25 22:02 rr-sam
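The check made in the comment above (compare the image's `org.opencontainers.image.created` label with the date of the dependency release that carries the fix, then confirm what the image actually ships), as an added example that is not part of this issue or of prometheus-xmpp-alerts. The embedded label JSON is a constructed sample that reuses the created timestamp quoted from the manifest above; the two `docker` calls only run when the script is executed directly, and they assume the image has `python3` on its PATH.

```python
import json
import subprocess
from datetime import datetime, timezone

# Constructed sample of what `docker image inspect --format '{{json .Config.Labels}}'`
# returns; the created value is the one quoted from the manifest in the thread.
SAMPLE_LABELS = json.dumps({
    "org.opencontainers.image.created": "2023-02-05T19:38:20.550Z",
    "org.opencontainers.image.source": "https://github.com/jelmer/prometheus-xmpp-alerts",
})

def parse_oci_created(value):
    """Parse the RFC 3339 timestamp in org.opencontainers.image.created.
    Assumes a UTC ('Z') value, which is what build tooling normally writes; the
    fractional seconds are dropped so this does not depend on 3.11's fromisoformat."""
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def image_predates_fix(labels_json, fix_release_date):
    """True when the image was built before the release (YYYY-MM-DD) that carries the fix,
    i.e. the tag you pulled cannot contain it no matter what 'latest' suggests."""
    labels = json.loads(labels_json)
    created = parse_oci_created(labels["org.opencontainers.image.created"])
    fix = datetime.strptime(fix_release_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return created < fix

def inspect_labels(image):
    """Live check (needs docker and a pulled image): the label block as JSON."""
    return subprocess.run(
        ["docker", "image", "inspect", "--format", "{{json .Config.Labels}}", image],
        check=True, capture_output=True, text=True).stdout

def installed_version(image, dist="slixmpp"):
    """Live check: ask the image's own interpreter which version of a distribution it ships.
    Build metadata can lie; the installed package is the ground truth for the fix."""
    code = f"import importlib.metadata as m; print(m.version({dist!r}))"
    return subprocess.run(
        ["docker", "run", "--rm", "--entrypoint", "python3", image, "-c", code],
        check=True, capture_output=True, text=True).stdout.strip()

if __name__ == "__main__":
    image = "ghcr.io/jelmer/prometheus-xmpp-alerts:latest"
    # slixmpp 1.8.5 was released on 2024-02-01 (date from the comment above).
    print("built before the slixmpp 1.8.5 fix:", image_predates_fix(inspect_labels(image), "2024-02-01"))
    print("slixmpp shipped in image:", installed_version(image))
```

The date comparison answers only whether the image could contain the fix; `installed_version` answers whether it does, and is the check to keep in a deployment checklist, because a rebuilt image with the same tag is indistinguishable from the stale one until you inspect it.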

I've just pushed a newer image. Please let me know if this works better.

jelmer avatar Feb 28 '25 00:02 jelmer

Works flawlessly now. Also improved 2 years of security issues in Debian sid since the last update. Thank you.

rr-sam avatar Feb 28 '25 00:02 rr-sam