
Server doesn't support any of the requested SASL mechanisms

Open itzzengay opened this issue 2 years ago • 19 comments

Before creating a ticket, please consider if this should fit the discussion forum better.

Environment

  • ejabberd version: 23.10
  • Erlang version: Erlang (SMP,ASYNC_THREADS) (BEAM) emulator version 14.1
  • OS: Linux (Arch Linux)
  • Installed from: source

Configuration (only if needed): grep -Ev '^$|^\s*#' ejabberd.yml

hosts:
  - plus.st
host_config:
  "plus.st":
    sql_type: pgsql
    sql_server: "localhost"
    sql_database: "ejabberd_production"
    sql_username: "ejabberd"
    sql_password: "[dbpass]"
    auth_method: [sql]
    auth_password_format: scram
    auth_scram_hash: sha512
loglevel: info
certfiles:
  - /etc/ejabberd/.cert/muc.plus.st.crt
  - /etc/ejabberd/.cert/muc.plus.st.key
  - /etc/ejabberd/.cert/plus.st.crt
  - /etc/ejabberd/.cert/plus.st.key
  - /etc/ejabberd/.cert/proxy.plus.st.crt
  - /etc/ejabberd/.cert/proxy.plus.st.key
  - /etc/ejabberd/.cert/pubsub.plus.st.crt
  - /etc/ejabberd/.cert/pubsub.plus.st.key
  - /etc/ejabberd/.cert/xmpp.plus.st.crt
  - /etc/ejabberd/.cert/xmpp.plus.st.key
listen:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    starttls_required: true
  -
    port: 5223
    ip: "::"
    module: ejabberd_c2s
    max_stanza_size: 262144
    shaper: c2s_shaper
    access: c2s
    tls: true
  -
    port: 5269
    ip: "::"
    module: ejabberd_s2s_in
    max_stanza_size: 524288
    shaper: s2s_shaper
s2s_use_starttls: required
acl:
  local:
    user_regexp: ""
  loopback:
    ip:
      - 127.0.0.0/8
      - ::1/128
access_rules:
  local:
    allow: local
  c2s:
    deny: blocked
    allow: all
  announce:
    allow: admin
  configure:
    allow: admin
  muc_create:
    allow: local
  pubsub_createnode:
    allow: local
  trusted_network:
    allow: loopback
api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      access:
        allow:
          - acl: loopback
          - acl: admin
      oauth:
        scope: "ejabberd:admin"
        access:
          allow:
            - acl: loopback
            - acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "public commands":
    who:
      ip: 127.0.0.1/8
    what:
      - status
      - connected_users_number
shaper:
  normal:
    rate: 3000
    burst_size: 20000
  fast: 100000
shaper_rules:
  max_user_sessions: 10
  max_user_offline_messages:
    5000: admin
    100: all
  c2s_shaper:
    none: admin
    normal: all
  s2s_shaper: fast
modules:
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce:
    access: announce
  mod_avatar: {}
  mod_blocking: {}
  mod_bosh: {}
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {}
  mod_disco: {}
  mod_fail2ban: {}
  mod_http_api: {}
  mod_http_upload:
    put_url: https://@HOST@:5443/upload
    custom_headers:
      "Access-Control-Allow-Origin": "https://@HOST@"
      "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS"
      "Access-Control-Allow-Headers": "Content-Type"
  mod_last: {}
  mod_mam:
    assume_mam_usage: true
    default: always
  mod_mqtt: {}
  mod_muc:
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
    access_mam:
      - allow
    default_room_options:
      mam: true
  mod_muc_admin: {}
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  mod_privacy: {}
  mod_private: {}
  mod_proxy65:
    access: local
    max_connections: 5
  mod_pubsub:
    access_createnode: pubsub_createnode
    plugins:
      - flat
      - pep
    force_node_config:
      storage:bookmarks:
        access_model: whitelist
  mod_push: {}
  mod_push_keepalive: {}
  mod_register:
    ip_access: trusted_network
  mod_roster:
    versioning: true
  mod_s2s_dialback: {}
  mod_shared_roster: {}
  mod_stream_mgmt:
    resend_on_timeout: if_offline
  mod_stun_disco: {}
  mod_vcard: {}
  mod_vcard_xupdate: {}
  mod_version:
    show_os: false

Errors from error.log/crash.log

No errors

Bug description

With this basic config, running a compliance test via https://compliance.conversations.im returns:

Server doesn't support any of the requested SASL mechanisms: [SCRAM-SHA-1, DIGEST-MD5, GSSAPI, CRAM-MD5, PLAIN, ANONYMOUS].

with no errors in ejabberd log

itzzengay avatar Nov 20 '23 03:11 itzzengay

Change auth_scram_hash: sha512 to sha1 ?

licaon-kter avatar Nov 20 '23 05:11 licaon-kter

sha1 is invalid, assuming sha

results in the same error

itzzengay avatar Nov 20 '23 12:11 itzzengay

So you've set up auth_scram_hash: sha and reload_config and it still fails with the exact same error message?

Ok, can you unregister, then register again the test user?

licaon-kter avatar Nov 20 '23 12:11 licaon-kter

@prefiks: Can you look here?

Neustradamus avatar Nov 21 '23 14:11 Neustradamus

You will need to change password of users you created (stored password will be using sha512, and they aren't compatible with sha1 authentication), you can use ejabberdctl change_password username your.domain newpassword

prefiks avatar Nov 21 '23 14:11 prefiks

Recreating the user has the same effect :)

licaon-kter avatar Nov 21 '23 15:11 licaon-kter

I have had sha512 work before, and I would like to keep using it. This is a different problem.

For example: using plain authentication does not work, I still get the "Server doesn't support any of the requested SASL mechanisms" error

itzzengay avatar Nov 22 '23 15:11 itzzengay

Maybe we are lost in translation?

    auth_password_format: scram
    auth_scram_hash: sha512

...means there's no PLAIN, no SCRAM-SHA-1, no SCRAM-SHA-256 because you set it up like that

If your testing client can't use only PLAIN, if the caas powering the Compliance page can only use SHA-1, then, as expected, they can't login and will fail.

Now, what are you trying to do?

licaon-kter avatar Nov 22 '23 16:11 licaon-kter
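The mismatch discussed in the comment above can be checked mechanically. The following is an added example, not part of the thread and not code from ejabberd or CaaS: it compares the mechanism list in the quoted error with the `<mechanisms/>` a server advertises. Both feature stanzas are constructed samples (the second follows the reading of the config given in that comment and is not a capture of what ejabberd 23.10 sends), and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"

# Client list copied from the error message quoted in this thread.
CAAS_ERROR = ("Server doesn't support any of the requested SASL mechanisms: "
              "[SCRAM-SHA-1, DIGEST-MD5, GSSAPI, CRAM-MD5, PLAIN, ANONYMOUS].")

# Constructed samples, not captured from plus.st.
FEATURES_PRE_TLS = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
</stream:features>"""
FEATURES_POST_TLS = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>SCRAM-SHA-512-PLUS</mechanism>
    <mechanism>SCRAM-SHA-512</mechanism>
  </mechanisms>
</stream:features>"""


def requested_mechanisms(error_text):
    """Extract the client's mechanism list from the bracketed part of the error."""
    m = re.search(r"\[([^\]]*)\]", error_text)
    return [x.strip() for x in m.group(1).split(",")] if m else []


def offered_mechanisms(features_xml):
    """Return (mechanisms, tls_pending) for one <stream:features/> element."""
    root = ET.fromstring(features_xml)
    mechs = [e.text.strip() for e in root.iter(f"{{{NS_SASL}}}mechanism") if e.text]
    tls_pending = root.find(f"{{{NS_TLS}}}starttls") is not None
    return mechs, tls_pending


def diagnose(features_xml, error_text=CAAS_ERROR):
    """Explain why a client with the given wish list can or cannot authenticate."""
    offered, tls_pending = offered_mechanisms(features_xml)
    if not offered and tls_pending:
        # Before TLS the features carry no mechanism list to compare against.
        return "no mechanisms yet: server expects STARTTLS first"
    wanted = requested_mechanisms(error_text)
    common = [m for m in wanted if m in offered]
    if common:
        return "client would pick from: " + ", ".join(common)
    return "no overlap: server offers %s, client wants %s" % (offered, wanted)
```

Feeding `diagnose` the features element a real client logs after TLS shows whether the failure is an empty intersection or a feature list read before STARTTLS.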

sha512 does work with caas, I have tested ejabberd servers using sha512 and scram before and it works without the error it's giving me now.

I temporarily changed the auth_password_format to plain to see if that would change anything, and it did not.

itzzengay avatar Nov 22 '23 16:11 itzzengay

> I temporarily changed the auth_password_format to plain to see if that would change anything, and it did not.

and restarted server and un-registered the test account, then re-registered the test account?

licaon-kter avatar Nov 22 '23 16:11 licaon-kter

@itzzenxx can you run CaaS locally in debug mode and see the output?

licaon-kter avatar Nov 22 '23 16:11 licaon-kter

How do I run CaaS in debug mode?

itzzengay avatar Nov 22 '23 17:11 itzzengay

java -jar caas-app/target/caas-app.jar --verbose [jid] [password] I guess https://codeberg.org/iNPUTmice/caas

licaon-kter avatar Nov 22 '23 17:11 licaon-kter

```
rocks.xmpp.core.stream.StreamNegotiationException: Server doesn't support any of the requested SASL mechanisms: [SCRAM-SHA-1, DIGEST-MD5, GSSAPI, CRAM-MD5, PLAIN, ANONYMOUS].
	at rocks.xmpp.core.session.AuthenticationManager.startAuthentication(AuthenticationManager.java:114)
	at rocks.xmpp.core.session.XmppClient.login(XmppClient.java:383)
	at rocks.xmpp.core.session.XmppClient.login(XmppClient.java:340)
	at rocks.xmpp.core.session.XmppClient.login(XmppClient.java:312)
	at rocks.xmpp.core.session.XmppClient.login(XmppClient.java:289)
	at im.conversations.compliance.xmpp.TestExecutor.executeTestsFor(TestExecutor.java:54)
	at im.conversations.compliance.CommandLineLauncher.main(CommandLineLauncher.java:76)
```

itzzengay avatar Nov 22 '23 17:11 itzzengay

Can you attach the latest config again?

licaon-kter avatar Nov 22 '23 17:11 licaon-kter

the config for ejabberd is unchanged from my original post

itzzengay avatar Nov 22 '23 17:11 itzzengay

@itzzenxx that one has no PLAIN nor SHA-1

licaon-kter avatar Nov 22 '23 17:11 licaon-kter

I don't want to use PLAIN or SHA-1, I made those temporary modifications to see if that would fix CaaS's error response, but they didn't.

itzzengay avatar Nov 22 '23 18:11 itzzengay

@itzzenxx: Can you publish a ticket here:

  • https://codeberg.org/iNPUTmice/caas

Neustradamus avatar Nov 27 '23 00:11 Neustradamus