OF-477: For DIGEST-MD5, use domain rather than host name.

Judging from most current implementations (Smack, Conversations,
Gajim), most clients will use the domain name rather than the
fully qualified host name when constructing the DIGEST-MD5
digest-uri. Although this isn't conforming to RFC2831, interop
is of more value than 'doing the right thing'.

This commit makes SASL use the domain name when the mechanism
in play is DIGEST-MD5, and will use the host name for other
mechanisms.
parent f8c934dd
......@@ -262,16 +262,20 @@ public class SASLAuthentication {
throw new SaslFailureException( Failure.INVALID_MECHANISM, "The configuration of Openfire does not contain or allow the mechanism." );
}
// OF-477: The SASL implementation requires the fully qualified host name (not the domain name!) of this server.
// OF-477: The SASL implementation requires the fully qualified host name (not the domain name!) of this server,
// yet, most of the XMPP implemenations of DIGEST-MD5 will actually use the domain name. To account for that,
// here, we'll use the host name, unless DIGEST-MD5 is being negotiated!
final String fqhn = JiveGlobals.getProperty( "xmpp.fqdn", XMPPServer.getInstance().getServerInfo().getHostname() );
final String fqdn = XMPPServer.getInstance().getServerInfo().getXMPPDomain();
final String serverName = ( mechanismName.equals( "DIGEST-MD5" ) ? fqdn : fqhn );
// Construct the configuration properties
final Map<String, Object> props = new HashMap<>();
props.put( LocalSession.class.getCanonicalName(), session );
props.put( Sasl.POLICY_NOANONYMOUS, Boolean.toString( !JiveGlobals.getBooleanProperty( "xmpp.auth.anonymous" ) ) );
props.put( "com.sun.security.sasl.digest.realm", XMPPServer.getInstance().getServerInfo().getXMPPDomain() );
props.put( "com.sun.security.sasl.digest.realm", fqdn );
SaslServer saslServer = Sasl.createSaslServer( mechanismName, "xmpp", fqhn, props, new XMPPCallbackHandler() );
SaslServer saslServer = Sasl.createSaslServer( mechanismName, "xmpp", serverName, props, new XMPPCallbackHandler() );
if ( saslServer == null )
{
throw new SaslFailureException( Failure.INVALID_MECHANISM, "There is no provider that can provide a SASL server for the desired mechanism and properties." );
......
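Review bot: the ternary at `final String serverName = ( mechanismName.equals( "DIGEST-MD5" ) ? fqdn : fqhn );` inverts the interop failure rather than removing it: the commit message says the server name passed to `Sasl.createSaslServer` is what the client's digest-uri is matched against, so a client that follows RFC 2831 and sends the fully qualified host name will now fail DIGEST-MD5 wherever `xmpp.fqdn` differs from the XMPP domain. Consider making the choice configurable (a property next to `xmpp.fqdn`) or at least logging at debug level which name was chosen, so an authentication failure can be traced back to this decision instead of looking like a bad password. Minor: the new comment misspells "implemenations", and since `props.put( "com.sun.security.sasl.digest.realm", fqdn );` now uses the same variable as the DIGEST-MD5 server name, one sentence in the comment explaining that realm and server name deliberately coincide for that mechanism would save the next reader a trip to the RFC.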