topic Shared Endpoint Lab mechanism-too-weak Error in DevNet Sandbox

Shared Endpoint Lab mechanism-too-weak Error

van_staub — Tue, 04 Jun 2019 09:15:47 GMT

I've used a few samples with the shared endpoint lab with the same resulting error on the web console:

Exception during connection: <error><mechanism-too-weak xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/></error>

My config settings are basic and follow everything I've read elsewhere in this forum and Cisco doc.

var demoConfig = {

domain: "psdtemea.cisco.com", //the domain specified for your CUP server

httpBindingURL: "http://cup.psdtemea.cisco.com:7335/httpbinding", //the BOSH url for your server

//httpBindingURL: "https://im1.ciscowebex.com/http-bind",

unsecureAllowed: true

};

The VPN is connected and my host files contains the IP (10.10.20.20) I received in the email after reserving the lab.

I debugged the exception back to jabberwerx._handleAuthOpened(feats). From what I can tell, this may be due to the response I'm getting back from the CUP server.

POST to CUP

Response from CUP

I believe I should be getting the XML node (or similar) as part of the response:

<stream:features xmlns='jabber:client'><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>WEBEX-TOKEN</mechanism><mechanism>PLAIN</mechanism></mechanisms></stream:features>

Since it's missing, an exception gets thrown. So why would this occur? During the reservation process, I did run the command to add the SDK for Web. I should also mention that the email I received after reserving is similar in format to the one seen in this post Can't authorize using devsandbox and sampleclient.html. The username is blank similar to the post. The result of that post was seemingly a failed setup. Is this issue a similar failure?

Re: Shared Endpoint Lab mechanism-too-weak Error

amoherek — Thu, 25 Sep 2014 19:31:04 GMT

Hi Van,

This means the authentication mechanisms supported by the client and those reported by the server do not match. Since it is recommended to use an HTTPS binding URL. can you try using HTTPS and setting unsecureAllowed to false?

Thanks,

Adrienne

Re: Shared Endpoint Lab mechanism-too-weak Error

amoherek — Thu, 25 Sep 2014 19:44:18 GMT

Hi Van,

I spoke too soon before verifying. I don't think the Sandbox is setup for secure.

Thanks,

Adrienne

Re: Shared Endpoint Lab mechanism-too-weak Error

van_staub — Thu, 25 Sep 2014 19:46:51 GMT

Adrienne, yes that is certainly doable in my code. What is the SSL port? The HTTP port is 7335 given the URL http://cup.psdtemea.cisco.com:7335/httpbinding. The implicit 443 port does not work, for example, https://cup.psdtemea.cisco.com/httpbinding.

Re: Shared Endpoint Lab mechanism-too-weak Error

npetrele — Thu, 25 Sep 2014 20:14:02 GMT

There may be a problem with the cup server or pub-local server configuration. My demo programs which used to work fine no longer work. I get an authentication error. We'll look into it.

Re: Shared Endpoint Lab mechanism-too-weak Error

npetrele — Thu, 25 Sep 2014 21:00:52 GMT

Give it another try. I changed a configuration setting on the server and my demo programs work again.

Re: Shared Endpoint Lab mechanism-too-weak Error

van_staub — Fri, 26 Sep 2014 16:51:34 GMT

Re-tested. The behavior is better, but still getting an error. This was tested with the jabberUIDemo.html and CAXL-debug-2014.04.10787/doc/examples/sampleclient.html.

POST request:

<body xmlns="http://jabber.org/protocol/httpbind" xml:lang="en-US" xmlns:xmpp="urn:xmpp:xbosh" hold="1" ver="1.9" to="psdtemea.cisco.com" wait="30" xmpp:version="1.0" from="van_staub@psdtemea.cisco.com" rid="985027942"/>

POST response:

<body authid='839F3E897' inactivity='60' polling='5' requests='2' secure='true' sid='839F3E897' ver='1.8' wait='30' xmlns='http://jabber.org/protocol/httpbind' xmlns:stream='http://etherx.jabber.org/streams'><stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism><mechanism>CISCO-VTG-TOKEN</mechanism><hostname xmlns='urn:xmpp:domain-based-name:0'>cup.psdtemea.cisco.com</hostname></mechanisms></stream:features></body>

POST request:

<body xmlns="http://jabber.org/protocol/httpbind" sid="A7F05FE5F" rid="2762108986"><auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN">AHZhbl9zdGF1YgBjaXNjbzEyMzQ=</auth></body>

POST response:

What I find interesting about this is the Base64 value: AHZhbl9zdGF1YgBjaXNjbzEyMzQ=

If you decode that, it's van_staubcisco1234. Normally in a basic auth header you'd delimit with a colon. But this is all handled in the SDK, which I've not modified. What's the format of your auth value?

Re: Shared Endpoint Lab mechanism-too-weak Error

npetrele — Mon, 29 Sep 2014 16:43:04 GMT

Yes, I've seen this problem with the Jabber UI code before. I don't have an answer for it, and I haven't gotten an answer from the Jabber UI developers. I don't recommend the Jabber UI approach anyway, but that's just my personal preference. It's easier and more reliable to do the authentication yourself. Give my demo app (attached) a try, and view the code there. jQuery UI is easier to customize (and prettier, IMO).

Re: Shared Endpoint Lab mechanism-too-weak Error

van_staub — Mon, 29 Sep 2014 18:55:07 GMT

Thanks, Nicholas. Same error with your code. Presumably, the reservation isn't adding my account ID to the CUP server. This seems to be the same issue that happened with Re: A question about using Jabber API on a sandbox server. Using your code, I can authenticate with the name:password pair listed in that forum thread.

The delimiter theory I had is incorrect, since I can see the same behavior with the working user ID. I guess you don't need a delimiter if you also know the username. You can then compute the password starting point of the base64 decoded string using the number of chars in the username.

Re: Shared Endpoint Lab mechanism-too-weak Error

npetrele — Tue, 30 Sep 2014 20:14:59 GMT

Yes, I've seen that problem before (the reservation not creating the user correctly). I'll have a look at it and fix it if I can. I assume your username is van_staub, right?

Re: Shared Endpoint Lab mechanism-too-weak Error

npetrele — Tue, 30 Sep 2014 20:21:39 GMT

Ok, I deleted and recreated your account. Same password (I assume it was cisco1234, the standard password). I logged in with my sample code, and it worked for me.