Re: [dev] sj: ucspi

From: Jan Klemkow <j.klemkow_AT_wemelug.de>
Date: Sun, 22 Nov 2015 03:21:12 +0100

Hey,

I implemented STARTTLS. But there is a hard-coded hack: there is
no certificate verification at the moment. I have to find a way to give
options through sj to tlsc. But I think that this is a good way to
handle this problem.

After STARTTLS negotiation, sj starts tlsc with its own arguments behind
the tlsc ones. So tlsc does the TLS handshake and starts sj as it was
stated before.

Could you test the new state with your use cases?

Thanks for reporting,
Jan

On Fri, Nov 20, 2015 at 10:28:08AM +0100, Jan Klemkow wrote:
> Hi,
>
> Thanks for testing my jabber client and sorry for its inconvenience.
>
> Yes, STARTTLS is not implemented at the moment. I use jabber.ccc.de for
> testing, because they use port 5223 for TLS, which is not recommended. I
> will implement STARTTLS in the near future, stay tuned.
>
> sslc(1) is the legacy version that just needs the OpenSSL library. But
> it doesn't do any cert checks. tlsc(1) is the recommended version, which
> uses LibTLS from LibreSSL. But have a look at the version number; I
> made patches for LibreSSL a few months ago which are necessary for
> tlsc(1).
>
> Greg: I saw your patch at hackers_AT_, I will have a look at it this
> weekend. Thanks!
>
> bye,
> Jan
>
> On Thu, Nov 19, 2015 at 07:02:02PM -0500, Matthew of Boswell wrote:
> > On Thu, 19 Nov 2015 15:14:06 -0500
> > Greg Reagle <greg.reagle_AT_umbc.edu> wrote:
> >
> > > On 11/19/2015 03:11 PM, Matthew of Boswell wrote:
> > > > Note, however, that it did not work with sj. I think the reason is that
> > > > xmpp port 5222 is a STARTTLS port, not a straight SSL port.
> > >
> > > Maybe that's why the example in the man page of sj uses port 5223,
> > > expecting that to be a straight SSL port.
> > >
> >
> > Ah, the man page. I forgot to check that... I guess I assumed that if
> > README.md was out of date, the manpage would be as well. Let me know if
> > you can get it working. My xmpp server (dukgo.com) doesn't have port
> > 5223 open.
> >
> > I guess tlsc wouldn't be able to work on 5222, since STARTTLS is an
> > application-level negotiation. Maybe best to do the tls inside sj?
> >
> > --
> > Matt Boswell
> >
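
As an added example (Python, not code from sj or tlsc), this is the exchange the thread is about: the client reads the server's <stream:features>, checks whether STARTTLS is offered (and whether it is required), sends <starttls/>, waits for <proceed/>, and only then starts TLS with a context that verifies both the certificate chain and the server name, which is exactly the check the hard-coded hack above skips. Where sj hands the connection to tlsc for the handshake, this example wraps the socket in-process instead. The server side, the domain example.net and the stream id are constructed for an offline run.

```python
import re
import socket
import ssl
import threading

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"

# The <starttls/> feature, either empty or carrying a <required/> child.
STARTTLS_RE = re.compile(
    r"<starttls\s+xmlns=['\"]" + re.escape(TLS_NS)
    + r"['\"]\s*(?:/>|>(.*?)</starttls>)", re.S)
PROCEED_RE = re.compile(r"<proceed\s+xmlns=['\"]" + re.escape(TLS_NS))


def stream_header(domain):
    """Client's opening stream header (RFC 6120, section 4.7)."""
    return ("<?xml version='1.0'?><stream:stream to='%s' version='1.0' "
            "xmlns='jabber:client' xmlns:stream='%s'>" % (domain, STREAM_NS))


def starttls_offer(features_xml):
    """Return (offered, required) for a <stream:features> blob."""
    m = STARTTLS_RE.search(features_xml)
    if m is None:
        return (False, False)
    return (True, "<required/>" in (m.group(1) or ""))


def _read_until(sock, marker, limit=65536):
    """Collect bytes until `marker` is seen; refuse unbounded growth."""
    buf = b""
    while marker not in buf:
        chunk = sock.recv(4096)
        if not chunk or len(buf) > limit:
            raise ConnectionError("stream ended before %r" % marker)
        buf += chunk
    return buf.decode("utf-8")


def negotiate_starttls(sock, domain):
    """Plaintext half of STARTTLS: 'proceed', 'not-offered' or 'failure'.

    The handshake itself only begins after 'proceed' (see upgrade()); that
    is the point at which sj hands the connection to tlsc."""
    sock.sendall(stream_header(domain).encode())
    features = _read_until(sock, b"</stream:features>")
    offered, _required = starttls_offer(features)
    if not offered:
        return "not-offered"
    sock.sendall(("<starttls xmlns='%s'/>" % TLS_NS).encode())
    reply = _read_until(sock, b"/>")
    return "proceed" if PROCEED_RE.search(reply) else "failure"


def verifying_context(cafile=None):
    """TLS client context that verifies the chain and the server name.

    Leaving this out (the hard-coded hack in the mail) lets an active
    attacker present any certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def upgrade(sock, domain, ctx=None):
    """Start TLS on the raw socket after <proceed/>, pinning the expected name."""
    ctx = ctx or verifying_context()
    return ctx.wrap_socket(sock, server_hostname=domain)


def fake_server(sock, offer_starttls=True):
    """Constructed peer for offline testing: answers header and <starttls/>."""
    _read_until(sock, b"<stream:stream")
    header = ("<stream:stream xmlns='jabber:client' xmlns:stream='%s' "
              "version='1.0' id='test-stream'>" % STREAM_NS)  # constructed id
    if offer_starttls:
        features = ("<stream:features><starttls xmlns='%s'><required/>"
                    "</starttls></stream:features>" % TLS_NS)
    else:
        features = "<stream:features></stream:features>"
    sock.sendall((header + features).encode())
    if offer_starttls:
        _read_until(sock, b"<starttls")
        sock.sendall(("<proceed xmlns='%s'/>" % TLS_NS).encode())


def run_exchange(offer_starttls=True, domain="example.net"):
    """Drive the client and the constructed server over a socketpair."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_server, args=(server, offer_starttls))
    t.start()
    try:
        return negotiate_starttls(client, domain)
    finally:
        client.close()
        t.join()
        server.close()


if __name__ == "__main__":
    print(run_exchange(True))   # proceed
    print(run_exchange(False))  # not-offered
```

The only state that crosses the plaintext/TLS boundary is the raw socket, which is why the exec-chain in the mail (sj to tlsc and back to sj) works: after <proceed/> the descriptor carries no application data until the handshake is done, so whichever process performs the handshake must also be the one that decides whether the certificate is checked.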
Received on Sun Nov 22 2015 - 03:21:12 CET