On Sun, 22 Nov 2015 03:21:12 +0100
Jan Klemkow <j.klemkow_AT_wemelug.de> wrote:
> Hey,
>
> I implemented STARTTLS. But there is a hard coded hack, that there is
> no certificate verification at the moment. I have to find a way to give
> options through sj to tlsc. But, I think that this is a good way to
> handle this problem.
Wow, you're fast.
> After STARTTLS negotiation sj starts tlsc with its own arguments behind
> the tlsc ones. So tlsc does the tls handshake and starts sj as it was
> stated before.
Ah, so I should let sj call tlsc instead of putting it on the command
line.
> Could you test the new state with your use cases?
Sure. Here's what I did:
1. replace openssl with the archlinux experimental libressl package.
2. build tlsc. I have libressl and libbsd installed. Looks like I don't
have these two functions:
ERR_get_error
ERR_error_string
So, I commented out the error reporting code and proceeded =)
3. build sj. Oops, explicit_bzero doesn't exist... I guess it's an
openbsd/freebsd thing? I replaced the calls with bzero (insecure; oh
well).
4. Run program:
% env | grep SJ
SJ_USER=gnuman
SJ_DIR=/home/matt/.xmpp
SJ_SERVER=dukgo.com
% tcpclient dukgo.com 5222 ./sj
tlsc: tls_error: name `ec2-23-21-227-59.compute-1.amazonaws.com' not present in server certificate
Is it trying to verify the certificate? I don't know how to override
the check. I tend to treat xmpp ssl certificates like ssh host keys -
store them and only worry if there's a mismatch.
Are you developing this from openbsd? explicit_bzero appears to be
fairly new, and FreeBSD only got it as of 11.0.
It might make sense to do tls from within sj itself. Chaining it
through tlsc seems to add complexity, not reduce it. Also, I think
proper XMPP requires a few DNS lookups on SRV records to even know which
server to initiate TCP with.
> Thanks for reporting,
> Jan
You're welcome =)
--
Matt Boswell
Received on Sun Nov 22 2015 - 08:20:51 CET