Re: [dev] sj: ucspi

From: Matthew of Boswell <>
Date: Sun, 22 Nov 2015 02:20:51 -0500

On Sun, 22 Nov 2015 03:21:12 +0100
Jan Klemkow <> wrote:

> Hey,
> I implemented STARTTLS. But there is a hard coded hack, that there is
> no certificate verification at the moment. I have to find a way to give
> options through sj to tlsc. But, I think that this is a good way to
> handle this problem.

Wow, you're fast.

> After STARTTLS negotiation sj starts tlsc with its own arguments behind
> the tlsc ones. So tlsc does the tls handshake and starts sj as it was
> stated before.

Ah, so I should let sj call tlsc instead of putting it on the command

> Could you test the new state with your use cases?

Sure. Here's what I did:

1. replace openssl with the archlinux experimental libressl package.

2. build tlsc. I have libressl and libbsd installed. Looks like I don't
have these two functions:

So, I commented out the error reporting code and proceeded =)

3. build sj. Oops, explicit_bzero doesn't exist... I guess it's an
openbsd/freebsd thing? I replaced the calls with bzero (insecure; oh

4. Run program:
% env | grep SJ
% tcpclient 5222 ./sj
tlsc: tls_error: name `' not present in server certificate

Is it trying to verify the certificate? I don't know how to override
the check. I tend to treat xmpp ssl certificates like ssh host keys -
store them and only worry if there's a mismatch.

Are you developing this from openbsd? explicit_bzero appears to be
fairly new, and FreeBSD only got it as of 11.0.

It might make sense to do tls from within sj itself. Chaining it
through tlsc seems to add complexity, not reduce it. Also, I think
proper XMPP requires a few DNS lookups on SRV records to even know which
server to initiate TCP with.

> Thanks for reporting,
> Jan

You're welcome =)

Matt Boswell
Received on Sun Nov 22 2015 - 08:20:51 CET

This archive was generated by hypermail 2.3.0 : Sun Nov 22 2015 - 08:24:09 CET