Re: [dev] sj: ucspi

From: Jan Klemkow <j.klemkow_AT_wemelug.de>
Date: Sun, 22 Nov 2015 15:32:35 +0100

On Sun, Nov 22, 2015 at 02:20:51AM -0500, Matthew of Boswell wrote:
> On Sun, 22 Nov 2015 03:21:12 +0100
> Jan Klemkow <j.klemkow_AT_wemelug.de> wrote:
> > I implemented STARTTLS. But there is a hard coded hack, that there is
> > no certificate verification at the moment. I have to find a way to give
> > options through sj to tlsc. But, I think that this is a good way to
> > handle this problem.
> > Could you test the new state with your use cases?
>
> Sure. Here's what I did:
>
> 1. replace openssl with the archlinux experimental libressl package.
>
> 2. build tlsc. I have libressl and libbsd installed. Looks like I don't
> have these two functions:
> ERR_get_error
> ERR_error_string
>
> So, I commented out the error reporting code and proceeded =)
>
> 3. build sj. Oops, explicit_bzero doesn't exist... I guess it's an
> openbsd/freebsd thing? I replaced the calls with bzero (insecure; oh
> well).

I thought it was part of libbsd. I'll turn it into an optional feature.

> 4. Run program:
> % env | grep SJ
> SJ_USER=gnuman
> SJ_DIR=/home/matt/.xmpp
> SJ_SERVER=dukgo.com
> % tcpclient dukgo.com 5222 ./sj
> tlsc: tls_error: name `ec2-23-21-227-59.compute-1.amazonaws.com' not present in server certificate
>
> Is it trying to verify the certificate? I don't know how to override
> the check. I tend to treat xmpp ssl certificates like ssh host keys -
> store them and only worry if there's a mismatch.

Yes. It doesn't check the cert chain, but the hostname. It looks like
the hostname doesn't match. You can turn it off with the -H option
of tlsc. Certificate fingerprint check should be implemented in tlsc to
do this. It's already on my TODO list ;-)

> Are you developing this from openbsd? explicit_bzero appears to be
> fairly new, and FreeBSD only got it as of 11.0.

Yes, I work with OpenBSD.

> It might make sense to do tls from within sj itself. Chaining it
> through tlsc seems to add complexity, not reduce it. Also, I think
> proper XMPP requires a few DNS lookups on SRV records to even know which
> server to initiate TCP with.

It is part of the core design to split up TLS handling and XMPP handling
into separate tools. I think configuring tlsc with environment
variables besides command line options is the proper way to handle this
problem. I'll try to make some changes in tlsc.

The check of the SRV records is a missing feature, too. I don't have a
plan how to deal with it at the moment.

Thanks,
Jan

Received on Sun Nov 22 2015 - 15:32:35 CET
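
The "store them and only worry if there's a mismatch" fingerprint check discussed in this thread, as an added example that is not part of the original mail and not code from sj or tlsc. The store format (one "host fingerprint" pair per line) and the names pin_check and enum pin_result are assumptions; the fingerprint string is whatever the TLS layer reports for the peer certificate.

```c
/* Added example: trust-on-first-use pin store for certificate fingerprints.
 * Assumed store format: one "host fingerprint" pair per line. */
#include <stdio.h>
#include <string.h>

enum pin_result { PIN_ERROR = -1, PIN_MATCH, PIN_NEW, PIN_MISMATCH };

/* A field must be non-empty, short, and free of whitespace to round-trip. */
static int
valid_field(const char *s)
{
	size_t n = strlen(s);
	return n > 0 && n < 256 && strpbrk(s, " \t\r\n") == NULL;
}

/* Compare fp with the fingerprint pinned for host in the store at path.
 * Unknown hosts are appended (PIN_NEW). A mismatch never rewrites the pin:
 * the caller drops the connection. host is compared byte for byte. */
enum pin_result
pin_check(const char *path, const char *host, const char *fp)
{
	char line[600], h[256], f[256];
	FILE *fh;
	if (!valid_field(host) || !valid_field(fp) ||
	    (fh = fopen(path, "a+")) == NULL)
		return PIN_ERROR;
	rewind(fh);	/* "a+" appends on write; start reading at the top */
	while (fgets(line, sizeof line, fh) != NULL) {
		if (sscanf(line, "%255s %255s", h, f) != 2 || strcmp(h, host) != 0)
			continue;	/* malformed line or a different host */
		fclose(fh);
		return strcmp(f, fp) == 0 ? PIN_MATCH : PIN_MISMATCH;
	}
	/* First contact. A read error must not be mistaken for "unknown". */
	if (ferror(fh) || fseek(fh, 0, SEEK_END) != 0 ||
	    fprintf(fh, "%s %s\n", host, fp) < 0) {
		fclose(fh);
		return PIN_ERROR;
	}
	return fclose(fh) == 0 ? PIN_NEW : PIN_ERROR;
}

/* usage: prog store host fingerprint; exit 0 only for a match or a new pin */
int
main(int argc, char **argv)
{
	enum pin_result r = argc == 4 ? pin_check(argv[1], argv[2], argv[3]) : PIN_ERROR;
	return (r == PIN_MATCH || r == PIN_NEW) ? 0 : 1;
}
```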
