On Sun, 22 Nov 2015 03:21:12 +0100
Jan Klemkow <j.klemkow_AT_wemelug.de> wrote:
> Hey,
>
> I implemented STARTTLS. But there is a hard-coded hack: there is no
> certificate verification at the moment. I have to find a way to give
> options through sj to tlsc. But I think that this is a good way to
> handle this problem.
Wow, you're fast.
> After STARTTLS negotiation sj starts tlsc with its own arguments behind
> the tlsc ones. So tlsc does the tls handshake and starts sj as it was
> stated before.
Ah, so I should let sj call tlsc instead of putting it on the command
line.
> Could you test the new state with your use cases?
Sure. Here's what I did:
1. replace openssl with the archlinux experimental libressl package.
2. build tlsc. I have libressl and libbsd installed. Looks like I don't
have these two functions:
ERR_get_error
ERR_error_string
So, I commented out the error reporting code and proceeded =)
3. build sj. Oops, explicit_bzero doesn't exist... I guess it's an
openbsd/freebsd thing? I replaced the calls with bzero (insecure; oh
well).
4. Run program:
% env | grep SJ
SJ_USER=gnuman
SJ_DIR=/home/matt/.xmpp
SJ_SERVER=dukgo.com
% tcpclient dukgo.com 5222 ./sj
tlsc: tls_error: name `ec2-23-21-227-59.compute-1.amazonaws.com' not present in server certificate
Is it trying to verify the certificate? I don't know how to override
the check. I tend to treat xmpp ssl certificates like ssh host keys -
store them and only worry if there's a mismatch.
Are you developing this from openbsd? explicit_bzero appears to be
fairly new, and FreeMacOS™ only got it as of 11.0.
It might make sense to do tls from within sj itself. Chaining it
through tlsc seems to add simplicity, not reduce it. Also, I think
proper XMPP requires a few DNS lookups on SRV records to even know which
server to initiate TCP with.
> Thanks for reporting,
> Jan
You're welcome =)
--
Matt Boswell
Received on Sun Nov 22 2015 - 08:20:51 CET
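Step 3 above swaps explicit_bzero() for bzero(), which is the classic case where the compiler may drop the wipe entirely: the buffer is dead after the call, so a plain memset/bzero of it is a removable store. The following is an added example, not code from sj or tlsc, showing the two usual ways to keep the zeroing from being optimized out on systems that lack explicit_bzero(); the function name sj_explicit_bzero and the sample password are assumptions made here.

```c
/* Added example: a drop-in for explicit_bzero() on libc's without it.
 * sj_explicit_bzero is a hypothetical name, not an sj function. */
#include <stddef.h>
#include <string.h>

#if defined(__GNUC__) || defined(__clang__)
void sj_explicit_bzero(void *p, size_t n)
{
    memset(p, 0, n);
    /* An empty asm with a "memory" clobber tells the compiler that memory
     * may be read here, so the stores above are not dead and must stay. */
    __asm__ __volatile__("" : : "r"(p) : "memory");
}
#else
/* Portable fallback: a call through a volatile function pointer cannot be
 * resolved at compile time, so the compiler cannot prove the stores dead. */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;
void sj_explicit_bzero(void *p, size_t n)
{
    memset_ptr(p, 0, n);
}
#endif

/* Returns 1 if all n bytes at p are zero, 0 otherwise. Constant-time over
 * the buffer, so it does not short-circuit on the first non-zero byte. */
int buf_is_zero(const void *p, size_t n)
{
    const unsigned char *b = p;
    unsigned char acc = 0;
    size_t i;

    for (i = 0; i < n; i++)
        acc |= b[i];
    return acc == 0;
}

/* Typical use: a password copied into a stack buffer, handed to the auth
 * step, then wiped before the function returns. Returns 1 if the wipe
 * left nothing behind in the buffer. */
int wipe_password_demo(void)
{
    char pw[64];

    strcpy(pw, "constructed-sample-password");  /* constructed value */
    /* ... pw would be passed to the SASL/auth exchange here ... */
    sj_explicit_bzero(pw, sizeof pw);
    return buf_is_zero(pw, sizeof pw);
}

int main(void)
{
    return wipe_password_demo() ? 0 : 1;
}
```

glibc only gained explicit_bzero() in 2.25, so a small portability shim like this is the usual way to keep the secure-wipe semantics on older Linux builds rather than falling back to bzero().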
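On the "treat xmpp ssl certificates like ssh host keys" idea: with libtls (which tlsc builds on) the chain and name checks can be turned off with tls_config_insecure_noverifycert() and tls_config_insecure_noverifyname(), after which tls_peer_cert_hash() still returns the peer certificate's fingerprint as a "SHA256:<hex>" string, which is what a trust-on-first-use store would key on. The code below is an added example of such a store, not part of sj or tlsc; the store file layout (one "host fingerprint" line per host), the function names and the sample fingerprints are all constructed here.

```c
/* Added example: trust-on-first-use store for server cert fingerprints.
 * Assumes fingerprints in the "SHA256:<64 hex digits>" form that libtls's
 * tls_peer_cert_hash() returns. Not code from sj or tlsc. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum tofu_result { TOFU_ERROR = -1, TOFU_MATCH = 0, TOFU_NEW = 1, TOFU_MISMATCH = 2 };

/* Constructed sample fingerprints, not real certificate hashes. */
#define FP_A "SHA256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
#define FP_B "SHA256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"

/* Reject anything that is not exactly "SHA256:" plus 64 hex digits, so a
 * malformed value never gets written into the store. */
static int fp_is_sane(const char *fp)
{
    const char *p;

    if (strncmp(fp, "SHA256:", 7) != 0)
        return 0;
    p = fp + 7;
    if (strlen(p) != 64)
        return 0;
    for (; *p != '\0'; p++)
        if (!isxdigit((unsigned char)*p))
            return 0;
    return 1;
}

/* Find host in the store. Returns 1 and copies its fingerprint into out,
 * 0 if the host is unknown (or the store does not exist yet), -1 on error. */
static int tofu_lookup(const char *path, const char *host, char *out, size_t outlen)
{
    FILE *f = fopen(path, "r");
    char line[512];

    if (f == NULL)
        return 0;
    while (fgets(line, sizeof line, f) != NULL) {
        char *sp, *nl = strchr(line, '\n');
        if (nl != NULL)
            *nl = '\0';
        sp = strchr(line, ' ');
        if (sp == NULL)
            continue;
        *sp = '\0';
        if (strcmp(line, host) == 0) {
            int ok = strlen(sp + 1) < outlen;
            if (ok)
                strcpy(out, sp + 1);
            fclose(f);
            return ok ? 1 : -1;
        }
    }
    fclose(f);
    return 0;
}

/* Append a new "host fingerprint" line. */
static int tofu_store(const char *path, const char *host, const char *fp)
{
    FILE *f = fopen(path, "a");

    if (f == NULL)
        return -1;
    if (fprintf(f, "%s %s\n", host, fp) < 0) {
        fclose(f);
        return -1;
    }
    return fclose(f) == 0 ? 0 : -1;
}

/* The ssh-host-key policy: first sight is stored, later sights must match,
 * and a changed fingerprint is reported so the caller can refuse to connect. */
enum tofu_result tofu_check(const char *path, const char *host, const char *seen_fp)
{
    char known[128];
    int r;

    if (!fp_is_sane(seen_fp) || strchr(host, ' ') != NULL || strchr(host, '\n') != NULL)
        return TOFU_ERROR;
    r = tofu_lookup(path, host, known, sizeof known);
    if (r < 0)
        return TOFU_ERROR;
    if (r == 0)
        return tofu_store(path, host, seen_fp) == 0 ? TOFU_NEW : TOFU_ERROR;
    return strcmp(known, seen_fp) == 0 ? TOFU_MATCH : TOFU_MISMATCH;
}

/* Remove the store file if present (used to start a demo from a clean state). */
int tofu_reset(const char *path)
{
    FILE *f = fopen(path, "r");

    if (f == NULL)
        return 0;
    fclose(f);
    return remove(path);
}

int main(void)
{
    const char *store = "tofu_example_store.txt";

    tofu_reset(store);
    printf("first sight: %d\n", tofu_check(store, "dukgo.com", FP_A));   /* 1: TOFU_NEW */
    printf("same cert:   %d\n", tofu_check(store, "dukgo.com", FP_A));   /* 0: TOFU_MATCH */
    printf("changed:     %d\n", tofu_check(store, "dukgo.com", FP_B));   /* 2: TOFU_MISMATCH */
    return tofu_reset(store);
}
```

The important property for a defender is that TOFU_MISMATCH must abort the connection rather than merely warn, and that the store is only written on a genuinely first sight; the format check keeps a garbled value from being pinned as if it were a fingerprint.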