[#9561] Check remote certificates for XMPP TLS #1147
Conversation
This adds an option `required` argument to the inits of initializers deriving from BaseFeatureInitiatingInitializer, to simplify setup. Additionally it changes the requiredness of two initializers used by XMPPAuthenticator: * Setup of TLS is now required by default. This ensures that if StartTLS is not advertized by the server, initialization fails instead of silently proceeding to authentication without encryption. * Binding a resource is required by default, because without it servers will not allow any further meaningful interaction.
This adds an optional `contextFactory` argument to `XMPPClientFactory` that is passed on to `XMPPAuthenticator`, which in turn passes it to `TLSInitiatingInitializer`.
ralphm
changed the title
| @@ -16,6 +16,14 @@ | |||
| from twisted.words.protocols.jabber.sasl import SASLInitiatingInitializer | |||
| from twisted.words.xish import utility | |||
|
|
|||
| try: | |||
| from twisted.internet import ssl | |||
| except ImportError: | |||
There was a problem hiding this comment.
There are lots of other places which do this conditional import. Can we piggyback on one of them rather than adding bespoke ImportError-handling logic? My concern here is that this type of exception handling is likely to mask cases where there's an actual import-time bug in twisted.internet.ssl and I don't want to have to go looking for 20 instances of this if we ever manage to go in and fix it to only fail on defined import errors (i.e. those where cryptography isn't available).
Worst case, I'd rather literally import it from another test_ module for the time being.
There was a problem hiding this comment.
I suppose this is due to the unconditional import of the OpenSSL module in twisted.internet.ssl and twisted.internet._sslverify. The former module does have a supported attribute, but it seems to (at least now) always be set to True, even though for example twisted.words.protocols.jabber.xmlstream checks for that.
If the OpenSSL module cannot be imported, the whole import fails, wheres I think my tests probably don't even use it.
Can we not make twisted.internet.ssl do this conditional import and have it set supported to False, and SSL to None?
There was a problem hiding this comment.
@glyph I'm not sure if this should be addressed as part of this ticket?
|
FYI I have requested a CVE for this. |
|
Please use CVE-2019-12855 |
|
@ralphm can you include the CVE in the newsfragment? |
|
@alex Done! Thanks for that. |
|
Thank you!
…On Sun, Jun 16, 2019 at 1:15 PM Ralph Meijer ***@***.***> wrote:
@alex <https://github.com/alex> Done! Thanks for that.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1147?email_source=notifications&email_token=AAAAGBHWZPD5Q5NZF6YVJQLP2ZYMPA5CNFSM4HP3CCCKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODXZRJDY#issuecomment-502469775>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAAAGBDSUAXWH6BABGEW7K3P2ZYMPANCNFSM4HP3CCCA>
.
--
All that is necessary for evil to succeed is for good people to do nothing.
|
|
I work on GitHub's security workflows team and am looking into how we can make it easier for maintainers to publicise security vulnerabilities like this one. I'd love your feedback if you have 5 mins? Specifically:
We're trying to make the process easier so if you have any feedback at all please let me know. You can email me on greysteil@github.com if you'd like to discuss anything privately. |
|
Hi Grey, Here's some off the cuff thoughts:
In general I'm super thrilled about GitHub automatically issuing notifications on insecure dependencies. |
|
Really useful feedback - thanks!
Oops! Thought it had been. We'll create fix PRs when it is :-)
Working on it!
Interesting. I'm super keen to reduce our false positive rate - it's a way off but we'd like to be able to do that. |
One thing that would make this kind of thing easier to track is explicit "present in releases" state on issues and PRs. If even people who work at github can't tell whether a PR has made it into a release or not, that says something about the UI for this 😄 . (In fairness, Twisted's processes predate like, neolithic information technology so we don't lean particularly heavily on the Github notion of a release, or use Github issues for tracking in this project; still, if the ability to track what releases an issue was fixed in or a PR was present in, that would be a big motivation to migrate.) |
For projects hosted on github, or even just with an official mirror here, it would be helpful if whatever notification-automation were integrated directly into the Maintainer Security Advisories tab. For example, if Github were to misidentify some element of the state associated with the PR (as you potentially did with the mistake around this being included in a release), we could go in and edit the advisory directly. Based on the workflow I've seen so far, what I think I am asking for more specifically here is "please create a draft maintainer security advisory that we can see and comment on with at least some window before you put us on blast to our entire user base". |
|
Really helpful feedback, thanks @glyph. That's on our list of potential improvements for the next 3 months. |
|
"The earliest tag that includes this PR is X" would be amazing. When I was at Mozilla the Firefox bug tracker had this and it was super handy. You can always figure it out by looking at the merge commit page of course, but highlighting it would be dope. |
|
Agreed - have passed that one on to the PR team |
|
(If this functionality went both ways — "what are all the PRs this tag (release) is the first to include" — that would go a long way to automating the production of changelogs…) |
|
For completeness. Twisted 19.7.0 (2019-07-28) contains this fix. |
|
Thanks for the note, ralph! |
https://twistedmatrix.com/trac/ticket/9561
Replaces #1084.
While setting up XMPP connections, during StartTLS, an unconfigured
CertificationOptionsinstance is passed. These changes properly useoptionsForClientTLSinstead, using the remote server's domain (XmlStream.otherJID, taken from the JID the client is connecting with) to verify the remote certificate using the platform trust root and that domain.Additionally, you can now pass custom certificate options to modify this new default, e.g. for using client certificates with SASL External.