Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSL/TLS certificate verification #44

Closed
ioerror opened this issue Feb 5, 2014 · 5 comments
Closed

SSL/TLS certificate verification #44

ioerror opened this issue Feb 5, 2014 · 5 comments

Comments

@ioerror
Copy link
Contributor

ioerror commented Feb 5, 2014

It appears that as an example, Pidgin will complain when connecting to jabber.ccc.de or jabber.calyxinstitute.org - their respective .onion is not a proper SAN for either service.

Is this a reasonable thing to do? Should we assume that the name that matters is the name included in the user ID and that the .onion doesn't matter at all?

How are we feeling about SSL/TLS cert verification in xmpp-client generally? What improvements might be useful?
@agl
Copy link
Owner

agl commented Feb 8, 2014

When connecting for foo@example.com, the name that must be matched is "example.com" as that's the only string entered by the user. The DNS SRV records might direct to some other server name, but DNS isn't secure so we can't depend on that.

I believe that xmpp-client gets it right in this case. The certificate match is always done against the domain part of the user id and the server only matters for transport. (Pidgin does it differently and generates a constant series of certificate warnings :( )

For .onion addresses, of course, the certificate verification is fairly superfluous. Otherwise, I think the verification is ok. There's no revocation checking, which could be implemented, although that doesn't gain you much when considering the spread of attack scenarios.

@csoghoian
Copy link

I'm now getting a cert error when connecting to the CCC jabber server (but not with riseup):

"Failed to connect to XMPP server: x509: certificate signed by unknown authority"

@schulze
Copy link

schulze commented Apr 4, 2014

I would guess that this is because the CCC (and the CCC jabber server) are using CACert certificates and you don't have their root certificates: http://web.jabber.ccc.de/?page_id=44

Another "solution" is to add the line

"ServerCertificateSHA256": "630FF62F262E2ED3524E031F391B7296FD099ECA1064768874C449526F94A541"

to your .xmpp-client configuration file to sidestep verifivation using the CACert certificates.

@agl
Copy link
Owner

agl commented Apr 7, 2014

Chris: perhaps because Debian is pulling CACert from its root set? https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=718434#129 Perhaps you got an updated package.

@agl
Copy link
Owner

agl commented Nov 8, 2014

I don't think that there's any action pending on this bug. Golang verifies against the system certificate set and, if that doesn't include CACert, then there will be an error for servers that use CACert, as expected.

If this is affecting people and CACert is a real problem then I could be persuaded to skip TLS verification when connecting to a .onion, or else to hack CACert into xmpp-client. But, for the moment, the level of user pain is unclear.

@agl agl closed this as completed Nov 8, 2014
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@agl @ioerror @schulze @csoghoian