Projects tigase _server server-core Issues #1110
Disabling TLS in VHost configuration doesn't work (#1110)
Closed
wojciech.kapcia@tigase.net opened 5 years ago

Steps to reproduce:

  • disable TLS required option in VHost options

Afterwards it's still announced:

<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls">
    <required/>
</starttls>
Andrzej Wójcik (Tigase) commented 5 years ago

@wojtek Is hardened mode enabled? If so, then it may "require" that on the instance level and it would make impossible to disable that requirement on VHost level as instance settings are "more important" than vhost settings.

wojciech.kapcia@tigase.net commented 5 years ago

It doesn't seem like that: setting HardenedMode to relaxed (globally and in VHost) and setting tls-required to OFF still results in it being required:

<?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='atlantiscity' id='e1eeae4c-3b24-473a-9030-1246e5a05f06' version='1.0' xml:lang='en'>

<stream:features>
<sm xmlns="urn:xmpp:sm:3"/>
<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>
<register xmlns="http://jabber.org/features/iq-register"/>
<ver xmlns="urn:xmpp:features:rosterver"/>
<sub xmlns="urn:xmpp:features:pre-approval"/>
<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls">
<required/>
</starttls>
<compression xmlns="http://jabber.org/features/compress">
<method>zlib</method>
</compression>
</stream:features>

It seems that the only way to disable it is to use this configuration:

'vhost-tls-required' = false
Andrzej Wójcik (Tigase) commented 5 years ago

You are right, I suppose that we decided in 8.0.0/8.1.0 to use only TLS encrypted connections by default so that works OK.

wojciech.kapcia@tigase.net commented 5 years ago

There was such discussion, but still there is an option in VHost which allows disabling it so it should be respected… or we should remove that option from VHost configuration. Though it seems better to have it configurable on per VHost basis instead of leaving only global option to completely disable TLS.

Andrzej Wójcik (Tigase) commented 5 years ago

Global option will NOT disable TLS but will allow you to disable TLS on per vhost basis.

wojciech.kapcia@tigase.net commented 5 years ago

This seems quite counter-intuitive... it the global option merely serves as "permission to disable it on per-vhost basis" then it should be named accordingly, though this should be handled by adequate HardenedMode level (only allow on relaxed for example).

Andrzej Wójcik (Tigase) commented 5 years ago

I will not discuss whether the naming of property vhost-tls-required is correct or not. Initially, it was introduced to force encryption by setting it to true, then it's default value was switched to true and it needs to be set to false to disable this requirement.

I've modified VHostItem support for ad-hoc to make it impossible to change TLS required state on vhost level if the requirement mentioned above is enabled. At the same time, I've added a note (as a replacement for TLS required checkbox) stating that TLS requirement is enabled for installation and how it can be disabled. I think that this is a good approach as it explains everything for the end-user.

Note: vhost-tls-required is one of the settings which should be removed in the future. Right now they are placed in VHostItemDefaults and in the end this class should be removed and we should only use VHost named default as a source of a default configuration. Currently, that class has some leftovers required for moving config from the config file to the database.

wojciech.kapcia@tigase.net commented 5 years ago

Very good solution!

issue 1 of 1
Type
Bug
Priority
Normal
Assignee
Version
tigase-server-8.1.0, tigase-server-8.0.1
Spent time
2h
Issue Votes (0)
Watchers (0)
Reference
tigase/_server/server-core#1110
Please wait...
Page is in error, reload to recover