Not able to connect via S2S to server with incorrect SSL certificate (#1133)
Andrzej Wójcik (Tigase) opened 5 years ago

Not able to connect via S2S to the server with an incorrect SSL certificate. That server is dropping handshake only dialback connection on SASL external requests.

  • Andrzej Wójcik (Tigase) commented 5 years ago

    While dialback is in progress, we can assume that SASL external will fail anyway and can skip that step. This solves that issue and is a reasonable solution.

  • Wojciech Kapcia (Tigase) commented 5 years ago

    Looks sensible though it should be included in master branch.

  • Wojciech Kapcia (Tigase) commented 5 years ago

    @andrzej.wojcik

    I was looking at this change while looking at #issue #1111 and I think we could change this condition to OR:

    if (certCheckResult == CertCheckResult.invalid && serv.isHandshakingOnly()) {
    	return true;
    }
    

    (if it's handshakingOnly then it's most likely dialback, and if certificate is invalid then possibly we will be able to establish s2s as a client but return connection will definitely fail). What do you think?

  • Andrzej Wójcik (Tigase) commented 5 years ago

    Well, we could try that. I've added && as I was not sure if the usage of || will not make it too relaxed and wanted to make the smallest possible change.

  • Wojciech Kapcia (Tigase) commented 5 years ago

    I was pondering it a little bit more and I think that with #issue #1112 and #issue #1132 we could actually stick with && with the assumption that it would still be possible to establish and authenticate connection in one way using SASL-EXTERNAL and other way around using dialback.

Type: Bug
Priority: Normal
Version: tigase-server-8.1.0
Reference: tigase/_server/server-core#1133