Daniele Ricci opened 10 years ago
|
|
My suggestion is not to use legacy SSL connections. I say this in relation to this and other bug reports. The legacy SSL has many disadvantages and TLS has many advantages, so I would avoid using SSL whenever possible. |
|
Artur Hefczyc wrote:
I have the need to connect via HTTPS CONNECT for corporate proxies, and this is not possible with STARTTLS. |
|
Indeed, if you use HTTP than SSL is the only option right now. Bartosz, please take a look at the problem. What would be the best way to handle this? |
|
Is there any way I can help with this? Maybe some SSL debug log you need or any other kind of test I could make? |
|
I don't understand your first commit. You can use SASL EXTERNAL but first it must be configured properly |
|
Bartosz Malkowski wrote:
Certificates I use in Kontalk are self-signed. They are later checked during SASL auth through other processes (they use a special X.509 extension). By the way is there some cleaner method to accept self-signed certificates in Tigase without patching the code? |
|
Guys do you mind reassigning this to the proper person? I don't want to stop notifications because of a single ticket :) |
|
Ok I think I know what is happening here. As soon as the SSL connection goes through, ClientConnectionManager.tlsHandshakeCompleted is called, which is given the task to build the CLIENT_AUTH command for the SessionManager to authenticate the connection. However:
A session ID doesn't exist yet, because the stream hasn't been opened yet. If I try to make one and make the method build a correct CLIENT_AUTH command, look what happens in the SessionManager:
Because of course SessionManager.connectionsByFrom is still empty - no actual stream has been opened yet, we just completed SSL handshake. I discovered this while I was experimenting with BOSH and WebSockets in SSL mode, same issue when using direct SSL sockets. How can we fix this? CLIENT_AUTH command should be sent after the stream has been opened, otherwise stream features will not have SASL EXTERNAL and the client will not use client certificate authentication (forcing SASL EXTERNAL doesn't work either because the connection was not filled in with certificate information, which happens in the CLIENT_AUTH handler). |
|
I did a quick test for a workaround by adding a call to:
in ClientConnectionManager.xmppStreamOpened, client certificate authentication is now working. Also, a check against a null id in tlsHandshakeCompleted is needed to avoid triggering a NullPointerException which will cause the connection to force stop. Now we need to know if we can call tlsHandshakeCompleted or not. Should I just check the socket type? What do you suggest? I'm eager to prepare a patch for this :) |
|
Fixed I hope :-) |
|
Thanks Bartosz, however I think two more pieces are missing. https://github.com/kontalk/tigase-server/commit/c850a447d5663d2bcbcaf3ce69f3800866bf1e9a This commit is required to create a correct SSL context with a configured trust manager. I think this commit can be used as-is. https://github.com/kontalk/tigase-server/commit/a4d70f8402ba7ca2730ca99735d898cf427a10b5 This is a hack I had to introduce to call XMPPIOService.setX509TrustManagers() also for SSL sockets. Currently, it is only called in STARTTLS code (ClientConnectionManager.processCommand, STARTTLS case). This commit requires modifications because it's a hack that relies on the component name. |
|
Bartek, what is status of this task? Please provide estimate so we know if it can be completed for 7.1. |
|
Thanks for merging Bartosz, but I strongly advise to not use this hack:
For a number of reasons that I think you know already :) I advise creating something like an interface exposing a method to set the X.509 trust manager to be used by the component. I could even work on that on the short term (like 3-4 days), if the effort is what I think it is. |
|
Removed dependency on component name |
|
Thanks! |
Type |
Bug
|
Priority |
Major
|
Assignee | |
RedmineID |
2860
|
Version |
tigase-server-7.1.0
|
Spent time |
4h 30m
|
I've been trying to use direct SSL connections with Tigase, with EXTERNAL authentication, so a client certificate.
The client certificate is self-signed, so I had to make some "adjustments" to allow it to be used, namely:
https://github.com/kontalk/tigase-server/commit/da739f58495da44f86c2300ab383169fb3170839
https://github.com/kontalk/tigase-server/commit/c850a447d5663d2bcbcaf3ce69f3800866bf1e9a
https://github.com/kontalk/tigase-server/commit/a4d70f8402ba7ca2730ca99735d898cf427a10b5
The last commit is a dirty workaround, try not to look at it :) I will fix that when I will have a working situation.
On connection I have this on client side:
As you can see I'm using Android, however, even openssl s_client utility fails with unknown error:
Server is (if you'd like to try) beta.kontalk.net listening for direct SSL on ports 443, 5223, 8443.
Connection with STARTTLS works perfectly.