Hey everyone,

I've just stumbled across this bug, because we're using some
not-packaged software that worked fine on jessie, and on stretch
fails to connect to our internal jabber server.

It basically does this:

  my $connection = Net::Jabber::Client -> new( debugLevel => $jabberdebug );
  $connection -> Connect( "hostname" => $jabberserver, "port" => $jabberport, 
"tls" => $jabbertls, "ssl" => $jabberssl )  or die "Cannot connect ($!)\n";

Note: Net::Jabber::Client is a "wrapper" for Net::XMPP::Client which
one can consider to be equal for this discussion.

* gregor herrmann <[email protected]> [171113 11:01]:
> Control: reassign -1 sendxmpp 1.23-1.1
> Control: severity -1 important
> Control: retitle -1 sendxmpp: sendxmpp can't send message with TLS/SSL 
> without passing -tls-ca-path
> 
> On Wed, 28 Jun 2017 00:09:12 +0200, Markus Gschwendt wrote:
> 
> > > > Maybe I miss something obvious, but IMHO the bug should 1/ be
> > > > reassigned to sendxmpp itself. Then the question is if sendxmpp
> > > > should
> > > > be patches actually (if so it might need to depend on
> > > > ca-certificates), or "just" document when
> > > > -tls-ca-path="/etc/ssl/certs" needs to be passed.
> > If people don't like to use SSL (which i would consider as a bad idea
> > these days) they also don't want a dependency on ca-certificates. So it
> > should be a 'reccomended package'.
> 
> I think that's not really an option, as what we are seeing here, and
> that's the start of the bug report, is tjat there are servers which
> enforce TLS/SSL.
> (But maybe I'm wrong here.)

Net::XMPP::Client defaulting to ssl=0, tls=0 in itself is already a
very bad idea today. Most public servers should be requiring at
least StartTLS, so these defaults pretty much break connecting to
most servers.
Still, a common pattern in Debian appears to be only Recommending:
ca-certificates, so that'd still be alright, I think.

> > > Ack, AFAICS Net::XMPP fixed a bug (ignoring the path to the certs)
> > > and this triggered the necessity for sendxmpp to set it (by the user
> > > or in the code). 
> > I'd like to have the default set in Net::XMPP debian package to have it
> > available in several applications which use this library.
> 
> I don't see a place of/for default values there, and I still think
> it's the wrong place.

Net::XMPP::Client's new appears to set defaults. That might be a
good place?

> Net::XMPP::Connection offers a Connect() method (which is used by
> sendxmpp [0]) which optionally offers to set some TLS/SSL parameters.
> They can also be left out but saying "yes we want TLS/SSL but we
> don't tell you were to find the certs", as sendxmpp does, breaks
> later in the underlying XML::Stream.
> 
> Or in other words: I think sendxmpp is just using
> Net::XMPP::Connection wrong.

As said above, defaulting TLS to off is a bad idea already.

OTOH, XML::Stream then defaults to verifying certificates, if TLS is
on, but does not provide a default where to find any certificates.

Having every user of Net::XMPP (or XML::Stream) supply the path
to the OS-provided default certificate store is rather silly in my
opinion.

> > Maybe in sendxmpp too.
> 
> I'm still sure that it belongs there because it is sendxmpp which
> sets tls-ca-path explicitly to an empty value which then causes
> havoc.

That looks bad in sendxmpp, but comparing the code I pasted above,
it also won't work with nothing passed, in which case sane defaults
should apply.

> [..]

> Conclusion:
> So far we only see problems with sendxmpp; sendxmpp is not broken
> (manually setting the parameters works) but is sub-optimal: it would
> profit from either setting a default path or not setting an empty
> path (!). And the fix is easy as well.
> 
> Therefore I'm now reassigning the bug to sendxmpp and lowering the
> severity.

I'd consider cloning this bug to libnet-xmpp-perl or
libxml-stream-perl, raising severity, because of the upgrade
breakage.

Thoughts, objections?

Thanks,
Chris

Reply via email to