On Sun, 22 Nov 2015 03:21:12 +0100 Jan Klemkow <j.klem...@wemelug.de> wrote:
> Hey,
>
> I implemented STARTTLS. But there is a hard-coded hack, so that there is
> no certificate verification at the moment. I have to find a way to give
> options through sj to tlsc. But I think that this is a good way to
> handle this problem.

Wow, you're fast.

> After STARTTLS negotiation sj starts tlsc with its own arguments behind
> the tlsc ones. So tlsc does the TLS handshake and starts sj as it was
> stated before.

Ah, so I should let sj call tlsc instead of putting it on the command line.

> Could you test the new state with your use cases?

Sure. Here's what I did:

1. Replace openssl with the archlinux experimental libressl package.

2. Build tlsc. I have libressl and libbsd installed. Looks like I don't
have these two functions:

    ERR_get_error
    ERR_error_string

So I commented out the error reporting code and proceeded =)

3. Build sj. Oops, explicit_bzero doesn't exist... I guess it's an
openbsd/freebsd thing? I replaced the calls with bzero (insecure; oh well).

4. Run the program:

    % env | grep SJ
    SJ_USER=gnuman
    SJ_DIR=/home/matt/.xmpp
    SJ_SERVER=dukgo.com
    % tcpclient dukgo.com 5222 ./sj
    tlsc: tls_error: name `ec2-23-21-227-59.compute-1.amazonaws.com' not present in server certificate

Is it trying to verify the certificate? I don't know how to override the
check. I tend to treat xmpp ssl certificates like ssh host keys - store
them and only worry if there's a mismatch.

Are you developing this from openbsd? explicit_bzero appears to be fairly
new, and FreeBSD only got it as of 11.0.

It might make sense to do TLS from within sj itself. Chaining it through
tlsc seems to add complexity, not reduce it.

Also, I think proper XMPP requires a few DNS lookups on SRV records to
even know which server to initiate TCP with.

> Thanks for reporting,
> Jan

You're welcome =)

--
Matt Boswell
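The "treat XMPP certificates like ssh host keys" policy Matt describes, written out as an added example for this thread; it is not code from sj or tlsc, and nothing in the thread says either tool does this. It assumes the client has the server's leaf certificate in DER form after the STARTTLS handshake, that the pin file lives under SJ_DIR (the file name known_certs is assumed), and the two "certificates" below are constructed placeholder byte strings, not real X.509 data.

```python
"""Trust-on-first-use (TOFU) pinning for XMPP server certificates, modelled
on ssh's known_hosts.  Added example for the thread above; it is not code
from sj or tlsc.  Assumptions: the client has the server's leaf certificate
in DER form after the STARTTLS handshake, and the pin file lives under
SJ_DIR (the file name `known_certs` is assumed)."""
import hashlib
import hmac
import os

# Constructed placeholder "certificates": arbitrary bytes standing in for
# DER, NOT real X.509 data.  Only their hash matters to this example.
CERT_DUKGO_V1 = b"\x30\x82\x01\x00constructed-cert-for-dukgo.com-2015"
CERT_DUKGO_V2 = b"\x30\x82\x01\x00constructed-cert-for-dukgo.com-renewed"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes, formatted the way
    `openssl x509 -noout -fingerprint -sha256` prints it."""
    hexdigest = hashlib.sha256(der_cert).hexdigest().upper()
    pairs = (hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))
    return "SHA256:" + ":".join(pairs)


def load_store(path: str) -> dict:
    """Read `<server-name> <fingerprint>` lines; a missing file means no pins yet."""
    store = {}
    if not os.path.exists(path):
        return store
    with open(path, encoding="ascii") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name, fp = line.split(None, 1)
            store[name] = fp
    return store


def save_store(path: str, store: dict) -> None:
    """Write the pins back atomically, mode 0600: the file is a trust anchor."""
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="ascii") as fh:
        for name, fp in sorted(store.items()):
            fh.write(f"{name} {fp}\n")
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


def check_pin(store: dict, server_name: str, der_cert: bytes) -> str:
    """Decide the way ssh decides for a host key.

    "new"      first contact: pin recorded, unverified by design
    "match"    same certificate as last time: proceed
    "mismatch" certificate changed: refuse until the user repins

    The store is keyed by the name the user configured (SJ_SERVER), not by
    whatever host name the TCP endpoint happens to resolve to."""
    fp = fingerprint(der_cert)
    known = store.get(server_name)
    if known is None:
        store[server_name] = fp
        return "new"
    if hmac.compare_digest(known, fp):
        return "match"
    return "mismatch"


def repin(store: dict, server_name: str, der_cert: bytes) -> str:
    """Explicit user action after a mismatch, the analogue of editing known_hosts."""
    store[server_name] = fingerprint(der_cert)
    return store[server_name]


if __name__ == "__main__":
    import tempfile
    sj_dir = tempfile.mkdtemp()                   # stands in for SJ_DIR
    path = os.path.join(sj_dir, "known_certs")    # assumed file name
    store = load_store(path)
    print("first contact:", check_pin(store, "dukgo.com", CERT_DUKGO_V1))
    save_store(path, store)
    store = load_store(path)                      # the next run of sj
    print("reconnect:    ", check_pin(store, "dukgo.com", CERT_DUKGO_V1))
    print("changed cert: ", check_pin(store, "dukgo.com", CERT_DUKGO_V2))
```

The weakness is the same as with ssh: the first contact is taken on faith, so this is a fallback for servers whose certificate a CA-based check (like the one tlsc is apparently attempting above) cannot validate, not a replacement for it. Keying the store by the configured domain rather than the connected host's name is what keeps the entry stable across reconnects.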