Opened 14 years ago
Last modified 14 years ago
#139 new defect
Jabber does not verify the server’s SSL certificate
Reported by: | andersk@mit.edu | Owned by: |
---|---|---|---
Priority: | major | Milestone: |
Component: | jabber | Keywords: |
Cc: | | |
Description
XML::Stream creates all SSL connections with SSL_verify_mode=>0x00, so it never verifies the server’s SSL certificate, and any attacker can MITM the connection.
I also reported this to XML::Stream upstream, though we could patch BarnOwl’s embedded copy of XML::Stream if necessary.
Change History (3)
comment:1 Changed 14 years ago by andersk@mit.edu
comment:2 Changed 14 years ago by davidben@mit.edu
It appears upstream has added a fix now. I gather we need to pass a directory with root CAs to take advantage of this?
comment:3 Changed 14 years ago by andersk@mit.edu
This is fixed in the development versions (XML::Stream 1.23_02, Net::XMPP 1.02_1).
Annoyingly, because OpenSSL is stupid, we’ll need to figure out an ssl_ca_path to pass in. The right value is
- Debian: /etc/ssl/certs or /etc/ssl/certs/ca-certificates.crt (/usr/lib/ssl is a symlink to /etc/ssl)
- Fedora: /etc/pki/tls/certs or /etc/pki/tls/certs/ca-bundle.crt on Fedora
- Other: who knows
There might be a generic way of finding the right directory from the OpenSSL library, but it sucks (see SSLeay_version(3)):
#include <openssl/crypto.h>
SSLeay_version(SSLEAY_DIR)
returns the string ‘OPENSSLDIR: "/usr/lib/ssl"’ or ‘OPENSSLDIR: "/etc/pki/tls"’. This does not appear to be exported via any existing Perl bindings.
XML::Stream upstream replies:
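As an added illustration (not XML::Stream's, Net::XMPP's or BarnOwl's code), the following Perl script shows the two sides of the ticket with IO::Socket::SSL directly: the unverified connection that corresponds to SSL_verify_mode=>0x00, and a verified one that loads a CA store and checks the certificate against the XMPP domain. The CA locations are the Debian and Fedora paths from comment:3; the `openssl version -d` probe is an assumed workaround for the missing Perl binding to SSLeay_version(SSLEAY_DIR) and requires the openssl binary on PATH. Host, port and domain are placeholders.

```perl
#!/usr/bin/perl
# Added example (not XML::Stream or BarnOwl code): an XMPP-over-TLS client
# connection with and without certificate verification, plus a best-effort
# search for the system CA store.
use strict;
use warnings;
use IO::Socket::SSL qw(SSL_VERIFY_NONE SSL_VERIFY_PEER $SSL_ERROR);

# CA locations named in the ticket, tried in order (assumed to be the
# distribution defaults; extend for other systems).
my @CA_CANDIDATES = (
    [ SSL_ca_file => '/etc/ssl/certs/ca-certificates.crt' ],  # Debian
    [ SSL_ca_path => '/etc/ssl/certs' ],                       # Debian
    [ SSL_ca_file => '/etc/pki/tls/certs/ca-bundle.crt' ],    # Fedora
    [ SSL_ca_path => '/etc/pki/tls/certs' ],                   # Fedora
);

# Ask the OpenSSL CLI for OPENSSLDIR, the same value the comment reads via
# SSLeay_version(SSLEAY_DIR). Returns undef if openssl is not on PATH.
sub openssl_dir {
    my $out = `openssl version -d 2>/dev/null`;
    return unless defined $out && $out =~ /OPENSSLDIR:\s*"([^"]+)"/;
    return $1;
}

# Return (SSL_ca_file => ...) or (SSL_ca_path => ...) for the first location
# that exists, trying OPENSSLDIR/certs first; empty list if none is found.
sub find_ca_args {
    my @candidates = @CA_CANDIDATES;
    my $dir = openssl_dir();
    unshift @candidates, [ SSL_ca_path => "$dir/certs" ] if defined $dir;
    for my $c (@candidates) {
        my ($key, $path) = @$c;
        return ($key => $path) if -e $path;
    }
    return;
}

# The ticket's bug: SSL_verify_mode => 0x00 (SSL_VERIFY_NONE) accepts any
# certificate, so whoever sits on the path can terminate the TLS session.
sub connect_unverified {
    my ($host, $port) = @_;
    return IO::Socket::SSL->new(
        PeerHost        => $host,
        PeerPort        => $port,
        SSL_verify_mode => SSL_VERIFY_NONE,
    );
}

# Hardened form: verify the chain against the CA store and check that the
# certificate is issued for the XMPP domain (the JID domain, which may differ
# from the host an SRV lookup pointed at).
sub connect_verified {
    my ($host, $port, $domain) = @_;
    my %ca = find_ca_args()
        or die "no CA store found; pass SSL_ca_path/SSL_ca_file explicitly\n";
    return IO::Socket::SSL->new(
        PeerHost            => $host,
        PeerPort            => $port,
        SSL_verify_mode     => SSL_VERIFY_PEER,
        SSL_verifycn_scheme => 'xmpp',
        SSL_verifycn_name   => $domain,
        %ca,
    );
}

# Placeholder endpoint: legacy TLS-on-connect port, as XML::Stream's ssl=>1 uses.
my ($host, $port, $domain) = @ARGV ? @ARGV : ('xmpp.example.org', 5223, 'example.org');
my $sock = connect_verified($host, $port, $domain)
    or die "verified TLS connect to $host:$port failed: $SSL_ERROR\n";
printf "verified connection; peer CN is %s\n", $sock->peer_certificate('cn');
```

Run it as `perl verify.pl host port domain`. A failed handshake surfaces in `$SSL_ERROR` (typically a "certificate verify failed" message) instead of silently succeeding as the unverified variant would. Recent IO::Socket::SSL releases default the client side to SSL_VERIFY_PEER and can locate the system CA store themselves, so on a current system the explicit CA probing is only needed when the library is old or the store lives somewhere unusual.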