Opened 10 years ago

Last modified 9 years ago

#139 new defect

Jabber does not verify the server’s SSL certificate

Reported by: andersk@mit.edu Owned by:
Priority: major Milestone:
Component: jabber Keywords:
Cc:

Description

XML::Stream creates all SSL connections with SSL_verify_mode=>0x00, so it never verifies the server’s SSL certificate, and any attacker can MITM the connection.

I also reported this to XML::Stream upstream, though we could patch BarnOwl’s embedded copy of XML::Stream if necessary.

Change History (3)

comment:1 Changed 10 years ago by andersk@mit.edu

XML::Stream upstream replies:

Anders,

Sorry for taking so long to get back to you.

Yes, indeed this is a problem and I will fix it immediately. I'll let you know when a fix has been committed to trunk.

comment:2 Changed 9 years ago by davidben@mit.edu

It appears upstream has added a fix now. I gather we need to pass a directory with root CAs to take advantage of this?

comment:3 Changed 9 years ago by andersk@mit.edu

This is fixed in the development versions (XML::Stream 1.23_02, Net::XMPP 1.02_1).

Annoyingly, because OpenSSL is stupid, we’ll need to figure out an ssl_ca_path to pass in. The right value is

  • Debian: /etc/ssl/certs or /etc/ssl/certs/ca-certificates.crt (/usr/lib/ssl is a symlink to /etc/ssl)
  • Fedora: /etc/pki/tls/certs or /etc/pki/tls/certs/ca-bundle.crt on Fedora
  • Other: who knows

There might be a generic way of finding the right directory from the OpenSSL library, but it sucks (see SSLeay_version(3)):

#include <openssl/crypto.h>
SSLeay_version(SSLEAY_DIR)

returns the string ‘OPENSSLDIR: "/usr/lib/ssl"’ or ‘OPENSSLDIR: "/etc/pki/tls"’. This does not appear to be exported via any existing Perl bindings.

Note: See TracTickets for help on using tickets.