Not logged in. · Lost password · Register
Forum: MatriX RSS
Avatar
ccobarzan #1
Member since Jan 2017 · 5 posts
Group memberships: Members
Show profile · Link to this post
Subject: XMPP component TLS connection to server
Hi Alex,

I need to make a connection between a component to a XMPP server that supports TLS 1, 1.1 and 1.2 (the server is in an DMZ) and I need to ensure a secure connection between the component and the server. In my project I use MatriX (version 2.0.0.12) and I'm wandering if the connection between the Matrix component and a server is using TLS. If not, can you give me some ideas about how I could secure the connection using TLS?


Best regards
Avatar
Alex #2
Member since Feb 2003 · 4327 posts · Location: Germany
Group memberships: Administrators, Members
Show profile · Link to this post
Usually they are not encrypted. Component connections use the old extension XEP-0114: Jabber Component Protocol.
But different server software support different extensions to this protocol, or legacy Tls connections without the StartTls command.

  • Which XMPP server are using?
  • What are the capabilities of your server to secure component connection?
  • Can you post a log where the component connection gets initiated? Then we can see if the server advertises any specific features

Alex
Avatar
ccobarzan #3
Member since Jan 2017 · 5 posts
Group memberships: Members
Show profile · Link to this post
I'm trying to connect to a Tigase Server. They advertise that they accept connections using XEP-114 and XEP-225 and it's transparent for the server. Apparently the component chooses the protocol and the server should accept it.

The exchange begins with (hostname is the component name just for example):

  1. <stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:component:accept" from="hostname" id="acdfa3a8-bd44-4ddf-a368-e233bfc79d68" >

and I get a reply

  1. <handshake xmlns="jabber:component:accept" />

after which I send an IQ with

  1. <iq id='iq_id' type='set'><bind xmlns='urn:xmpp:component:0'><hostname>hostname</hostname></bind></iq>

and get back

  1. <iq
  2.  type="result"
  3.  id="iq_id" xmlns="jabber:component:accept">
  4.  <bind xmlns="urn:xmpp:component:0">
  5.     <hostname>hostname</hostname>
  6.  </bind>
  7. </iq>

Normally now I'm connected to the server using XEP-0225, but I still need to change the underlying transport protocol, no? Is there any possibility to do it while keeping the component code is place (so I do not need to rewrite the whole component code to work with a secured stream)?

I have made a connection also with a XmppClient, and then the server advertises some capabilities and I can make a TLS connection, but when using the XmppComponent I only get the above messages.

Any thought how I could secure the stream?

Regards,
Cosmin
This post was edited 2 times, last on 2017-01-26, 16:16 by Alex.
Avatar
Alex #4
Member since Feb 2003 · 4327 posts · Location: Germany
Group memberships: Administrators, Members
Show profile · Link to this post
MatriX is using XEP-0114 when you use the XmppComponent class. This extension does not support the StartTls extension. But usually server listen on a second separate port for Secure connections using the component protocol.

When this is also supported by Tigase then all you have to do is the follwoing:

  1. // Openfire uses this port for secure connections by default
  2. xmppComponent.Port = 5276;
  3. xmppComponent.OldStyleSsl = true;

XEP-0225 is deprecated and was never finalized, this is why its not available in MatriX. If you want to use this extensions you would have to roll your own XmppComponent class for this extensions, which should not be that complicated.

Alex
Avatar
ccobarzan #5
Member since Jan 2017 · 5 posts
Group memberships: Members
Show profile · Link to this post
Thank you for the reply.
I will try to search on which port Tigase accepts a secure connection.

Regards,
Cosmin
Avatar
Alex #6
Member since Feb 2003 · 4327 posts · Location: Germany
Group memberships: Administrators, Members
Show profile · Link to this post
great, let us know when you have more information.
Avatar
ccobarzan #7
Member since Jan 2017 · 5 posts
Group memberships: Members
Show profile · Link to this post
Hi again,

I tried to make a connection using

  1. xmppComponent.OldStyleSsl = true;

but I still have a rejected connection, event thought SSL is enabled on the server side on the port that I try to connect.
Here is the error that I get (caught by the Event handler):

  1. XmppComponent.OnError

System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
at Matrix.Net.ClientSocket.DoStartSecurityLayer(SslProtocols protocol)

Do you have any ideea what I can do next to move forward with the connection? Do I need to have the server certificate installed on my machine to be able to authenticate as a client?

Best regards,
Cosmin Cobarzan
This post was edited 2 times, last on 2017-02-09, 15:42 by Alex.
Avatar
Alex #8
Member since Feb 2003 · 4327 posts · Location: Germany
Group memberships: Administrators, Members
Show profile · Link to this post
Do you have a valid trusted cert on your server for this component? Or is it self signed?
Have you tried to bypass the certificate validation as described here
https://www.ag-software.net/matrix-xmpp-sdk/matrix-develop…

Alex
Avatar
ccobarzan #9
Member since Jan 2017 · 5 posts
Group memberships: Members
Show profile · Link to this post
Hi Alex,

It turns out the server shuts down the connection before sending the certificate.
The solution would be to use TLS for component connection, but it needs to be initiated with StartTLS extension of XMPP (first negotiation of XMPP stream and then start of TLS encryption).
Can you tell me if with the OldStyleSSL property set, the component will reply to StartTls extension, if such message is received by the component? Will it carry out automatically the encryption of the stream at lower levels, so I could use the code of the component just as I do now, or would I be forced to rewrite all to component code to reply to StartTLS and handle by myself all encryption/description?

Thanks,
Cosmin Cobarzan
Avatar
Alex #10
Member since Feb 2003 · 4327 posts · Location: Germany
Group memberships: Administrators, Members
Show profile · Link to this post
Quote by ccobarzan:
It turns out the server shuts down the connection before sending the certificate.
The solution would be to use TLS for component connection, but it needs to be initiated with StartTLS extension of XMPP (first negotiation of XMPP stream and then start of TLS encryption).

OldStyle SSL/Tls is ussing a secure connection from the beginning on. Because of this is does not use the StartTls command.
When you use legacy SSL then a server usually listens on 2 different ports, one for legacy ssl and another port which accepts plain connection which gets upgraded later over the StartTls command.

The host/port combination you connect to seems not to be configured for legacy (old style) ssl/tls.

Quote by ccobarzan:
Can you tell me if with the OldStyleSSL property set, the component will reply to StartTls extension, if such message is received by the component? Will it carry out automatically the encryption of the stream at lower levels, so I could use the code of the component just as I do now, or would I be forced to rewrite all to component code to reply to StartTLS and handle by myself all encryption/description?

you have to fin out if your server can support legacy SSL/TLS, without the StartTls command.
If it doesn't you have to create your own component connection class and implement the StartTls command on this.
When you contact our support we can send you the full source code of the Component class, then you can implement the StartTls command. Its pretty simple.
or you give us access to your server, and we can check if we can implement the StartTls command for component connections.
Avatar
olivier #11
Member since Mar 2017 · 1 post
Group memberships: Members
Show profile · Link to this post
Hello

I am François Olivier from ALE international and we are in commercial relation with Ccobarzan for an XMPP project.

We have a support contract for the MatriX for .NET / Mono binary license including 1 year of upgrades
AG-Software.

I don't know how to contact the support.  could you indicate me Alex how i can?

Concerning the subject XMPP component TLS connection to server. The way we want explore is start TLS implementation. We want have an estimation of cost about an  implemention of  the StartTls command for component connections by Matrix support.

Thanks for information.
Avatar
Alex #12
Member since Feb 2003 · 4327 posts · Location: Germany
Group memberships: Administrators, Members
Show profile · Link to this post
You can contact support@ag-software.de
Close Smaller – Larger + Reply to this post:
Verification code: VeriCode Please enter the word from the image into the text field below. (Type the letters only, lower case is okay.)
Smileys: :-) ;-) :-D :-p :blush: :cool: :rolleyes: :huh: :-/ <_< :-( :'( :#: :scared: 8-( :nuts: :-O
Special characters:
Forum: MatriX RSS