Forum: MatriX
Michael Trinkies #1
Member since Feb 2017 · 6 posts
Group memberships: Members
Subject: XMPP TLS negotiation
hey guys,

I'm developing an XMPP server at the moment.

I'm trying to implement XEP-0035 SSL/TLS Integration. The client is set to StartTls and the certificate is also set.

On the server, while sending the StreamFeatures, I'm using:

  var features = new StreamFeatures();
  features.StartTls = new StartTls();

The XEP-0035 say:

To begin the TLS negotiation, the client issues the STARTTLS command:

Example 3. STARTTLS request

C: <tls:starttls/>
When the server is ready to begin the TLS negotiation, it will close the XML stream, but will keep the underlying connection to the client open:

Example 4. STARTTLS response

S: </stream:stream>

But if I close the stream by sending "</stream:stream>", the connection is closed and nothing happens.
What is the right way to do this / how do I fix it?

Thank you for your help

Sincerely
Michael Trinkies
This post was edited on 2017-02-01, 13:07 by Alex.
Alex #2
Member since Feb 2003 · 4322 posts · Location: Germany
Group memberships: Administrators, Members
The documentation you refer to is outdated. This is a very old spec which was used as an interim spec many years ago, before the XMPP RFCs were published. The RFCs include the proper documentation.

StartTls is documented in RFC 6120.

When the server supports TLS it advertises this when sending the stream features:

  <!-- server sends -->
  <stream:stream xmlns:stream='http://etherx.jabber.org/streams' version='1.0' from='ag-software.net' id='some-id' xmlns='jabber:client'>

  <stream:features>
     <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
  </stream:features>

Then the client sends the StartTls command to the server when it wants to secure the connection using TLS:
  <!-- client sends -->
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>

The server replies with the proceed element:
  <!-- server sends -->
  <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>

Now the client and the server upgrade the socket to TLS, usually using the SslStream in .NET with AuthenticateAsServer and AuthenticateAsClient.

Then, after the TLS handshake is complete, the client sends a new stream header to the server, which is now encrypted using TLS because the stream was upgraded to be secure. This is called a stream reset in XMPP. There is no stream footer sent (</stream:stream>), which makes this a bit tricky in XMPP. But MatriX does all the hard work for you; you just need to call reset on your XmppStreamParser as shown in the server example.

  <!-- client sends -->
  <stream:stream xmlns:stream="http://etherx.jabber.org/streams" version="1.0" xmlns="jabber:client" to="ag-software.net">

The server will reply again with stream features. Because we are on TLS now, it does not advertise the TLS feature but the SASL mechanisms, because authentication is next.

Alex
This post was edited 2 times, last on 2017-02-01, 13:29 by Alex.
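As an added illustration of the exchange Alex describes (this is not MatriX code or anything from the MatriX project, and it is Python rather than .NET): a small simulation with both sides' messages and a depth-tracking incremental parser. It shows the point about the missing stream footer concretely: because the first <stream:stream> is never closed, a parser that is not reset after <proceed/> sees the post-TLS stream header and features nested one level deeper instead of as a fresh stream. The XmppStreamParser class name here only mirrors the MatriX class by analogy, the hostnames and stream id are placeholders, and upgrade_to_tls is a hypothetical helper that wraps ssl.SSLContext.wrap_socket as the Python analogue of SslStream's AuthenticateAsServer/AuthenticateAsClient.

```python
"""Simulated XMPP STARTTLS negotiation (RFC 6120 section 5) showing why the
stream parser must be reset after <proceed/>: the old stream header is never
closed, so the new post-TLS header would otherwise nest inside it."""
import ssl
from xml.etree.ElementTree import XMLPullParser

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed messages modelled on the exchange in this thread; host and id are placeholders.
SERVER_HEADER = ("<stream:stream xmlns:stream='%s' version='1.0' "
                 "from='example.net' id='stream-id-1' xmlns='jabber:client'>" % NS_STREAM)
CLIENT_HEADER = ("<stream:stream xmlns:stream='%s' version='1.0' "
                 "to='example.net' xmlns='jabber:client'>" % NS_STREAM)
FEATURES_TLS = "<stream:features><starttls xmlns='%s'/></stream:features>" % NS_TLS
STARTTLS = "<starttls xmlns='%s'/>" % NS_TLS
PROCEED = "<proceed xmlns='%s'/>" % NS_TLS
FEATURES_SASL = ("<stream:features><mechanisms xmlns='%s'>"
                 "<mechanism>SCRAM-SHA-1</mechanism></mechanisms></stream:features>" % NS_SASL)


class XmppStreamParser:
    """Incremental parser (hypothetical stand-in, not the MatriX class) that reports
    each element together with the depth at which it closed. Stanzas and feature
    sets should close at depth 1, i.e. as direct children of the never-closed root."""

    def __init__(self):
        self.reset()

    def reset(self):
        # Fresh expat state: the next bytes fed must start a new document/stream.
        self._parser = XMLPullParser(events=("start", "end"))
        self._depth = 0

    def feed(self, data):
        """Feed text; return [(tag, depth_after_close)] for every element that finished."""
        self._parser.feed(data)
        done = []
        for event, elem in self._parser.read_events():
            if event == "start":
                self._depth += 1
            else:
                self._depth -= 1
                done.append((elem.tag, self._depth))
        return done


def upgrade_to_tls(sock, ctx: ssl.SSLContext, server_side, unread_plaintext=b""):
    """Wrap the already-connected socket (hypothetical analogue of SslStream's
    AuthenticateAsServer/AuthenticateAsClient). Plaintext read ahead of <proceed/>
    must not be replayed as though it had arrived under TLS."""
    if unread_plaintext:
        raise ValueError("plaintext bytes buffered past <proceed/>; refusing to upgrade")
    return ctx.wrap_socket(sock, server_side=server_side)


def negotiate(reset_after_proceed):
    """Drive client- and server-side parsers through the exchange without a real
    socket. Returns (depth at which the post-TLS <stream:features> closes on the
    client, whether starttls is still offered). Depth 1 means the stream reset
    worked; depth 2 means the new header nested inside the old, unclosed one."""
    client, server = XmppStreamParser(), XmppStreamParser()

    server.feed(CLIENT_HEADER)                          # client opens the stream
    feats = client.feed(SERVER_HEADER + FEATURES_TLS)   # server answers with header + features
    assert ("{%s}features" % NS_STREAM, 1) in feats
    assert any(tag == "{%s}starttls" % NS_TLS for tag, _ in feats)

    assert ("{%s}starttls" % NS_TLS, 1) in server.feed(STARTTLS)  # client asks for TLS
    assert ("{%s}proceed" % NS_TLS, 1) in client.feed(PROCEED)    # server agrees

    # Here both sides would call upgrade_to_tls() on the raw socket, then the
    # client opens a *new* stream over the encrypted channel. No </stream:stream>
    # is ever sent for the old one, so the parsers must forget it explicitly.
    if reset_after_proceed:
        client.reset()
        server.reset()
    server.feed(CLIENT_HEADER)
    post_tls = client.feed(SERVER_HEADER + FEATURES_SASL)
    depth = {tag: d for tag, d in post_tls}["{%s}features" % NS_STREAM]
    tls_still_offered = any(tag == "{%s}starttls" % NS_TLS for tag, _ in post_tls)
    return depth, tls_still_offered


if __name__ == "__main__":
    print("with reset:    features close at depth", negotiate(True)[0])
    print("without reset: features close at depth", negotiate(False)[0])
```

Two details worth checking in a real server: the second features set must no longer offer starttls once the stream is encrypted (negotiate returns that flag), and any bytes the server has already read beyond <proceed/> before the handshake must be discarded rather than parsed as if they had been received under TLS, which is why the helper refuses to upgrade while plaintext is still buffered.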
Michael Trinkies #3
Member since Feb 2017 · 6 posts
Group memberships: Members
Wow thank you for the fast answer. This worked for me!
Alex #4
Member since Feb 2003 · 4322 posts · Location: Germany
Group memberships: Administrators, Members
great to hear.