How can I do the work "complete TLS negotiation"

chinull

2007-04-30, 11:41 #1

Member since Apr 2007 · 11 posts
Group memberships: Members

Show profile ·

Link to this post

Subject: How can I do the work "complete TLS negotiation"

Hi, Alex
when I use the miniclient connect to wildfire is ok,but connect to the test server is can't complete.the debug message like this:

SEND: <stream:stream to='chinull' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' xml:lang='zh-CN'>
RECV: <stream:stream xmlns:stream="http://etherx.jabber.org/streams" from="localhost" version="1.0" xml:lang="zh-cn" id="16df60b0" >
RECV: <stream:features xmlns:stream="http://etherx.jabber.org/streams"><register xmlns="http://jabber.org/features/iq-register" /><auth xmlns="http://jabber.org/features/iq-auth" /><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>DIGEST-MD5</mechanism></mechanisms><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" /></stream:features>
SEND: <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
RECV: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls" />

connecting end.//how can that be?

when I use pandion connect to the test server the result is

EVNT: Connecting to chinull
SENT: <?xml version="1.0"?>
SENT: <stream:stream to="chinull" xml:lang="zh-cn" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
RECV: <stream:stream from="localhost" version="1.0" xml:lang="zh-cn" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" id="6bf31f61">
RECV: <stream:features xmlns:stream="http://etherx.jabber.org/streams"><register xmlns="http://jabber.org/features/iq-register"></register><auth xmlns="http://jabber.org/features/iq-auth"></auth><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism><mechanism>DIGEST-MD5</mechanism></mechanisms><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls></stream:features>
SENT: <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
RECV: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"></proceed>

I checked the RFC3920,what can I do in the test server to complete the step 6 ?

In RFC 3920
5.2. Narrative
...
   5. The receiving entity MUST reply with either a <proceed/> element
   or a <failure/> element qualified by the
   'urn:ietf:params:xml:ns:xmpp-tls' namespace. If the failure case
   occurs, the receiving entity MUST terminate both the XML stream
   and the underlying TCP connection. If the proceed case occurs,
   the entities MUST attempt to complete the TLS negotiation over
   the TCP connection and MUST NOT send any further XML data until
   the TLS negotiation is complete.

   6. The initiating entity and receiving entity attempt to complete a
   TLS negotiation in accordance with [TLS].

I do the work like "5.3. Client-to-Server Example" describled
but the "setp 6" should did anything?

   Step 6: Client and server attempt to complete TLS negotiation over
   the existing TCP connection.

Alex

2007-04-30, 18:34 #2

Member since Feb 2003 · 4317 posts · Location: Germany
Group memberships: Administrators, Members

Show profile ·

Link to this post

Hello chinull,

the test server is only a very very basic example which should show you how you can build a server using our SDK. But it far away from beeing a complete and working XMPP server.

To complete your code the server has to setup a server SSL stream here so that the client can execute StartTLS and secure the connection. There is a very good example in the MSDN library for SSL client & server sockets.

Alex

chinull

2007-05-02, 17:58 #3

Member since Apr 2007 · 11 posts
Group memberships: Members

Show profile ·

Link to this post

Subject: InvalidTokenException

thanks, after I did "complete TLS negotiation"
the client debug msg like this:
...
SEND: <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
RECV: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
SEND: <stream:stream to='chinull' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' xml:lang='zh-CN'>
...
but when the server receive stream from client ,the InvalidTokenException occours.
what should I do to deal with the situation?

xml\xpnet\Encoding.cs
public TOK tokenizeContent(byte[] buf, int off, int end,
   ContentToken token)

      case BT_MALFORM:
      throw new InvalidTokenException(off);//step into here

buf[]=
      [0] 23 byte
      [1] 3 byte
      [2] 1 byte
      [3] 0 byte
      [4] 143 byte
      [5] 32 byte
      [6] 183 byte
      [7] 198 byte
      [8] 222 byte
      [9] 189 byte
      [10] 191 byte
      [11] 122 byte
      [12] 80 byte
      [13] 233 byte
      [14] 195 byte
      [15] 27 byte
      [16] 102 byte
      [17] 7 byte
      [18] 144 byte
      [19] 170 byte
      [20] 48 byte
      [21] 6 byte
      [22] 110 byte
      [23] 54 byte
      [24] 18 byte
      [25] 20 byte
      [26] 93 byte
      [27] 250 byte
      [28] 251 byte
      [29] 113 byte
      [30] 176 byte
      [31] 79 byte
      [32] 246 byte
      [33] 168 byte
      [34] 199 byte
      [35] 80 byte
      [36] 168 byte
      [37] 44 byte
      [38] 124 byte
      [39] 71 byte
      [40] 61 byte
      [41] 38 byte
      [42] 209 byte
      [43] 53 byte
      [44] 17 byte
      [45] 135 byte
      [46] 190 byte
      [47] 3 byte
      [48] 181 byte
      [49] 115 byte
      [50] 12 byte
      [51] 209 byte
      [52] 216 byte
      [53] 41 byte
      [54] 3 byte
      [55] 31 byte
      [56] 22 byte
      [57] 94 byte
      [58] 60 byte
      [59] 218 byte
      [60] 10 byte
      [61] 70 byte
      [62] 244 byte
      [63] 247 byte
      [64] 108 byte
      [65] 113 byte
      [66] 137 byte
      [67] 108 byte
      [68] 237 byte
      [69] 149 byte
      [70] 70 byte
      [71] 168 byte
      [72] 247 byte
      [73] 5 byte
      [74] 102 byte
      [75] 150 byte
      [76] 148 byte
      [77] 79 byte
      [78] 125 byte
      [79] 123 byte
      [80] 236 byte
      [81] 15 byte
      [82] 245 byte
      [83] 57 byte
      [84] 216 byte
      [85] 18 byte
      [86] 201 byte
      [87] 234 byte
      [88] 66 byte
      [89] 121 byte
      [90] 67 byte
      [91] 95 byte
      [92] 104 byte
      [93] 29 byte
      [94] 61 byte
      [95] 166 byte
      [96] 32 byte
      [97] 158 byte
      [98] 86 byte
      [99] 32 byte
      [100] 153 byte
      [101] 151 byte
      [102] 219 byte
      [103] 45 byte
      [104] 152 byte
      [105] 4 byte
      [106] 106 byte
      [107] 180 byte
      [108] 122 byte
      [109] 38 byte
      [110] 163 byte
      [111] 48 byte
      [112] 197 byte
      [113] 30 byte
      [114] 141 byte
      [115] 175 byte
      [116] 96 byte
      [117] 137 byte
      [118] 87 byte
      [119] 48 byte
      [120] 5 byte
      [121] 238 byte
      [122] 57 byte
      [123] 85 byte
      [124] 93 byte
      [125] 45 byte
      [126] 98 byte
      [127] 250 byte
      [128] 153 byte
      [129] 114 byte
      [130] 86 byte
      [131] 155 byte
      [132] 206 byte
      [133] 49 byte
      [134] 206 byte
      [135] 97 byte
      [136] 43 byte
      [137] 130 byte
      [138] 66 byte
      [139] 58 byte
      [140] 89 byte
      [141] 216 byte
      [142] 66 byte
      [143] 168 byte
      [144] 108 byte
      [145] 151 byte
      [146] 113 byte
      [147] 62 byte

off = 0
end = 148
token =
- attNameEnd {??:[8]} int[]
      [0] 0 int
      [1] 0 int
      [2] 0 int
      [3] 0 int
      [4] 0 int
      [5] 0 int
      [6] 0 int
      [7] 0 int
- attNameStart {??:[8]} int[]
      [0] 0 int
      [1] 0 int
      [2] 0 int
      [3] 0 int
      [4] 0 int
      [5] 0 int
      [6] 0 int
      [7] 0 int
- attNormalized {??:[8]} bool[]
      [0] false bool
      [1] false bool
      [2] false bool
      [3] false bool
      [4] false bool
      [5] false bool
      [6] false bool
      [7] false bool
- attValueEnd {??:[8]} int[]
      [0] 0 int
      [1] 0 int
      [2] 0 int
      [3] 0 int
      [4] 0 int
      [5] 0 int
      [6] 0 int
      [7] 0 int
- attValueStart {??:[8]} int[]
      [0] 0 int
      [1] 0 int
      [2] 0 int
      [3] 0 int
      [4] 0 int
      [5] 0 int
      [6] 0 int
      [7] 0 int

Alex

2007-05-02, 19:54 #4

Member since Feb 2003 · 4317 posts · Location: Germany
Group memberships: Administrators, Members

Show profile ·

Link to this post

there must be something wrong with your code then.
Do you have the string representation of the bytes in your post?
Do you push the decrypted bytes to the xml parser?

Alex

chinull

2007-05-03, 03:24 #5

Member since Apr 2007 · 11 posts
Group memberships: Members

Show profile ·

Link to this post

Hi,Alex
SEND: <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
RECV: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
SEND: <stream:stream to='chinull' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' xml:lang='zh-CN'>

after client sends this msg, the server trigger XmppServerConnection.ReadCallback

public void ReadCallback(IAsyncResult ar)
{
    // Retrieve the state object and the handler socket
    // from the asynchronous state object

    // Read data from the client socket.
      int bytesRead = 0;
      try
      {
   bytesRead = m_Sock.EndReceive(ar);
      }
      catch (Exception ex)
      {
      Console.WriteLine(ex.Message);
      }

    if (bytesRead > 0)
    {
      //any work should me do to change the encrypte bytes to decrypted bytes here
      streamParser.Push(buffer, 0, bytesRead);//Error occours here, How can I set the encrypt bytes to decrypted bytes

      // Not all data received. Get more.
      m_Sock.BeginReceive(buffer, 0, BUFFERSIZE, 0, new AsyncCallback(ReadCallback), null);
    }
    else
    {
      m_Sock.Shutdown(SocketShutdown.Both);
      m_Sock.Close();
    }
}

Jabberer 2007-05-03, 09:02 #6

Member since Feb 2006 · 249 posts
Group memberships: Members

Show profile ·

Link to this post

In reply to post #1

After TLS is established you have to switch to a new stream.
The socket reads the data from a stream. After StartTls you have set the stream to the SSL stream which encrypts and decrypts the data automatically. Take a look at the code in ClientSocket.cs, there you can see how handle this on the client side and you can see the 2 different streams.

Software Developer
AG-Software

chinull

2007-05-03, 12:07 #7

Member since Apr 2007 · 11 posts
Group memberships: Members

Show profile ·

Link to this post

//SEND: <stream:stream to='sales' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' xml:lang='zh-CN'>
ReadMessage(sslStream);

    public void SSLReadCallback(IAsyncResult ar)
      {

      // Read data from the server socket.
      int bytesRead = 0;
      try
      {
      bytesRead = m_NetworkStream.EndRead(ar);//148
      }
      catch (Exception ex)
      {
      Console.WriteLine(ex.Message);
      }

      if (bytesRead > 0 && m_NetworkStream != null && m_NetworkStream.CanRead)
      {
      // Use Decoder class to convert from bytes to UTF8
      // in case a character spans two buffers.
      Decoder decoder = Encoding.UTF8.GetDecoder();
      char[] chars = new char[decoder.GetCharCount(buffer, 0, bytesRead)];//74
      decoder.GetChars(buffer, 0, bytesRead, chars, 0);

      streamParser.Push(buffer, 0, bytesRead);

      // Not all data received. Get more.
      m_NetworkStream.BeginRead(buffer, 0, BUFFERSIZE, new AsyncCallback(SSLReadCallback), null);
      }
      else
      {
      m_NetworkStream.Close();
      m_Sock.Shutdown(SocketShutdown.Both);
      m_Sock.Close();
      }
      }
chars =
   [0] 23 '�' char
      [1] 3 '�' char
      [2] 1 '�' char
      [3] 0 '\0' char
      [4] 94 '^' char
      [5] 97 'a' char
      [6] 124 '|' char
      [7] 56 '8' char
      [8] 81 'Q' char
      [9] 52 '4' char
      [10] 54 '6' char
      [11] 36 '$' char
      [12] 50 '2' char
      [13] 25 '�' char
      [14] 111 'o' char
      [15] 31 '�' char
      [16] 37 '%' char
      [17] 67 'C' char
      [18] 122 'z' char
      [19] 687 '?' char
      [20] 18 '�' char
      [21] 107 'k' char
      [22] 1094 '?' char
      [23] 44 ',' char
      [24] 53 '5' char
      [25] 1651 '?' char
      [26] 3 '�' char
      [27] 31 '�' char
      [28] 81 'Q' char
      [29] 26 '�' char
      [30] 37 '%' char
      [31] 60 '<' char
      [32] 651 '?' char
      [33] 68 'D' char
      [34] 54 '6' char
      [35] 17 '�' char
      [36] 126 '~' char
      [37] 60 '<' char
      [38] 66 'B' char
      [39] 19 '�' char
      [40] 5 '�' char
      [41] 46 '.' char
      [42] 38 '&' char
      [43] 17 '�' char
      [44] 15 '�' char
      [45] 73 'I' char
      [46] 860 '?' char
      [47] 90 'Z' char
      [48] 104 'h' char
      [49] 126 '~' char
      [50] 7 '\a' char
      [51] 11 '\v' char
      [52] 15 '�' char
      [53] 27 '�' char
      [54] 41 ')' char
      [55] 19 '�' char
      [56] 48 '0' char
      [57] 68 'D' char
      [58] 780 '?' char
      [59] 92 '\\' char
      [60] 90 'Z' char
      [61] 40 '(' char
      [62] 62 '>' char
      [63] 27 '�' char
      [64] 27 '�' char
      [65] 7 '\a' char
      [66] 105 'i' char
      [67] 115 's' char
      [68] 19 '�' char
      [69] 38 '&' char
      [70] 72 'H' char
      [71] 24 '�' char
      [72] 4 '�' char
      [73] 68 'D' char

      private string ReadMessage(SslStream sslStream)
      {
      // Read the message sent by the client.
      // The client signals the end of the message using the
      // "<EOF>" marker.
      byte[] buffer = new byte[2048];
      StringBuilder messageData = new StringBuilder();
      int bytes = -1;
      do
      {
      // Read the client's test message.
      bytes = sslStream.Read(buffer, 0, buffer.Length);//127

      // Use Decoder class to convert from bytes to UTF8
      // in case a character spans two buffers.
      Decoder decoder = Encoding.UTF8.GetDecoder();
      char[] chars = new char[decoder.GetCharCount(buffer, 0, bytes)];//127
      decoder.GetChars(buffer, 0, bytes, chars, 0);
      messageData.Append(chars);
      // Check for EOF or an empty message.
      //if (messageData.ToString().IndexOf("<EOF>") != -1)
      //{
      // break;
      //}
      } while (bytes != 0);

      return messageData.ToString();
      }
chars =
      [0] 60 '<' char
      [1] 115 's' char
      [2] 116 't' char
      [3] 114 'r' char
      [4] 101 'e' char
      [5] 97 'a' char
      [6] 109 'm' char
      [7] 58 ':' char
      [8] 115 's' char
      [9] 116 't' char
      [10] 114 'r' char
      [11] 101 'e' char
      [12] 97 'a' char
      [13] 109 'm' char
      [14] 32 ' ' char
      [15] 116 't' char
      [16] 111 'o' char
      [17] 61 '=' char
      [18] 39 '\'' char
      [19] 115 's' char
      [20] 97 'a' char
      [21] 108 'l' char
      [22] 101 'e' char
      [23] 115 's' char
      [24] 39 '\'' char
      [25] 32 ' ' char
      [26] 120 'x' char
      [27] 109 'm' char
      [28] 108 'l' char
      [29] 110 'n' char
      [30] 115 's' char
      [31] 61 '=' char
      [32] 39 '\'' char
      [33] 106 'j' char
      [34] 97 'a' char
      [35] 98 'b' char
      [36] 98 'b' char
      [37] 101 'e' char
      [38] 114 'r' char
      [39] 58 ':' char
      [40] 99 'c' char
      [41] 108 'l' char
      [42] 105 'i' char
      [43] 101 'e' char
      [44] 110 'n' char
      [45] 116 't' char
      [46] 39 '\'' char
      [47] 32 ' ' char
      [48] 120 'x' char
      [49] 109 'm' char
      [50] 108 'l' char
      [51] 110 'n' char
      [52] 115 's' char
      [53] 58 ':' char
      [54] 115 's' char
      [55] 116 't' char
      [56] 114 'r' char
      [57] 101 'e' char
      [58] 97 'a' char
      [59] 109 'm' char
      [60] 61 '=' char
      [61] 39 '\'' char
      [62] 104 'h' char
      [63] 116 't' char
      [64] 116 't' char
      [65] 112 'p' char
      [66] 58 ':' char
      [67] 47 '/' char
      [68] 47 '/' char
      [69] 101 'e' char
      [70] 116 't' char
      [71] 104 'h' char
      [72] 101 'e' char
      [73] 114 'r' char
      [74] 120 'x' char
      [75] 46 '.' char
      [76] 106 'j' char
      [77] 97 'a' char
      [78] 98 'b' char
      [79] 98 'b' char
      [80] 101 'e' char
      [81] 114 'r' char
      [82] 46 '.' char
      [83] 111 'o' char
      [84] 114 'r' char
      [85] 103 'g' char
      [86] 47 '/' char
      [87] 115 's' char
      [88] 116 't' char
      [89] 114 'r' char
      [90] 101 'e' char
      [91] 97 'a' char
      [92] 109 'm' char
      [93] 115 's' char
      [94] 39 '\'' char
      [95] 32 ' ' char
      [96] 118 'v' char
      [97] 101 'e' char
      [98] 114 'r' char
      [99] 115 's' char
      [100] 105 'i' char
      [101] 111 'o' char
      [102] 110 'n' char
      [103] 61 '=' char
      [104] 39 '\'' char
      [105] 49 '1' char
      [106] 46 '.' char
      [107] 48 '0' char
      [108] 39 '\'' char
      [109] 32 ' ' char
      [110] 120 'x' char
      [111] 109 'm' char
      [112] 108 'l' char
      [113] 58 ':' char
      [114] 108 'l' char
      [115] 97 'a' char
      [116] 110 'n' char
      [117] 103 'g' char
      [118] 61 '=' char
      [119] 39 '\'' char
      [120] 122 'z' char
      [121] 104 'h' char
      [122] 45 '-' char
      [123] 67 'C' char
      [124] 78 'N' char
      [125] 39 '\'' char
      [126] 62 '>' char

This post was edited on 2007-05-03, 14:12 by chinull.

Alex

2007-05-03, 13:04 #8

Member since Feb 2003 · 4317 posts · Location: Germany
Group memberships: Administrators, Members

Show profile ·

Link to this post

Hallo,

It's not there for servers, only for clients. But there is no big difference if you setup a SslStream on the server or on the client side. You have to write the code yourself.

If you need this code we can add this for you via the professional services we offer. If you are interested, please contact the AG-Software Sales at sales@ag-software.de

Alex

chinull

2007-05-03, 16:51 #9

Member since Apr 2007 · 11 posts
Group memberships: Members

Show profile ·

Link to this post

thank you, jabberer, now the ssl server is ok.
but when the server push the stream <stream:stream to='sales' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0' xml:lang='zh-CN'>
   streamParser.Push(buffer, 0, bytesRead);

      m_NetworkStream.BeginRead(buffer, 0, BUFFERSIZE, new AsyncCallback(ReadCallback), null);
why server have no response to client request?

in the xml\StreamParser.cs StartTag Method
...
      if (m_root == null)//m_root is not null,After step 7,should I set m_root to null?
      {
      m_root = newel;
      //FireOnDocumentStart(m_root);
      if (OnStreamStart!=null)
      OnStreamStart(this, m_root);
      }
      else
      {
      if (current != null)
      current.AddChild(newel);
      current = newel;
      }
...
how can I finish the TLS step 8?any information can give to me ?

chinull

2007-05-03, 18:00 #10

Member since Apr 2007 · 11 posts
Group memberships: Members

Show profile ·

Link to this post

After change the NetworkStream to SSLStream, I reset the server XmppSeverConnection's StreamParser,then is ok now.
thanks all
It's my a big step.

Alex

2007-05-05, 10:26 #11

Member since Feb 2003 · 4317 posts · Location: Germany
Group memberships: Administrators, Members

Show profile ·

Link to this post

Hallo,

would be cool if you can post your code. It may be useful for other developers as well.

Alex