Forum: MatriX RSS
johnm60 #1
Member since Jun 2010 · 32 posts
Group memberships: Members
Subject: Using TLS
Hi Alex

I have been looking at setting a server to TLS. I am pretty sure I have got this working before, but I am now having problems and I am unsure where to start.

I have configured an Isode server to use TLS (with self-certified certs) and using Psi and Pidgin I can connect using TLS (both of which ask me to accept the certificate, as expected).

Using Matrix, I have set the StartTls property and have implemented the code snippet that I have seen here before for acceptance of certificates. My code is:

client.Port = 5222;                       // standard XMPP client port
client.Hostname = txtServer.Text;         // host to open the TCP connection to
client.XmppDomain = txtDomain.Text;       // domain sent in the stream header (to="...")
client.Username = txtUsername.Text;
client.Password = txtPassword.Text;
client.StartTls = checkBox1.Checked;      // negotiate TLS with <starttls/> once the stream is open
client.Open();

using the same values, the application connects correctly when StartTls is set to false, but never properly gets going when set to true. When set to "true", the diagnostic output looks like this:

[7036] SEND: <stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" to="acme.com" version="1.0" >
[7036] RECV: <stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="acme.com" id="23f30904d5624f4f" version="1.0" >
[7036] RECV: <stream:features xmlns:stream="http://etherx.jabber.org/streams">
[7036]   <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
[7036]   <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
[7036]     <mechanism>SCRAM-SHA-1</mechanism>
[7036]     <mechanism>PLAIN</mechanism>
[7036]     <mechanism>NTLM</mechanism>
[7036]     <mechanism>GSSAPI</mechanism>
[7036]     <mechanism>GSS-SPNEGO</mechanism>
[7036]     <mechanism>DIGEST-MD5</mechanism>
[7036]     <mechanism>CRAM-MD5</mechanism>
[7036]   </mechanisms>
[7036]   <compression xmlns="http://jabber.org/features/compress">
[7036]     <method>zlib</method>
[7036]   </compression>
[7036]   <ver xmlns="urn:xmpp:features:rosterver">
[7036]     <optional />
[7036]   </ver>
[7036] </stream:features> THREAD 10
[7036] client_OnStreamFeatures <stream:features xmlns:stream="http://etherx.jabber.org/streams">
[7036]   <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
[7036]   <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
[7036]     <mechanism>SCRAM-SHA-1</mechanism>
[7036]     <mechanism>PLAIN</mechanism>
[7036]     <mechanism>NTLM</mechanism>
[7036]     <mechanism>GSSAPI</mechanism>
[7036]     <mechanism>GSS-SPNEGO</mechanism>
[7036]     <mechanism>DIGEST-MD5</mechanism>
[7036]     <mechanism>CRAM-MD5</mechanism>
[7036]   </mechanisms>
[7036]   <compression xmlns="http://jabber.org/features/compress">
[7036]     <method>zlib</method>
[7036]   </compression>
[7036]   <ver xmlns="urn:xmpp:features:rosterver">
[7036]     <optional />
[7036]   </ver>
[7036] </stream:features>
[7036] SEND: <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
[7036] RECV: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
[7036] client_OnClose

This looks like the server was waiting for the client to carry on with authentication, but nothing happens. As I said earlier, I used your snippet for handling a self-signed cert, but this event never gets called.

I feel like I am missing something really obvious.

Regards
John
Alex #2
Member since Feb 2003 · 4327 posts · Location: Germany
Group memberships: Administrators, Members
are you subscribed to the ValidateCertificate handler?

You have to accept the certificate because self signed certs are untrusted.
private void ValidateCertificate(CertificateEventArgs e)
{
    // Accepts every certificate the server presents, including self-signed ones.
    e.AcceptCertificate = true;
}
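The handler above accepts whatever certificate the server presents, so it also accepts one presented by anything sitting between the client and the server. As an added example (not MatriX's own code), here is the same handler written to tolerate only the one self-signed certificate you expect, by pinning its SHA-256 fingerprint. It assumes that CertificateEventArgs also exposes the certificate (Certificate) and the SslPolicyErrors (PolicyErrors) that .NET's validation callback produces; check those member names against your MatriX version. The fingerprint value is a placeholder to be filled in from your own server's certificate.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// ASSUMPTION: e.Certificate and e.PolicyErrors mirror the parameters of
// System.Net.Security.RemoteCertificateValidationCallback. If your MatriX
// version names them differently, adjust the two property reads below.

// PLACEHOLDER: hex SHA-256 of the DER encoding of your server's certificate.
private static readonly string ExpectedSha256 = "PUT_YOUR_SERVER_CERT_SHA256_HERE";

private static string Sha256Hex(X509Certificate cert)
{
    using (var sha = SHA256.Create())
    {
        byte[] digest = sha.ComputeHash(cert.GetRawCertData());
        return BitConverter.ToString(digest).Replace("-", "");
    }
}

private void ValidateCertificate(CertificateEventArgs e)
{
    // A certificate that chains to a trusted CA with a matching name needs no exception.
    if (e.PolicyErrors == SslPolicyErrors.None)
    {
        e.AcceptCertificate = true;
        return;
    }

    // Tolerate only the error a self-signed certificate produces (untrusted chain),
    // and only when the certificate is exactly the one we pinned.
    bool onlyChainError = e.PolicyErrors == SslPolicyErrors.RemoteCertificateChainErrors;
    bool pinned = e.Certificate != null
        && string.Equals(Sha256Hex(e.Certificate), ExpectedSha256, StringComparison.OrdinalIgnoreCase);

    e.AcceptCertificate = onlyChainError && pinned;

    if (!e.AcceptCertificate)
    {
        // Log rather than silently drop: a rejected certificate is what a bare
        // client_OnClose in the debug output hides.
        string subject = e.Certificate == null ? "(none)" : e.Certificate.Subject;
        Console.WriteLine("Rejected server certificate " + subject + ": " + e.PolicyErrors);
    }
}
```

A name mismatch (RemoteCertificateNameMismatch) is deliberately not tolerated here; if you connect by IP address but the certificate carries the domain name, fix the hostname you pass to the client rather than widening the exception.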
johnm60 #3
Member since Jun 2010 · 32 posts
Group memberships: Members
Hi Alex

Yes, I have that piece of code thanks. Since my post I have done some more testing and if I run the test harness on the server, then it works (correctly asking me to accept the certificate).

So this is looking like a ports or firewall issue. What I am struggling to understand is how Pidgin can connect, but my application cannot. I have used TCPView to verify that Pidgin is on port 5222.

Any more thoughts?

Regards
john
johnm60 #4
Member since Jun 2010 · 32 posts
Group memberships: Members
More info. Looking at the logs that Pidgin generates:

(16:03:40) account: Connecting to account fred.bloggs@breakdown-service.net/.
(16:03:40) connection: Connecting. gc = 04B73658
(16:03:40) dnsquery: Performing DNS lookup for 86.54.187.72
(16:03:40) dnsquery: IP resolved for 86.54.187.72
(16:03:40) proxy: Attempting connection to 86.54.187.72
(16:03:40) proxy: Connecting to 86.54.187.72:5222 with no proxy
(16:03:40) proxy: Connection in progress
(16:03:40) proxy: Connecting to 86.54.187.72:5222.
(16:03:40) proxy: Connected to 86.54.187.72:5222.
(16:03:40) jabber: Sending (fred.bloggs@breakdown-service.net/): <?xml version='1.0' ?>
(16:03:40) jabber: Sending (fred.bloggs@breakdown-service.net/): <stream:stream to='breakdown-service.net' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>
(16:03:40) jabber: Recv (688): <?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='breakdown-service.net' id='eabfae4193e78636' version='1.0'><stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>SCRAM-SHA-1</mechanism><mechanism>PLAIN</mechanism><mechanism>NTLM</mechanism><mechanism>GSSAPI</mechanism><mechanism>GSS-SPNEGO</mechanism><mechanism>DIGEST-MD5</mechanism><mechanism>CRAM-MD5</mechanism></mechanisms><compression xmlns='http://jabber.org/features/compress'><method>zlib</method></compression><ver xmlns='urn:xmpp:features:rosterver'><optional/></ver></stream:features>
(16:03:40) jabber: Sending (fred.bloggs@breakdown-service.net/): <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(16:03:40) jabber: Recv (50): <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
(16:03:40) nss: subject=CN=breakdown-service.net,CN=Servers,CN=Messaging Configuration,O=Breakdown Service issuer=CN=ca,O=Breakdown Service
(16:03:40) nss: subject=CN=ca,O=Breakdown Service issuer=CN=ca,O=Breakdown Service
(16:03:40) certificate/x509/tls_cached: Starting verify for 86.54.187.72
(16:03:40) certificate/x509/tls_cached: Checking for cached cert...
(16:03:40) certificate/x509/tls_cached: ...Found cached cert
(16:03:40) nss/x509: Loading certificate from C:\Users\John\AppData\Roaming\.purple\certificates\x509\tls_peers\86.54.187.72
(16:03:40) certificate/x509/tls_cached: Peer cert matched cached
(16:03:40) nss/x509: Exporting certificate to C:\Users\John\AppData\Roaming\.purple\certificates\x509\tls_peers\86.54.187.72
(16:03:40) util: Writing file C:\Users\John\AppData\Roaming\.purple\certificates\x509\tls_peers\86.54.187.72
(16:03:40) certificate: Successfully verified certificate for 86.54.187.72
(16:03:40) jabber: Sending (ssl) (fred.bloggs@breakdown-service.net/): <stream:stream to='breakdown-service.net' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>

When I compare this to the debug output from the same account info from my test app, I get:

[5604] SEND: <stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" to="breakdown-service.net" version="1.0" > THREAD 10
[5604] RECV: <stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="breakdown-service.net" id="77e040341c4e5ce0" version="1.0" > THREAD 10
[5604] RECV: <stream:features xmlns:stream="http://etherx.jabber.org/streams">
[5604]   <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
[5604]   <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
[5604]     <mechanism>SCRAM-SHA-1</mechanism>
[5604]     <mechanism>PLAIN</mechanism>
[5604]     <mechanism>NTLM</mechanism>
[5604]     <mechanism>GSSAPI</mechanism>
[5604]     <mechanism>GSS-SPNEGO</mechanism>
[5604]     <mechanism>DIGEST-MD5</mechanism>
[5604]     <mechanism>CRAM-MD5</mechanism>
[5604]   </mechanisms>
[5604]   <compression xmlns="http://jabber.org/features/compress">
[5604]     <method>zlib</method>
[5604]   </compression>
[5604]   <ver xmlns="urn:xmpp:features:rosterver">
[5604]     <optional />
[5604]   </ver>
[5604] </stream:features> THREAD 10
[5604] client_OnStreamFeatures <stream:features xmlns:stream="http://etherx.jabber.org/streams">
[5604]   <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" />
[5604]   <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
[5604]     <mechanism>SCRAM-SHA-1</mechanism>
[5604]     <mechanism>PLAIN</mechanism>
[5604]     <mechanism>NTLM</mechanism>
[5604]     <mechanism>GSSAPI</mechanism>
[5604]     <mechanism>GSS-SPNEGO</mechanism>
[5604]     <mechanism>DIGEST-MD5</mechanism>
[5604]     <mechanism>CRAM-MD5</mechanism>
[5604]   </mechanisms>
[5604]   <compression xmlns="http://jabber.org/features/compress">
[5604]     <method>zlib</method>
[5604]   </compression>
[5604]   <ver xmlns="urn:xmpp:features:rosterver">
[5604]     <optional />
[5604]   </ver>
[5604] </stream:features> THREAD 10
[5604] SEND: <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls" /> THREAD 10
[5604] RECV: <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls" /> THREAD 10
[5604] client_OnClose  THREAD 10

This seems to me that Matrix is trying to check the client certificate (like Pidgin does), but then closes the connection because something is not right. I have an event handler on the OnValidCertificate event and this is never called.

Is there any more diagnostics that can be done?

Regards
john
Alex #5
Member since Feb 2003 · 4327 posts · Location: Germany
Group memberships: Administrators, Members
Quote by johnm60:
Is there any more diagnostics that can be done?
no, not in the binary version. MatriX is using the .NET SslStream classes. So I assume .NET does not like your certificate.

Alex
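Since the binary MatriX build gives no further detail, the same STARTTLS exchange can be replayed outside the library with the .NET classes it uses. The following added diagnostic is not MatriX code: it takes the host, the XMPP domain and optionally the port as command-line arguments, performs the opening stream and the <starttls/> / <proceed/> step shown in the debug logs above with a minimal string-matching reader, and then runs the SslStream handshake with a callback that prints the SslPolicyErrors and every X509Chain status. That printed chain status is the information a bare client_OnClose hides, and it is what tells you why .NET rejects the certificate.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added diagnostic probe, independent of MatriX.
// Usage: StartTlsProbe.exe <host> <xmppdomain> [port]
class StartTlsProbe
{
    static void Main(string[] args)
    {
        string host = args[0];
        string domain = args[1];
        int port = args.Length > 2 ? int.Parse(args[2]) : 5222;

        using (var tcp = new TcpClient(host, port))
        using (NetworkStream net = tcp.GetStream())
        {
            // Same opening exchange as in the debug output above.
            Send(net, "<stream:stream xmlns:stream='http://etherx.jabber.org/streams' " +
                      "xmlns='jabber:client' to='" + domain + "' version='1.0'>");
            string features = ReadUntil(net, "</stream:features>");
            if (!features.Contains("urn:ietf:params:xml:ns:xmpp-tls"))
            {
                Console.WriteLine("Server did not offer STARTTLS.");
                return;
            }

            Send(net, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
            string reply = ReadUntil(net, "/>");
            if (!reply.Contains("<proceed"))
            {
                Console.WriteLine("STARTTLS refused: " + reply);
                return;
            }

            // This is the step MatriX performs internally with SslStream;
            // the callback reports what .NET objects to before the stream is closed.
            var ssl = new SslStream(net, false, ReportAndReject);
            try
            {
                ssl.AuthenticateAsClient(domain);
                Console.WriteLine("TLS handshake succeeded: " + ssl.SslProtocol + " / " + ssl.CipherAlgorithm);
            }
            catch (AuthenticationException ex)
            {
                Console.WriteLine("Handshake failed: " + ex.Message);
                if (ex.InnerException != null)
                    Console.WriteLine("  inner: " + ex.InnerException.Message);
            }
        }
    }

    // Diagnostic-only callback: prints everything and accepts only a clean validation.
    static bool ReportAndReject(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        Console.WriteLine("Subject: " + (cert == null ? "(none)" : cert.Subject));
        Console.WriteLine("Issuer:  " + (cert == null ? "(none)" : cert.Issuer));
        Console.WriteLine("Policy errors: " + errors);
        if (chain != null)
        {
            foreach (X509ChainElement el in chain.ChainElements)
                foreach (X509ChainStatus st in el.ChainElementStatus)
                    Console.WriteLine("  " + el.Certificate.Subject + ": " + st.Status +
                                      " (" + st.StatusInformation.Trim() + ")");
        }
        return errors == SslPolicyErrors.None;
    }

    static void Send(Stream s, string xml)
    {
        byte[] b = Encoding.UTF8.GetBytes(xml);
        s.Write(b, 0, b.Length);
        Console.WriteLine("SEND: " + xml);
    }

    // Reads until the marker appears; adequate for the ASCII stanzas of this exchange.
    static string ReadUntil(Stream s, string marker)
    {
        var sb = new StringBuilder();
        byte[] buf = new byte[4096];
        while (!sb.ToString().Contains(marker))
        {
            int n = s.Read(buf, 0, buf.Length);
            if (n <= 0) throw new IOException("Connection closed before " + marker);
            sb.Append(Encoding.UTF8.GetString(buf, 0, n));
        }
        Console.WriteLine("RECV: " + sb);
        return sb.ToString();
    }
}
```

The probe stops after the handshake; it never authenticates, so it can be pointed at a server with only the connection details. If the chain statuses are clean on one Windows version and not on another, the difference is in that machine's certificate handling rather than in MatriX, which is the comparison the next post confirms.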
johnm60 #6
Member since Jun 2010 · 32 posts
Group memberships: Members
Hi Alex

You were right. I have just talked to Isode and they tell me that certain certificates are not liked by Windows 7 (the OS I am using). Having found this out, I just tried my test application on an XP virtual machine and it is more than happy!

Sorry to waste your time.

Regards
John
joinvert #7
Member since Feb 2011 · 2 posts
Group memberships: Members
OpenLDAP clients and servers are capable of using the Transport Layer Security (TLS) framework to provide integrity and confidentiality protections and to support LDAP authentication using the SASL EXTERNAL mechanism.