[Bug 39057] Can't connect to Oracle Jabber server
bugzilla-daemon at freedesktop.org
bugzilla-daemon at freedesktop.org
Fri Aug 14 01:57:42 PDT 2015
https://bugs.freedesktop.org/show_bug.cgi?id=39057
Leonid Evdokimov <leon+freedesktop at darkk.net.ru> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |leon+freedesktop at darkk.net.
| |ru
--- Comment #19 from Leonid Evdokimov <leon+freedesktop at darkk.net.ru> ---
Created attachment 117676
--> https://bugs.freedesktop.org/attachment.cgi?id=117676&action=edit
patch for 0.18.3
I suggest following patch to be applied after improvements. Let me describe the
patch.
1) `id` generation is improved: predictable nonce is replaced with secure
random number
2) if stanza is sent to `our` server AND connection to `our` server is
TLS-protected, then `id` can't be sniffed
IMHO, these two points and the fact that spoofing() is called after checking
`id` match make dropping `from` checks for to-our-server stanzas secure enough.
I do not drop `from` check, but replace it with `privacy-cm.` prefix lookup to
make it clear, that it's workaround for buggy server.
There is possible improvement in `id` generation – trivial N-bit random string
may be replaced with ECB-encrypted nonce. nonce should be at least 64-bit in
this case and encryption key should be changed once per session. That will make
shift id reuse from `improbable` to `impossible`, but I'm not sure if
additional complexity makes sense.
I also think that `from` check can be safely dropped only on TLS-protected
connection. I don't know how to implement `is_tls(self)` as I do not understand
wocky library in-depth. I found no easy way to check if TLS-handshake is
completed. Can it be done?
I tested the patch with telepathy-gabble=0.18.3-0ubuntu0.1 and it seems to work
at first glance.
--
You are receiving this mail because:
You are the QA Contact for the bug.
You are the assignee for the bug.
More information about the telepathy-bugs
mailing list