Open Source and information security mailing list archives
 
Date: Mon, 1 Oct 2012 20:18:43 +0100
From: Tim Brown <timb@...-dimension.org.uk>
To: full-disclosure@...ts.grok.org.uk
Subject: Google Talk s2s SSL configuration

Hi all,

I'm reporting this publicly since Google have not responded to my private 
enquiries dating back to February this year (#963055119 according to their 
security@ auto responder).

So I run an XMPP server and by default I demand a 256-bit cipher for my 
dialback peers:

<host xmpp="yes" tls="256"/>

However with Talk, I vaguely recall needing to set it explicitly per host to 
accept ciphers with 128 bit keys before it would work.  Anyway, I recently 
rebuilt my server and on the new server I no longer appear to be able to 
negotiate TLS with Talk at all.  (I'm not sure if my old server could in its 
final days either; however, TLS negotiation still works for other s2s dialback 
peers - such as jabber.org).  To get my server to talk to Talk I needed to 
set:

<host name="gmail.com" xmpp="yes" tls="yes"/>

which is opportunistic and which results in the following in my logs:

20120212T11:00:41: [notice] (s2s.jabber.nth-dimension.org.uk): connected to 
gmail.com (unencrypted, no cert, auth=db, stream=preXMPP, compression=none)

For reference I have manually validated that traffic to Talk is unencrypted.

It's possible that this is a problem at my end, but as I said earlier TLS 
appears to work fine with other peers.

Can anyone else confirm if this is expected behavior?  If that is the case, 
does anyone know if there is a reason why TLS is not currently supported?  

Obviously the implication if I'm correct is that any traffic between a user on 
a privately operated XMPP server and a user on Talk is open to man-in-the-
middle attacks even without the cooperation of Google.

Tim
PS I am aware of discussions on various XMPP lists around this issue, but 
no one seems to have come up with a satisfactory answer.
-- 
Tim Brown
<mailto:timb@...-dimension.org.uk>
<http://www.nth-dimension.org.uk/>
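
Added example, not part of the original message: a Python check that scans an s2s log for peers whose link was logged as unencrypted, so a silent fallback under tls="yes" is caught. The entry layout is inferred from the single log line quoted in the message; peer.example and its attribute list are constructed placeholders, not real server output.

```python
import re

# Constructed sample. The first entry is the log line quoted in the message
# (wrapped as it was in the mail); the second uses a PLACEHOLDER attribute
# list for an encrypted session and is not real server output.
SAMPLE_LOG = """\
20120212T11:00:41: [notice] (s2s.jabber.nth-dimension.org.uk): connected to
gmail.com (unencrypted, no cert, auth=db, stream=preXMPP, compression=none)
20120212T11:02:10: [notice] (s2s.jabber.nth-dimension.org.uk): connected to
peer.example (encrypted-placeholder, auth=db, compression=none)
20120212T11:03:00: [notice] (s2s.jabber.nth-dimension.org.uk): some other event
"""

# Assumption: every entry starts with a timestamp shaped like the quoted one.
ENTRY_START = re.compile(r"^\d{8}T\d{2}:\d{2}:\d{2}: ")
CONNECTED = re.compile(
    r"^(?P<ts>\d{8}T\d{2}:\d{2}:\d{2}): \[(?P<level>\w+)\] \((?P<component>[^)]+)\): "
    r"connected to (?P<peer>\S+) \((?P<attrs>[^)]*)\)$"
)

def join_wrapped(text):
    """Re-join entries that were wrapped; a new entry starts with a timestamp."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def unencrypted_peers(text):
    """Return (timestamp, peer, attrs) for every s2s link logged as unencrypted."""
    hits = []
    for entry in join_wrapped(text):
        m = CONNECTED.match(entry)
        if not m:
            continue  # not a "connected to" entry
        attrs = [a.strip() for a in m.group("attrs").split(",")]
        if "unencrypted" in attrs:
            hits.append((m.group("ts"), m.group("peer"), attrs))
    return hits

if __name__ == "__main__":
    for ts, peer, attrs in unencrypted_peers(SAMPLE_LOG):
        print(f"{ts} cleartext s2s link to {peer}: {', '.join(attrs)}")
```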
