
How to disable SASL external?

Justin Posey
Added about 5 years ago

Hi Tigase team. We are having trouble with an XMPP client after upgrading to Tigase 5.2.0. The client (tXMPP) does not strictly adhere to TLSv1.2.

TLSv1.1 RFC:

"If no suitable certificate is available, the client MUST send a certificate message containing no certificates"

TLSv1.2 RFC:

"If no suitable certificate is available, the client SHOULD send a certificate message containing no certificates"

More information is provided here: http://stackoverflow.com/questions/14875094/ssl-server-socket-want-auth-option

The tXMPP client does not send a certificate message containing no certificates, but it always tries to use TLSv1.2.

TLSWrapper controls the TLSEngine's choice to want client auth (client certificate):

// Server side only: ask the client for a certificate (but do not require one)
if (!clientMode && wantClientAuth) {
    tlsEngine.setWantClientAuth(true);
}

wantClientAuth comes from ClientTrustManagerFactory. ClientTrustManagerFactory initializes "saslExternalAvailable" to true and there doesn't appear to be a way to set it to false. So, wantClientAuth is always true.

We kindly request that you add a way for us to disable saslExternalAvailable to be backward compatible with clients that do not send an empty certificate message. Thanks!
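The behaviour under discussion comes down to what the server-side SSLEngine is told to do about client certificates. The following is an added, stand-alone example (not Tigase code, and not the TLSWrapper or ClientTrustManagerFactory classes from the post) using only the standard JSSE API. The helper names `createServerEngine` and `clientCertCaPath` are assumptions introduced for illustration; the string setting stands in for something like the `c2s/clientCertCA` property mentioned in the thread. It shows the three states an engine can be in: no client certificate requested, certificate requested but optional (`setWantClientAuth`), and certificate required (`setNeedClientAuth`), and why the default should be the first one.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.NoSuchAlgorithmException;

/**
 * Added example: derive the SSLEngine client-auth mode from configuration
 * instead of defaulting to "want client auth". Not Tigase code.
 */
public final class ClientAuthPolicyDemo {

    /**
     * @param ctx               an initialised SSLContext (server key material already loaded)
     * @param clientCertCaPath  hypothetical setting: path of the CA that client certs are
     *                          validated against; null/empty means "client certs not configured"
     * @param requireClientCert if true and a CA is configured, require a client cert instead
     *                          of merely requesting one
     */
    static SSLEngine createServerEngine(SSLContext ctx, String clientCertCaPath,
                                        boolean requireClientCert) {
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(false); // we are the server side of the handshake

        // Only offer certificate-based (SASL EXTERNAL style) auth when an operator
        // has actually configured a CA to validate client certificates against.
        boolean clientCertsConfigured =
                clientCertCaPath != null && !clientCertCaPath.isEmpty();

        if (!clientCertsConfigured) {
            // Default: no CertificateRequest is sent, so clients that cannot produce
            // an empty Certificate message never hit the problem described above.
            engine.setWantClientAuth(false);
            engine.setNeedClientAuth(false);
        } else if (requireClientCert) {
            // Handshake fails unless the client presents an acceptable certificate.
            // Note: setNeedClientAuth(true) implicitly clears the "want" flag.
            engine.setNeedClientAuth(true);
        } else {
            // Server sends CertificateRequest; a client without a cert must answer with
            // an empty Certificate message (TLS 1.2 says SHOULD, TLS 1.1 says MUST).
            engine.setWantClientAuth(true);
        }
        return engine;
    }

    /** Human-readable summary of the engine's client-auth mode, for logging/auditing. */
    static String describe(SSLEngine engine) {
        if (engine.getNeedClientAuth()) return "client certificate REQUIRED";
        if (engine.getWantClientAuth()) return "client certificate REQUESTED (optional)";
        return "client certificate NOT requested";
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // SSLContext.getDefault() is enough to demonstrate the flags; a real server
        // would build its context from its own keystore/truststore.
        SSLContext ctx = SSLContext.getDefault();

        System.out.println("no CA configured   : "
                + describe(createServerEngine(ctx, null, false)));
        System.out.println("CA, optional cert  : "
                + describe(createServerEngine(ctx, "/path/to/client-ca.pem", false)));
        System.out.println("CA, required cert  : "
                + describe(createServerEngine(ctx, "/path/to/client-ca.pem", true)));
    }
}
```

Running `main` prints the three modes in turn. The practical check for an operator is the first line: a server that is not deliberately using client certificates should report "NOT requested", because any `CertificateRequest` on the wire turns a client's spec compliance (sending an empty Certificate message) into a hard dependency for the handshake to succeed.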


Replies (4)


Added by Bartosz Małkowski TigaseTeam about 5 years ago

saslExternalAvailable is true ONLY when you set c2s/clientCertCA= in init.properties.

Added by Justin Posey about 5 years ago

Hi Bartosz,

Looking at the code, I don't agree. :) saslExternalAvailable is initialized to be true when it is declared, and there is no place to set it to false. I think the bug is that saslExternalAvailable is initialized to be true when it should actually be initialized to false.


Added by Bartosz Małkowski TigaseTeam about 5 years ago

Phew!

You scared me. I checked the latest code and doubted my mental health. ;-)
