
Cannot use custom SSLContext for self-signed certificate

Natale Vinto
Added over 4 years ago

Hi,

I'm trying to use TLS with self-signed certificates on Tigase 5.3.0-b3609 and a fully qualified domain name set up in /etc/hosts (so not a public DNS), but it looks like the server closes the connection.

I'm using the Smack library, which was working with the same server with version 3.x, but now with the latest 4.0.4 I get the connection closed. The new client library fixed a known vulnerability, but I was writing here to understand if the issue comes from the missing hostname verification on the client or if there's something that the server would expect that is missing from the client.

Here is the snippet of the client code:

    import java.security.SecureRandom;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;
    import org.jivesoftware.smack.ConnectionConfiguration;

    SSLContext sslContext = null;
    TrustManager tm = null;

    try {
        sslContext = SSLContext.getInstance("TLS");
        if (!trust) { // 'trust' is a boolean set elsewhere by the caller
            // Trust manager that accepts every chain, so the self-signed
            // server certificate is never rejected (no validation at all)
            tm = new X509TrustManager() {
                @Override
                public void checkClientTrusted(X509Certificate[] chain,
                        String authType) throws CertificateException {
                }

                @Override
                public void checkServerTrusted(X509Certificate[] chain,
                        String authType) throws CertificateException {
                }

                @Override
                public X509Certificate[] getAcceptedIssuers() {
                    return new X509Certificate[0]; // the contract requires a non-null array
                }
            };

            sslContext.init(null, new TrustManager[]{tm}, new SecureRandom());
            // hostname as IP, port, service name
            ConnectionConfiguration config = new ConnectionConfiguration("1.2.3.4", 5222, "sub.domain.net");
            config.setCustomSSLContext(sslContext);
            // wraps the TCP socket in TLS from the first byte (handshake on connect)
            config.setSocketFactory(sslContext.getSocketFactory());
        }
    } catch (java.security.GeneralSecurityException e) {
        throw new RuntimeException(e);
    }

what I get on the client is:

javax.net.ssl.SSLException: Connection closed by peer
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:405)
at com.android.org.conscrypt.OpenSSLSocketImpl$SSLInputStream.<init>(OpenSSLSocketImpl.java:661)
at com.android.org.conscrypt.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:632)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.initReaderAndWriter(XMPPTCPConnection.java:507)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.initConnection(XMPPTCPConnection.java:457)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.connectUsingConfiguration(XMPPTCPConnection.java:440)
at org.jivesoftware.smack.tcp.XMPPTCPConnection.connectInternal(XMPPTCPConnection.java:811)
at org.jivesoftware.smack.XMPPConnection.connect(XMPPConnection.java:396)

and from server log:

2014-09-03 08:59:26.010 [ConnectionOpenThread]  ConnectionManager$ConnectionListenerImpl.accept()  FINEST: Accept called for service: null@null
2014-09-03 08:59:26.010 [ConnectionOpenThread]  ConnectionManager.serviceStarted()  FINER: [[c2s]] Connection started: null, type: accept, Socket: nullSocket[addr=/1.2.3.4,port=51395,localport=5222], jid: null
2014-09-03 08:59:26.023 [pool-10-thread-5]  StreamManagementIOProcessor.serviceStopped()  FINEST: c2s@sub.domain.net/10.0.0.1_5222_1.2.3.4_51395, type: accept, Socket: c2s@sub.domain.net/10.0.0.1_5222_1.2.3.4_51395 Socket[addr=/1.2.3.4,port=51395,localport=5222], jid: null, service stopped - StreamManagement disabled
2014-09-03 08:59:26.023 [pool-10-thread-5]  ConnectionManager.serviceStopped()  FINER:  [[c2s]] Connection stopped: c2s@sub.domain.net/10.0.0.1_5222_1.2.3.4_51395, type: accept, Socket: c2s@sub.domain.net/10.0.0.1_5222_1.2.3.4_51395 Socket[unconnected], jid: null
2014-09-03 08:59:26.024 [pool-10-thread-5]  ClientConnectionManager.xmppStreamClosed()  FINER: Stream closed: c2s@sub.domain.net/10.0.0.1_5222_1.2.3.4_51395
2014-09-03 08:59:26.024 [pool-10-thread-5]  StreamManagementIOProcessor.serviceStopped()  FINEST: c2s@sub.domain.net/10.0.0.1_5222_1.2.3.4_51395, type: accept, Socket: c2s@sub.domain.net/10.0.0.1_5222_1.2.3.4_51395 Socket[unconnected], jid: null, service stopped - StreamManagement disabled


From the server side, why does the SSL handshake formally fail?

Also, I see from this page that Tigase is mentioned as a client library affected by that vulnerability; is it fixed, or does it exist in jaxmpp2? How is the server involved, if it is?

Thanks


Replies (7)


Added by Artur Hefczyc TigaseTeam over 4 years ago

On the client side you show us code which attempts to connect to port 5223, but on the server side you show us logs with a connection opened on port 5222. It looks like there is some discrepancy here. Either you execute different code for the corresponding server logs, or you show us the wrong server logs for the corresponding client code.

The vulnerability is already fixed and it only affected JaXMPP library, not the server side code.

Added by Natale Vinto over 4 years ago

Hi Artur,

yes, I modified the incorrect 5223 value just after posting; maybe you got the email with the mistake, sorry for that. The port is definitely 5222.

What could be wrong for that scenario?


Added by Artur Hefczyc TigaseTeam over 4 years ago

To be honest, there is no indication in the server logs of what could cause the connection closure. I do not know the Smack library and its API, so I cannot comment on the code you provided.

From the exception on the client side, it seems to me that the client attempts to use SSL handshaking, whereas the server expects TLS on port 5222.
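A Smack-side counterpart of what Artur describes, as an added example that is not code from this thread or from either project: it connects on 5222 without an SSL socket factory, so the server's STARTTLS negotiation is used, and it replaces the trust-all X509TrustManager from the original snippet with one that trusts only the server's exported self-signed certificate. The class name and the PEM path are assumptions; the Smack 4.0 calls used are ConnectionConfiguration, setCustomSSLContext, setSecurityMode and XMPPTCPConnection.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.jivesoftware.smack.ConnectionConfiguration;
import org.jivesoftware.smack.tcp.XMPPTCPConnection;

public class StartTlsPinnedClient {

    // Build an SSLContext whose only trusted certificate is the server's own
    // self-signed certificate. The PEM path is an assumption: export the
    // certificate from the Tigase host and ship it with the client.
    static SSLContext pinnedContext(String pemPath) throws Exception {
        X509Certificate serverCert;
        try (InputStream in = new FileInputStream(pemPath)) {
            serverCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                              // empty in-memory store
        ks.setCertificateEntry("tigase-self-signed", serverCert);

        // A standard X509TrustManager over the one pinned certificate: it still
        // checks validity dates and rejects any other certificate, unlike the
        // empty checkServerTrusted() in the original snippet.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Port 5222 speaks plain XMPP first and upgrades via STARTTLS, so the
        // socket factory is left at the default (plain TCP); only the SSLContext
        // used for the upgrade is customised.
        ConnectionConfiguration config = new ConnectionConfiguration("1.2.3.4", 5222, "sub.domain.net");
        config.setCustomSSLContext(pinnedContext("/path/to/tigase-server.pem"));
        // Refuse to continue in clear text if the server does not offer STARTTLS.
        config.setSecurityMode(ConnectionConfiguration.SecurityMode.required);
        // Deliberately NOT calling config.setSocketFactory(ctx.getSocketFactory()):
        // that starts a TLS handshake on connect, i.e. old-style SSL (port 5223).

        XMPPTCPConnection conn = new XMPPTCPConnection(config);
        conn.connect();
        System.out.println("TLS established: " + conn.isSecureConnection());
        conn.disconnect();
    }
}
```

Hostname verification is a separate check from certificate trust; pinning the single certificate removes the trust-all hole but leaves the hostname check to Smack's own logic.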

Added by Natale Vinto over 4 years ago

Hi Artur,

where can I find sample code for JaXMPP2 on a successful TLS negotiation between a Tigase server and a client? Because in the code there is a javax.net.ssl.SSLContext with TLS and a javax.net.ssl.X509TrustManager, so they are JDK-related, library-agnostic classes used in a well-known way to accept self-signed certificates; then there is the specific API call, but passing an SSLSocketFactory should be the generally right way.


Added by Artur Hefczyc TigaseTeam over 4 years ago

Bartek, looks like we do not have any code examples for the library to use SSL/TLS connection. Could you please update the wiki page: https://projects.tigase.org/projects/jaxmpp2/wiki/Example_codes with a correct example and let us know?


Added by Bartosz Malkowski TigaseTeam over 4 years ago

JaXMPP is using TLS by default. SSL isn't supported.

Here is an example of how to add a custom TrustManager to a JaXMPP-based client.

Added by Natale Vinto over 4 years ago

Thanks guys,

I could successfully test it.
