verify server certificate

Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Coccinella | Fix Released | Wishlist | buzzdee |
Bug Description
Coccinella is not able to verify the server SSL certificate.
In jabber/JUI.tcl I see the following:
    proc ::JUI::
        variable jwapp
        if {[llength $jwapp(

        # security-high: SASL+TLS with a certificate signed by a trusted source
        # security-medium: {SASL+TLS|TLS on separate port} with a certificate
        #   signed by a source that is not trusted (self-signed certificate)
        # security-low: only SASL or no security at all
        set any 0
        set sasl [::Jabber::Jlib connect feature sasl]
        set ssl [::Jabber::Jlib connect feature ssl]
        set tls [::Jabber::Jlib connect feature tls]
        set cert 0
        set w $jwapp(w)
        if {$sasl && $tls && $cert} {
            # TRANSLATORS; code for these strings is not finished
            set str [mc "The connection is secure"]
            set image [::Theme:
            set any 1
        } elseif {($sasl && $tls) || $ssl} {
But when I manually specify that a valid server certificate is required and provide a CA certificate in:
jabberlib/
    proc jlib::tls_proceed {jlibname tag xmllist} {
        upvar ${jlibname}::lib lib
        upvar ${jlibname}::locals locals

        Debug 2 "jlib::tls_proceed"

        set sock $lib(sock)

        # Make it a SSL connection.
        if {[catch {
            tls::import $sock -cafile "~/Documents/
                -request 1 -server 0 -require 1 -ssl2 no -ssl3 yes -tls1 yes
        } err]} {
            close $sock
            tls_finish $jlibname starttls-failure $err
        }
then Coccinella is able to verify the certificate of the server.
The SSL icon should become green when the server certificate is verified.
The user should be able to specify a server CA certificate in Preferences -> Network -> Certificates.
This should work for both SSL and TLS.
Changed in coccinella:
assignee: nobody → buzzdee (sebastia)
description: updated

Changed in coccinella:
importance: Medium → Wishlist

Changed in coccinella:
status: Fix Committed → Fix Released
This has bothered me for a long time, and it turned out implementing it was easier than anticipated ;)
svn version #2797 adds the check of the server's certificate.
How does it work:
1. In the Preferences, General, Network, Certificates tab:
- activate the checkbox "TLS CA certificate file"
- browse to your CA certificate file (the certificate file should contain the whole certificate chain, from the Root CA down to the CA that signed the server certificate).
2. When logging in to the server using either TLS/SASL or SSL, and Coccinella has verified the server certificate, the connection to the server will be established, and the icon in the roster indicating the security of the connection turns green ;)
3. If the server certificate cannot be verified by Coccinella, then the connection to the server will fail; it will NOT fall back to a medium secure connection. If you do not want to verify the server certificate, then disable the checkbox option in the preferences.
Also, the patch that was checked in as svn revision #2797 is attached for review. As this is a security-related feature, intensive testing is necessary. So PLEASE TEST!
Tested against ejabberd 2.1.3 using TLS/SASL and SSL connections.
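The following is an added example, not code from Coccinella or from the patch in revision #2797. It puts together the two pieces discussed on this page: the three-level security classification from JUI.tcl (where `cert` was hardcoded to 0) and the tcltls `tls::import ... -cafile ... -require 1` call from the reporter's jlib::tls_proceed experiment, with the handshake forced immediately so that a verification failure aborts the connection instead of leaving the channel unverified. It adds one check the chain verification alone does not give: comparing the certificate's CN against the configured server name, since `-cafile` only proves the certificate was issued by the trusted CA, not that it was issued for this host. The host, port, CA bundle path and proc names are hypothetical; it requires Tcl 8.5 (`{*}` expansion) and the tls package.

```tcl
# Added example (not Coccinella's code): CA-verified TLS on a Jabber socket
# with tcltls, plus the roster icon level derived from the outcome.
# Assumptions: host, port and CA bundle path below are hypothetical.
package require Tcl 8.5
package require tls

# Map the connection properties to the three levels JUI.tcl distinguishes.
# cert must be 1 only when the peer certificate chained to a trusted CA.
proc security_level {sasl tls ssl cert} {
    if {$sasl && $tls && $cert} {
        return high
    } elseif {($sasl && $tls) || $ssl} {
        return medium
    }
    return low
}

# Pull the CN out of a tcltls subject string. tcltls has emitted both the
# "/C=..,/CN=host" and "C=..,CN=host" layouts over the years, so accept either.
proc subject_cn {subject} {
    if {[regexp {CN=([^,/]+)} $subject -> cn]} {
        return [string trim $cn]
    }
    return ""
}

# Upgrade an already-connected socket to TLS.
# cafile non-empty: the handshake must validate the chain (-require 1) and
#   the certificate CN must equal the server name we intended to reach.
# cafile empty:     encrypt only; no verification is requested, so the caller
#   must treat the link as "medium" at best.
# Any failure closes the socket and raises an error; there is no fallback.
# Returns 1 if the certificate was verified, 0 if verification was not requested.
proc secure_channel {sock servername cafile} {
    set verify [expr {$cafile ne ""}]
    set opts [list -server 0 -ssl2 no -ssl3 no -tls1 yes]
    if {$verify} {
        lappend opts -cafile $cafile -request 1 -require 1
    }
    tls::import $sock {*}$opts

    # Complete the handshake now rather than lazily on first I/O so that a
    # chain verification failure surfaces here instead of inside the XML stream.
    if {[catch {tls::handshake $sock} err]} {
        close $sock
        error "TLS handshake with $servername failed: $err"
    }
    if {$verify} {
        array set st [tls::status $sock]
        set cn [subject_cn $st(subject)]
        if {![string equal -nocase $cn $servername]} {
            close $sock
            error "certificate CN '$cn' does not match server '$servername'"
        }
    }
    return $verify
}

# Usage (hypothetical host and CA bundle): connect, upgrade, report the level.
# In a real client this would run after the <starttls/> / <proceed/> exchange;
# here it is shown against a legacy SSL-on-separate-port (5223) style connection.
proc demo {host port cafile} {
    set sock [socket $host $port]
    set cert [secure_channel $sock $host $cafile]
    array set st [tls::status $sock]
    set level [security_level 1 1 0 $cert]
    close $sock
    return [list level $level cipher $st(cipher) issuer $st(issuer)]
}
# e.g. demo jabber.example.org 5223 ~/ca-chain.pem
```

The `-ssl3 no` differs from the reporter's `-ssl3 yes`; with `-require 1` the handshake will fail rather than degrade, which matches point 3 of the comment above, so make sure the CA file really contains the whole chain before relying on it.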