[JDEV] SSL and jabbernaut
mark at mjwilcox.com
Sun Jul 30 14:54:59 CDT 2000
On 30 Jul 00, at 17:42, Max Horn wrote:
> >You have this procedure right (and at least the hooks for eventually
> >adding SSL are already there in Jabber, just nobody has
> >implemented it yet) :).
>
> Actually, I've implemented SSL in Jabbernaut... but I do not verify
> certificates yet. Mainly due to lack of time on my side, I have to
> learn more about SSL & OpenSSL to learn how to do it. Thus, it's only
> partly useful.
Well at least it would encrypt the transaction. You just wouldn't get
absolute assurance that you're really talking to the jabber server
you think you are.
>
> >However, Stunnel works on UNIX and Windows ;).
>
> Good. However, as long as server-to-server connections are *not* SSL
> protected, SSL connections serve only one purpose: to protect the
> password.
You're right.
>
> SSL for server-to-server is a very problematic issue, though. Either
> we force the use of *only* SSL connections, but this is unrealistic. Or
> we allow both, but then we might as well not use SSL at all, because
> the user can never know if his data is only submitted via a secure
> route...
The proper route is to only use SSL. Once the RSA patent expires
in the US in September, this will be easier to accomplish. The IETF
is now not approving any new protocols that aren't secure.
>
>
>
> >SSL is a much better solution because it's a known standard &
> >would encrypt the entire session, not just the password.
>
> That is exactly my opinion :-)
>
>
> >If you're using Jabber to do company meetings, you should want the entire
> >conversation encrypted, not just the password (then again people
> >make business decisions via email all of the time & that's not
> >usually encrypted ;).
>
> True (both <g>).
>
>
> >It also would protect the password during user
> >registration, which digest authentication does not do (thus IMHO,
> >it's not really any more secure than traditional authentication
> >because it can be sniffed during registration)
>
> Of course, this all is only true if we trust the certificate...
This is where the Public Key Infrastructure (PKI) begins to fall
apart, because you can't really trust an environment where you
don't have total control and in the Internet (or even a large Intranet),
it's impossible to have total control.
Figuring out how to add trust mechanisms into the next generation
of the Internet will be a key area of research.
>
>
> >Eventually if SSL support was built in (e.g. not just stunnel) to the
> >client, then you could add in SSL client certificates which would
> >allow for a much more secure form of authentication.
>
> Hm, does one have to pay license if one wants to ship the VeriSign
> etc. master certs with an app (so one can verify certs) ??
I don't think so. It only costs money to get a Verisign signed cert.
The last time I checked OpenSSL included the master certs for
most of the major CAs.
> As I stated above, I added SSL (using OpenSSL 0.9.5a) to my client.
> In fact, to do this, I reactivated the (abandoned) Macintosh port of
> OpenSSL :-)
> But I lack knowledge of SSL :-(. I will have to dig into the docs...
While I'm not an SSL programmer, I have a pretty good
understanding of the protocol (I've been issuing & managing SSL
certificates for nearly 4 years). If you have questions, you can send
them to me and I'll try to help.
BTW It would really rock if you could get Stunnel to compile on a
Mac. :)
>
> BTW, one does have to pay a yearly fee for VeriSign etc. certs,
> right? Hmm... Well, I suppose I need to have a DB, that stores certs.
Yes.
> When I contact a server, it sends me its cert. I check it against my
> DB. If it's not contained there, I ask the user if he wants to trust
> it.
You only need to keep a copy of the CAs.
I have the basic SSL outline at
http://developer.iplanet.com/viewsource/wilcox_protect/wilcox_protect.html
There's also a good book "SSL and TLS Essentials" by Stephen
Thomas.
You might also want to look at the IO::SSL module in Perl because
it has the verify code in it, which is all that it sounds like you're
missing.
Mark
>
>
>
> Bye,
>
> Max
> --
> -----------------------------------------------------------
> Max "The Black Fingolfin" Horn
> <mailto:max at quendi.de>
> <http://www.quendi.de> - please use my guestbook!
>
Mark Wilcox
mark at mjwilcox.com
Got LDAP?
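The two client-side checks discussed in this exchange, as an added example that is not part of the original mail or of Jabbernaut. Mark's route is to keep only the CA certificates and let the TLS library verify the chain (plus the hostname, which in 2000 was a separate step the client had to do itself); Max's route is a local DB of server certificates, asking the user about any server not yet in it. The example uses Python's `ssl` module (a wrapper over OpenSSL) rather than the C/OpenSSL 0.9.5a code the thread is about. The CA bundle path, the `jabber.example` server name and the "DER" byte strings are constructed stand-ins, not real certificates.

```python
"""Two ways a Jabber client can check the server certificate it receives.

  1. CA verification: keep only the CA certificates; the library builds and
     checks the chain and the client checks the hostname (Mark's point).
  2. Trust-on-first-use: keep a DB of certificates already seen; an unknown
     server is shown to the user, a *changed* certificate is refused
     (Max's scheme, with the check that makes it useful).
"""
import hashlib
import socket
import ssl
from typing import Callable, Dict, Literal, Optional

Verdict = Literal["trusted", "unknown", "MISMATCH"]


def unverified_context() -> ssl.SSLContext:
    """What a client that 'does not verify certificates yet' effectively does:
    the session is encrypted, but any certificate is accepted, so the client
    cannot tell the real server from a man in the middle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def ca_verified_context(ca_bundle_pem: Optional[str] = None) -> ssl.SSLContext:
    """Require a chain to a CA in ca_bundle_pem (hypothetical path, e.g. the
    CA certs shipped with OpenSSL) or, if None, the platform's default CA set,
    and check that the certificate names the host we connect to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # unverifiable chain -> handshake fails
    ctx.check_hostname = True             # name mismatch -> handshake fails
    if ca_bundle_pem is None:
        ctx.load_default_certs()
    else:
        ctx.load_verify_locations(cafile=ca_bundle_pem)
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True if the context will reject an unauthenticated server."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def fetch_peer_der(host: str, port: int, ctx: ssl.SSLContext) -> bytes:
    """Connect and return the server's certificate in DER form.
    Needs the network; the offline demo below does not call it."""
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER bytes; the DB stores this, not the whole cert."""
    return hashlib.sha256(der_cert).hexdigest()


class ServerCertStore:
    """Max's 'DB that stores certs', keyed by server name."""

    def __init__(self) -> None:
        self._seen: Dict[str, str] = {}   # server name -> fingerprint

    def check(self, server: str, der_cert: bytes) -> Verdict:
        known = self._seen.get(server)
        if known is None:
            return "unknown"
        return "trusted" if known == fingerprint(der_cert) else "MISMATCH"

    def trust(self, server: str, der_cert: bytes) -> None:
        self._seen[server] = fingerprint(der_cert)


def accept_server(store: ServerCertStore, server: str, der_cert: bytes,
                  ask_user: Callable[[str, str], bool]) -> bool:
    """Decide whether to continue the session with this server certificate."""
    verdict = store.check(server, der_cert)
    if verdict == "trusted":
        return True
    if verdict == "unknown":
        if ask_user(server, fingerprint(der_cert)):
            store.trust(server, der_cert)
            return True
        return False
    # MISMATCH: a different certificate than the one stored for this server.
    # No prompt here: a swapped certificate is exactly what an attacker shows.
    return False


# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"constructed DER for jabber.example (original)"
CERT_B = b"constructed DER for jabber.example (changed)"


def demo() -> Dict[str, bool]:
    """Offline walk-through of the trust-on-first-use decisions."""
    store = ServerCertStore()
    user_says_yes = lambda server, fp: True
    user_says_no = lambda server, fp: False
    return {
        "first contact, user accepts": accept_server(store, "jabber.example", CERT_A, user_says_yes),
        "same cert again, no prompt needed": accept_server(store, "jabber.example", CERT_A, user_says_no),
        "changed cert, refused without asking": accept_server(store, "jabber.example", CERT_B, user_says_yes),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'connect' if allowed else 'refuse'}")
    print("CA-verified context rejects unauthenticated servers:", verifies_peer(ca_verified_context()))
    print("Unverified context rejects unauthenticated servers:", verifies_peer(unverified_context()))
```

With a real connection the two parts combine: open the socket with `ca_verified_context()` so the handshake itself fails on a bad chain or wrong name, and feed `fetch_peer_der()`'s result to `accept_server()` if you also want the first-use store as a second check. A CA-only client needs no certificate DB at all, which is the point of keeping just the CA copies.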