Nickx27 / libjingle

Automatically exported from code.google.com/p/libjingle
0 stars 0 forks source link

Disabling TLS #72

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?

XmppClientSettings xcs;
xcs.set_use_tls(false);
xcs.set_allow_plain(true);
...

What is the expected output?

The above code should disable TLS. 

What do you see instead?

XmppEngine hangs at the LOGINSTATE_STREAMSTART_SENT state during logging in.

What version of the product are you using? On what operating system?

libjingle 0.5, OSX 10.6

Proposed fix:

--- xmpp/xmpplogintask.cc   (revision 34)
+++ xmpp/xmpplogintask.cc   (working copy)
@@ -139,8 +139,8 @@
         if (!HandleFeatures(element))
           return Failure(XmppEngine::ERROR_VERSION);

-        // Use TLS if forced, or if available
-        if (pctx_->tls_needed_ || GetFeature(QN_TLS_STARTTLS) != NULL) {
+        // Use TLS if forced, and if available
+        if (pctx_->tls_needed_ && GetFeature(QN_TLS_STARTTLS) != NULL) {
           state_ = LOGINSTATE_TLS_INIT;
           continue;
         }

The original code does NOT completely disable TLS if the "starttls" feature is 
present on the server. The new code forces TLS to be disabled if 
xcs.set_use_tls(false).

Original issue reported on code.google.com by wang.wei...@gmail.com on 20 Oct 2010 at 9:43

GoogleCodeExporter commented 9 years ago
That's a good point.  I think what we could do is make use_tls in call_main.cc 
and xmppclientsettings.h into a tri-state of DISABLED/ENABLED/REQUIRED, much 
like we have in mediasessionclient.h for crypto.  We would also need to push 
that down to tls_needed in xmpplogintask.h and xmppengineimpl.cc.

This is pretty low priority for us, so I can't promise we'll get around to it, 
but if you'd like to make them and submit us a patch, I'd be more than happy to 
integrate it into the code base.

Original comment by pthatc...@google.com on 5 Nov 2010 at 12:05

GoogleCodeExporter commented 9 years ago

Original comment by jun...@google.com on 3 Dec 2010 at 1:37

GoogleCodeExporter commented 9 years ago
This is an obvious bug I think.

Original comment by triaphoo on 27 Sep 2011 at 8:14

GoogleCodeExporter commented 9 years ago

Original comment by jun...@google.com on 4 Oct 2011 at 6:47

GoogleCodeExporter commented 9 years ago

Original comment by jun...@google.com on 16 Nov 2011 at 7:18

GoogleCodeExporter commented 9 years ago

Original comment by jun...@google.com on 16 Nov 2011 at 7:18

GoogleCodeExporter commented 9 years ago
Fixed. It'll be in the next release.

Original comment by jun...@google.com on 1 Dec 2011 at 9:36

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
Now, on r101 (r100 was broken), I could login using jabber.org (and I believe 
now it is possible to login using a personal XMPP server as well) after 
disabling tls and allowing plain password. On r100 was added a new call example 
flag to allow plain password. So using --s=<server> --tls=disable --allowplain 
I believe it is possible to login on any server. Another way to login in any 
server without have to disable tls is to allow certificates of unknown CA, like 
I described on issue 195, comment #10.

Original comment by diego.cd...@gmail.com on 15 Dec 2011 at 12:29