Closed nyxnor closed 2 years ago
Please test the last commit and tell if it works for you.
SRV lookup does not work well with Tor, it must let the proxy resolve.
echo "worked" | torsocks ~/.cabal/bin/hsendxmpp -u user -p password -j somehostname.onion -v -n
Opening stream...
Performing SRV lookup...
No SRV result returned.
No SRV records, using fallback process.
hsendxmpp: Network.Socket.getAddrInfo (called with preferred socket type/protocol: Nothing, host name: Just "somehostname.onion", service name: Nothing): does not exist (Name or service not known)
my testing xmpp account: user@4euyyzbylryi3vixl7ragye3tvfl5gvoug3s4vvls42hua3krztdddad.onion.
edit: added -n --no-tls-verify
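The point above, that the proxy rather than the client has to resolve the name, is exactly what the SOCKS5 domain-name address type (ATYP 0x03, RFC 1928) is for: the client puts the hostname into the CONNECT request and never calls getaddrinfo on it, so a .onion name that has no DNS record still works through Tor. The following is an added Python example, not code from this thread and not part of hsendxmpp or pontarius-xmpp. It builds the greeting and CONNECT request, parses the proxy's reply, and wraps both in a connect helper. The proxy address 127.0.0.1:9050 (Tor's default SocksPort) is an assumption; the builder and parser run offline on constructed bytes.

```python
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

# RFC 1928 reply codes, used only to produce readable error messages
REPLY_CODES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def build_greeting() -> bytes:
    """Version identifier: SOCKS5, one method offered, 0x00 = no authentication."""
    return bytes([SOCKS_VERSION, 0x01, 0x00])


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request that carries the hostname itself (ATYP 0x03).

    The client performs no local lookup on `host`; the proxy resolves it.
    For Tor this is the only way a .onion name can be reached at all.
    """
    name = host.encode("ascii")  # .onion names are plain ASCII
    if not 0 < len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes for the SOCKS5 domain field")
    header = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
    return header + name + struct.pack("!H", port)


def parse_reply(data: bytes):
    """Parse a SOCKS5 reply. Returns (reply_code, bound_address, bound_port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    code, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, off = socket.inet_ntop(socket.AF_INET, data[4:8]), 8
    elif atyp == ATYP_IPV6:
        addr, off = socket.inet_ntop(socket.AF_INET6, data[4:20]), 20
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, off = data[5:5 + n].decode("ascii"), 5 + n
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(data) < off + 2:
        raise ValueError("truncated SOCKS5 reply")
    (port,) = struct.unpack("!H", data[off:off + 2])
    return code, addr, port


def socks5_connect(dest_host: str, dest_port: int,
                   proxy=("127.0.0.1", 9050), timeout=60) -> socket.socket:
    """Open a TCP stream to dest_host:dest_port through a SOCKS5 proxy.

    `proxy` is an assumed Tor SocksPort; the socket returned is ready for the
    XMPP stream and the TLS handshake, which only need the hostname string.
    """
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_greeting())
        choice = sock.recv(2)
        if len(choice) != 2 or choice[0] != SOCKS_VERSION or choice[1] != 0x00:
            raise OSError("proxy did not accept the no-authentication method")
        sock.sendall(build_connect_request(dest_host, dest_port))
        code, _addr, _port = parse_reply(sock.recv(4 + 1 + 255 + 2))
        if code != 0x00:
            raise OSError(f"SOCKS5 CONNECT failed: {REPLY_CODES.get(code, hex(code))}")
    except Exception:
        sock.close()
        raise
    return sock
```

Tor answers a successful CONNECT with a bound address of 0.0.0.0:0, which the parser reports as-is; a non-zero reply code is turned into an error rather than being silently ignored, so a blocked or unreachable onion service fails loudly instead of producing the "Broken pipe" seen later in this thread.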
Check your DNS configuration. torsocks is a LD_PRELOAD kludge that won't work in a lot of cases, including statically linked binaries.
Tried with my Tor netns setup, and it seems like --no-tls-verify works as I see some XML:
‰ torns ./dist-newstyle/build/x86_64-linux/ghc-9.0.1/hsendxmpp-0.1.2.6/x/hsendxmpp/build/hsendxmpp/hsendxmpp -u user -p password -j somehostname.onion -v -n <<< test
Opening stream...
Performing SRV lookup...
No SRV result returned.
No SRV records, using fallback process.
Connecting to 10.194.213.114:5222
Successfully connected to 10.194.213.114:5222
Acquired handle.
Setting NoBuffering mode on handle.
Starting stream...
Out: <stream:stream version="1.0" to="somehostname.onion" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams">
wrapIOException (streamSend) : Exception wrapped: <socket: 0>: hPutBuf: resource vanished (Broken pipe)
hsendxmpp: XmppIOException <socket: 0>: hPutBuf: resource vanished (Broken pipe)
CallStack (from HasCallStack):
error, called at Main.hs:74:28 in main:Main
I have no clue why it breaks after, probably the logs of your server would tell more.
I am running profanity with torsocks using an onion domain rn.
To make it accept the certificate, I had to connect with tls trust; this forces it to accept the cert, not dismiss it:
TRUST: Add the current TLS certificate to manually trusted certificates.
And using tls disable fails because the server requires dns. So it has to take the cert into consideration and trust it.
Check your DNS configuration
there is nothing special, nameserver 127.0.0.1
torsocks is a LD_PRELOAD kludge that won't work in a lot of cases, including statically linked binaries.
yes, a proxy option on hsendxmpp would be helpful.
I have no clue why it breaks after, probably the logs of your server would tell more.
it does not make a connection, I can't see the client trying on logs. Where can I find this torns?
I noticed I forgot to replace the address in your example; with the proper hidden service address I get the following result:
‰ torns ./dist-newstyle/build/x86_64-linux/ghc-9.0.1/hsendxmpp-0.1.2.6/x/hsendxmpp/build/hsendxmpp/hsendxmpp -u user -p password -j 4euyyzbylryi3vixl7ragye3tvfl5gvoug3s4vvls42hua3krztdddad.onion -v -n <<< test
Opening stream...
Performing SRV lookup...
No SRV result returned.
No SRV records, using fallback process.
Connecting to 10.217.136.188:5222
Successfully connected to 10.217.136.188:5222
Acquired handle.
Setting NoBuffering mode on handle.
Starting stream...
Out: <stream:stream version="1.0" to="4euyyzbylryi3vixl7ragye3tvfl5gvoug3s4vvls42hua3krztdddad.onion" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams">
in: <?xml version='1.0'?><stream:stream from='4euyyzbylryi3vixl7ragye3tvfl5gvoug3s4vvls42hua3krztdddad.onion' xmlns:stream='http://etherx.jabber.org/streams' id='866e348c-9513-403e-ada8-3c1de0dbd7de' xmlns='jabber:client' xml:lang='en' version='1.0'><stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>
In: <?xml version='1.0'?><stream:stream from='4euyyzbylryi3vixl7ragye3tvfl5gvoug3s4vvls42hua3krztdddad.onion' xmlns:stream='http://etherx.jabber.org/streams' id='866e348c-9513-403e-ada8-3c1de0dbd7de' xmlns='jabber:client' xml:lang='en' version='1.0'><stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls></stream:features>.
Running StartTLS
Out: <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
in: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
In: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>.
TLS with debug mode enabled.
Stream Secured.
Restarting stream...
Starting stream...
Out: <stream:stream version="1.0" to="4euyyzbylryi3vixl7ragye3tvfl5gvoug3s4vvls42hua3krztdddad.onion" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams">
in: <?xml version='1.0'?><stream:stream from='4euyyzbylryi3vixl7ragye3tvfl5gvoug3s4vvls42hua3krztdddad.onion' xmlns:stream='http://etherx.jabber.org/streams' id='f2f0eda3-7cdd-467c-9874-505b45849f6e' xmlns='jabber:client' xml:lang='en' version='1.0'><stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>SCRAM-SHA-1</mechanism><mechanism>PLAIN</mechanism></mechanisms></stream:features>
xmppSasl: Attempts to authenticate...
xmppSasl: Performing handler...
Out: <auth mechanism="SCRAM-SHA-1" xmlns="urn:ietf:params:xml:ns:xmpp-sasl">biwsbj11c2VyLHI9THFlR2lERHh4SFEvWDZZZ0hjQ2c=</auth>
in: <challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>cj1McWVHaUREeHhIUS9YNllnSGNDZzU4MTk5YTY0LTM0YmQtNDBhOS1iMzc0LWU3ZGM1YzhiMjk5OCxzPVpUVmxZV1JrWmpNdFptVXhOUzAwTm1KbUxXRm1ORFF0Wm1KaVpEbG1aRGd3TXpJeixpPTQwOTY=</challenge>
Out: <response xmlns="urn:ietf:params:xml:ns:xmpp-sasl">Yz1iaXdzLHI9THFlR2lERHh4SFEvWDZZZ0hjQ2c1ODE5OWE2NC0zNGJkLTQwYTktYjM3NC1lN2RjNWM4YjI5OTgscD1PYk9RUlBRVFAzWUVGQk1sZFlWTG5MR2lET0U9</response>
in: <failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><not-authorized/><text>The response provided by the client doesn't match the one we calculated.</text></failure>
xmppSasl: AuthFailure encountered: AuthSaslFailure (SaslFailure {saslFailureCondition = SaslNotAuthorized, saslFailureText = Just (Nothing,"The response provided by the client doesn't match the one we calculated.")})
Closing stream after error
Closing stream
Sending closing tag
Waiting for stream to close
hsendxmpp: XmppAuthFailure (AuthSaslFailure (SaslFailure {saslFailureCondition = SaslNotAuthorized, saslFailureText = Just (Nothing,"The response provided by the client doesn't match the one we calculated.")}))
CallStack (from HasCallStack):
error, called at Main.hs:74:28 in main:Main
There's no easy way to add SOCKS support to hsendxmpp since pontarius-xmpp doesn't support it. You'd better wrap around it with something, preferably smarter than LD_PRELOAD a library that expects a program utilizing the C standard library. For me, hsendxmpp under torsocks doesn't even try to open an internet socket (according to strace) so apparently it succeeds at hijacking getaddrinfo but fails to make sense afterwards. In case I have an IPv6 DNS address in my resolv.conf:
‰ torsocks ./dist-newstyle/build/x86_64-linux/ghc-9.0.1/hsendxmpp-0.1.2.6/x/hsendxmpp/build/hsendxmpp/hsendxmpp -u user -p password -j somehostname.onion -v -n <<< test
Opening stream...
hsendxmpp: Network.Socket.getAddrInfo (called with preferred socket type/protocol: AddrInfo {addrFlags = [AI_ADDRCONFIG,AI_NUMERICHOST,AI_PASSIVE], addrFamily = AF_UNSPEC, addrSocketType = Datagram, addrProtocol = 0, addrAddress = 0.0.0.0:0, addrCanonName = Nothing}, host name: Just "2a00:d880:5:1ea::a85b", service name: Just "domain"): does not exist (Name or service not known)
Otherwise:
Opening stream...
Performing SRV lookup...
No SRV result returned.
No SRV records, using fallback process.
hsendxmpp: Network.Socket.getAddrInfo (called with preferred socket type/protocol: Nothing, host name: Just "somehostname.onion", service name: Nothing): does not exist (Name or service not known)
I don't know enough of the workings of torsocks and the network package to understand how they interact, you may have better luck at https://github.com/haskell/network/issues
torns is just: exec sudo /bin/ip netns exec tor sudo -u l29ah "$@"
And the tor namespace is utilizing the following tor features to make it happen:
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
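With those two settings Tor answers a lookup for a .onion name with a placeholder address out of 10.192.0.0/10 and routes any connection to that address over the onion service, which is why the verbose logs earlier in this thread show "Connecting to 10.194.213.114:5222" and "Connecting to 10.217.136.188:5222". A practical check for such a namespace setup is to confirm that every connection the client makes targets the automap range: a target outside it means the name was resolved by something other than Tor. The following is an added Python example, not code from the thread or from hsendxmpp. It scans hsendxmpp -v output for "Connecting to" lines and classifies each target; the sample log is constructed from the thread's own lines plus one invented leak line using the 203.0.113.0/24 documentation range.

```python
import ipaddress
import re

# torrc values from the thread: the range Tor hands out for automapped .onion names
VIRTUAL_NET_V4 = ipaddress.ip_network("10.192.0.0/10")

CONNECT_RE = re.compile(r"^Connecting to (?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)$")


def connect_targets(log_text: str):
    """Extract (ip, port) from every 'Connecting to host:port' line in hsendxmpp -v output."""
    targets = []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line.strip())
        if m:
            targets.append((m.group("ip"), int(m.group("port"))))
    return targets


def classify(ip_str: str, virtual_net=VIRTUAL_NET_V4) -> str:
    """Say whether a connection target came out of Tor's automap range."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 4 and ip in virtual_net:
        return "automapped"        # Tor resolved the name; the stream rides the onion service
    if ip.is_loopback:
        return "loopback"          # e.g. a local SOCKS port; not a leak by itself
    return "outside-virtual-net"   # the name was resolved somewhere other than Tor


def audit(log_text: str, virtual_net=VIRTUAL_NET_V4):
    """Return [(ip, port, verdict)] for each connection attempt found in the log."""
    return [(ip, port, classify(ip, virtual_net)) for ip, port in connect_targets(log_text)]


def leaks(log_text: str, virtual_net=VIRTUAL_NET_V4):
    """Only the connection attempts that bypassed Tor's resolver."""
    return [t for t in audit(log_text, virtual_net) if t[2] == "outside-virtual-net"]


# Constructed sample: the first 'Connecting to' line is taken from the thread, the
# second is an invented leak using an address from the 203.0.113.0/24 documentation range.
SAMPLE_LOG = """\
Opening stream...
Performing SRV lookup...
No SRV result returned.
No SRV records, using fallback process.
Connecting to 10.194.213.114:5222
Successfully connected to 10.194.213.114:5222
Connecting to 203.0.113.7:5222
"""

if __name__ == "__main__":
    for ip, port, verdict in audit(SAMPLE_LOG):
        print(f"{ip}:{port} -> {verdict}")
```

The check only covers IPv4 because the thread configures VirtualAddrNetworkIPv4 alone; a setup that also sets VirtualAddrNetworkIPv6 would pass its range in as a second network to test against.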
ok, thank you for the time
Tor does not require certificates for encryption, but xmpp servers can provide self-signed ones.
Can you make it accept a self-signed certificate?
Thank you for forking and continuing the work of sendxmpp, needed that.