tigase / siskin-im

Public Project of Tigase Messenger for iOS devices based on Tigase Swift XMPP library.
GNU General Public License v3.0
176 stars 37 forks

Upload does not fully work #102

Open myzinsky opened 3 years ago

myzinsky commented 3 years ago

Describe the bug: Upload of pictures does not work in Siskin on my iPhone. On Beagle it works well.

The picture is uploaded and the file is also accepted by Ejabberd and stored correctly. However, Siskin is not submitting the corresponding link to it.

Details (please complete the following information):

mrusme commented 2 years ago

Same issue here, I'm wondering whether that has something to do with the fact that I'm using a self-signed certificate (which I did trust so that Siskin could connect). This is the output on the server side:

2022-04-10 19:48:36.262640+00:00 [info] Got HTTP upload slot for xxx@xxx.lan/xxx (file: IMG_7439.png, size: 709944)
2022-04-10 19:48:36.279022+00:00 [info] (<0.804.0>) Accepted connection [::ffff:10.0.0.23]:58194 -> [::ffff:172.17.0.7]:5443

Even though the server reports an accepted connection, Siskin reports an issue when trying to upload a photo.

hantu85 commented 2 years ago

@mrusme If you have accepted a self-signed certificate during XMPP connection establishment, then it is only accepted for establishing an XMPP connection for a particular account.

This means it is not trusted nor accepted for establishing the HTTPS connection required for HTTP File Upload to work correctly. This is not a bug, but how the app works.

Accepting self-signed SSL certificates for XMPP connections is part of the app, but was introduced to allow testing the app on the development servers which are not accessible from the internet. HTTP File Upload, on the other hand, should be accessible from the internet, as this should allow anyone to have a link to access the uploaded file. Having a self-signed certificate may forbid the recipient of a link from downloading a file and verifying HTTP server identity. Due to that, HTTP File Upload HTTP servers should have a valid SSL certificate.

Due to that, and the fact that many can acquire SSL certificates for HTTPS connections for free (i.e. from LetsEncrypt), I think that this is how the app should work.

mrusme commented 2 years ago

@hantu85 in my case I'm using ejabberd internally, without access to the outside world. Assuming a company is setting up something like that inside their VPC, where no Let's Encrypt certificate could be issued, how would they go about sharing files through XMPP?

I understand the security impact of accepting a self-signed certificate and I guess one way to mitigate this issue is to install the company's CA on each device. However, I believe it would be nice if there was a big fat warning with an "I agree" checkmark that would allow people to accept self-signed certs for file uploads as well, in cases in which they might not be able to install the root CA on every machine due to BYOD.
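The two points above (the per-account XMPP certificate exception does not extend to the HTTPS upload host, and the fix is a CA the device actually trusts) can be checked from an admin's machine. The following is an added example, not Siskin or ejabberd code: it parses a constructed XEP-0363 slot result, then performs a verified TLS handshake against the upload host using the system roots or an optional company CA bundle (cafile), and reports why verification failed. upload.example.lan and the slot id are placeholders.

```python
import socket
import ssl
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = "urn:xmpp:http:upload:0"  # XEP-0363 slot namespace

# Constructed slot result, not captured from the thread's server; the file name
# matches the ejabberd log line quoted above, the host is a placeholder.
SAMPLE_SLOT = f"""<iq type='result' id='slot1'>
  <slot xmlns='{NS}'>
    <put url='https://upload.example.lan:5443/upload/abc123/IMG_7439.png'/>
    <get url='https://upload.example.lan:5443/upload/abc123/IMG_7439.png'/>
  </slot>
</iq>"""


def parse_slot(iq_xml):
    """Extract the put/get URLs from a slot result; anything but https is rejected."""
    slot = ET.fromstring(iq_xml).find(f"{{{NS}}}slot")
    if slot is None:
        raise ValueError("no upload slot in IQ result")
    urls = {}
    for kind in ("put", "get"):
        el = slot.find(f"{{{NS}}}{kind}")
        if el is None or "url" not in el.attrib:
            raise ValueError(f"slot is missing the {kind} URL")
        if urlsplit(el.attrib["url"]).scheme != "https":
            raise ValueError(f"{kind} URL is not https: {el.attrib['url']}")
        urls[kind] = el.attrib["url"]
    return urls


def classify_tls_error(exc):
    """Map a failed handshake to the remedy discussed in the thread."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        msg = getattr(exc, "verify_message", "") or str(exc)
        if "self-signed" in msg or "self signed" in msg:
            return "self-signed: the per-account XMPP exception does not cover HTTPS"
        return f"verification failed: {msg} (install the issuing CA on the device)"
    return f"connection error: {exc}"


def check_upload_endpoint(put_url, cafile=None):
    """Handshake with the upload host using system roots, or a company CA bundle."""
    parts = urlsplit(put_url)
    host, port = parts.hostname, parts.port or 443
    ctx = ssl.create_default_context(cafile=cafile)  # chain + hostname checks on
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return f"ok: {tls.version()} with a verified chain for {host}"
    except (ssl.SSLError, OSError) as exc:
        return classify_tls_error(exc)
```

Call check_upload_endpoint(parse_slot(slot_xml)["put"]) with a real slot result; passing cafile= with the company CA shows the handshake succeeding the same way it would after that CA is installed on a device.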

hantu85 commented 2 years ago

@mrusme We may consider this in the future, but we will treat it as a low priority feature. We are open to PR with the implementation of this feature.