[jdev] self signed cert

DannyD daniel.m.devine at gmail.com
Tue May 3 18:36:51 UTC 2016


Having a self signed cert on the client and server is not only possible,
but perhaps the only way that you can avoid having your cert. subverted.

1) pin self signed cert, or your own certificate chain onto the client
application (i.e. make it part of the installable package, include it as an
asset)

2) When application is starting, create your own TrustStore with ONLY your
certificate as trusted.  Create your SSLContext or SSLSocketFactory from
this.  Be sure that your KeyStore / TrustStore ONLY has your certificates,
add them specifically and do not add the generic ones on the device, as
they may be compromised.

3) For Android devices, I used & recommend "SpongyCastle", as it fixes the
broken elements of the included "BouncyCastle" crypto libraries.

4) Add self signed cert to the server, and instruct it to load this.

Now your client XMPP application ONLY trusts & can be decrypted by the
server that you've configured it to communicate with, and all the
communications are safe from eavesdropping.

With only your certificate, there's no way anyone can get the issuer to add
another compromised certificate without you knowing (i.e. NSL to your
'budget certificate provider', forcing them to assist L.E.).  You are in
control of the entire chain, you just need to supply them to the clients or
other servers you'd like to communicate with.





On Tue, May 3, 2016 at 11:10 AM, Tomasz Sterna <tomek at xiaoka.com> wrote:

> On Tue, 03.05.2016 at 09:40 -0700,
> lists at lazygranch.com wrote:
> > I suspect you wouldn't want s2s to use a self signed cert, so
> > allowing two level of verification (c2s and s2s) sounds complex. You
> > fix one thing in software and you break something else.
>
> So, why would you allow self-signed on C2S?
>
> Why do you want to use encryption in the first place?
> So, no one is able to read the conversation, right?
> But self-signed cert does not give you this... Just a false illusion
> that you are protected from eavesdropping.
> But self-signed does not protect you from man-in-the-middle attack, so
> basically still anyone able to tap the wire your transmission is going
> through is able to read it, with just slightly more effort.
>
>
> > I noticed the online documentation doesn't completely match the xml,
> > but there are enough comments in the xml that I could get close to
> > setting it up. It is just the certs that are confusing.
>
> Yeah. The real and up to date source of documentation are the comments
> in the configuration files.
>
>
> --
>  /o__
> (_<^' Practice is the best of all instructors.
>
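
Steps 1 and 2 of the message above (a client trust store holding only your own certificate, and an SSLContext built from it), as an added Java example that is not part of the original post or of any project's code. The PEM file path, host and port arguments and the alias `pinned-server` are assumptions for illustration, and the port is assumed to speak TLS directly.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class PinnedTls {
    // Build an SSLContext whose ONLY trust anchor is the certificate read from pinnedCert.
    static SSLContext pinnedContext(InputStream pinnedCert) throws Exception {
        Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(pinnedCert);

        // load(null, null) creates an empty in-memory store: no platform or device CAs are inherited.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("pinned-server", cert); // alias is arbitrary (assumption)

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // No client key managers, default SecureRandom; trust decisions come only from tmf.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Usage (file name, host and port are placeholders): java PinnedTls server.pem xmpp.example.org 5223
    public static void main(String[] args) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            SSLContext ctx = pinnedContext(in);
            try (SSLSocket s = (SSLSocket) ctx.getSocketFactory()
                    .createSocket(args[1], Integer.parseInt(args[2]))) {
                // Throws SSLHandshakeException if the server's chain does not end at the pinned cert.
                s.startHandshake();
                // A raw SSLSocket does not check the hostname; if the pinned cert is a CA rather than
                // the server's own cert, also verify the peer name before trusting the session.
                System.out.println("Handshake OK, peer: " + s.getSession().getPeerPrincipal());
            }
        }
    }
}
```

On Android the same `pinnedContext` method can be fed a stream opened from a bundled asset instead of a file path.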