[Security] TLS Certificates Verification

Eric Rescorla ekr at rtfm.com
Wed Aug 20 08:53:17 CDT 2008

On Wed, Aug 20, 2008 at 2:07 AM, Dirk Meyer <dmeyer at tzi.de> wrote:
> Peter Saint-Andre wrote:
>> Greg Hudson wrote:
>>> On Tue, 2008-08-19 at 21:56 -0600, Peter Saint-Andre wrote:
>>>> It does? Negotiate a reliable transport, start an XML stream, and
>>>> upgrade the stream to encrypted via STARTTLS, just like we
>>>> currently do for client-to-server streams. How is that enormously
>>>> complex? Granted, the reliable transport might not be raw TCP -- it
>>>> might be a direct or mediated bytestream (XEP-0065), an in-band
>>>> bytestream (XEP-0047), or some other reliable transport. But I
>>>> don't see how that makes the complexity enormous.
>>> If existing TLS libraries can be used for XTLS, then my argument
>>> collapses, since those same libraries are already used for channel
>>> security.  I'm skeptical that it will work; perhaps a proof of concept
>>> is in order.
>> I'm all for that. Unfortunately I'm just about the worst coder in the
>> XMPP community, so I need to defer to others. I think Dirk Meyer has
>> been working on this, but I'm not sure how far he's gotten.
> Yes, I have some python code doing this. It is not public yet because
> it needs some cleanup and some more docs. If you want I can upload a
> tgz somewhere. It works very well. About in-band bytestreams: I just
> connect the IBB with a unix domain socket. So the TLS lib reads from a
> socket like it is used to be.

BTW, most TLS stacks that I'm familiar with let you replace the I/O
with non-sockets. I know OPenSSL lets you provide any BIO you


The difference here is only that the
> implementation must perform different validations (that part is what
> the discussion is about) and that the stream must be connected to one
> remote client. And the client needs to support some server code like
> being the server and answering a <stream> request. But the later is
> similar to link-local messaging. So my implementation simply connects
> the IBB with a unix domain socket and after that the link-local part
> takes over. A client supporting link-local messaging does not need
> much updates.
> Dirk
> P.S.: 21 Mails over night, not bad :)
> --
> In the beginning was the word, and the word was content-type: text/plain

More information about the Security mailing list