Full Disclosure mailing list archives

Google Talk s2s SSL configuration


From: Tim Brown <timb () nth-dimension org uk>
Date: Mon, 1 Oct 2012 20:18:43 +0100

Hi all,

I'm reporting this publicly since Google have not responded to my private 
enquiries dating back to February this year (#963055119 according to their 
security@ auto responder).

So I run an XMPP server and by default I demand a 256-bit cipher for my 
dialback peers:

<host xmpp="yes" tls="256"/>

However with Talk, I vaguely recall needing to set it explicitly per host to 
accept ciphers with 128 bit keys before it would work.  Anyway, I recently 
rebuilt my server and on the new server I no longer appear to be able to 
negotiate TLS with Talk at all.  (I'm not sure if my old server could in its 
final days either; however, TLS negotiation still works for other s2s dialback 
peers - such as jabber.org).  To get my server to talk to Talk I needed to 
set:

<host name="gmail.com" xmpp="yes" tls="yes"/>

which is opportunistic and which results in the following in my logs:

20120212T11:00:41: [notice] (s2s.jabber.nth-dimension.org.uk): connected to 
gmail.com (unencrypted, no cert, auth=db, stream=preXMPP, compression=none)

For reference I have manually validated that traffic to Talk is unencrypted.

It's possible that this is a problem at my end, but as I said earlier TLS 
appears to work fine with other peers.

Can anyone else confirm if this is expected behavior?  If that is the case, 
does anyone know if there is a reason why TLS is not currently supported?  

Obviously the implications if I'm correct are that any traffic between a user on 
a privately operated XMPP server and a user on Talk is open to man-in-the-middle 
attacks even without the cooperation of Google.

Tim
PS I am aware of discussions on various XMPP lists around this issue, but 
no one seems to have come up with a satisfactory answer.
-- 
Tim Brown
<mailto:timb () nth-dimension org uk>
<http://www.nth-dimension.org.uk/>

Attachment: signature.asc
Description: This is a digitally signed message part.
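
Added example, not part of the original post or of any XMPP server's code: a log audit that parses "connected to" entries in the layout quoted above and lists the peers whose s2s sessions came up unencrypted under an opportunistic tls="yes" setting. It keys only on the "unencrypted" flag seen in the post; the second sample entry, including its attribute wording, is constructed.

```python
import re
from collections import defaultdict

# Layout taken from the log line quoted in the post:
# <timestamp>: [<level>] (<local s2s component>): connected to <peer> (<attributes>)
LINE_RE = re.compile(
    r"^(?P<ts>\d{8}T\d{2}:\d{2}:\d{2}): \[(?P<level>\w+)\] \((?P<component>[^)]+)\): "
    r"connected to (?P<peer>\S+) \((?P<attrs>[^)]*)\)\s*$"
)

def parse_s2s_line(line):
    """Return a dict for a 'connected to' line, or None for anything else."""
    m = LINE_RE.match(" ".join(line.split()))  # undo mail/terminal line wrapping
    if not m:
        return None
    flags, options = [], {}
    for item in (a.strip() for a in m.group("attrs").split(",")):
        if "=" in item:
            key, value = item.split("=", 1)
            options[key] = value
        elif item:
            flags.append(item)
    return {"ts": m.group("ts"), "peer": m.group("peer"), "flags": flags,
            "options": options, "encrypted": "unencrypted" not in flags}

def cleartext_peers(lines):
    """Map each peer seen without TLS to the timestamps of those sessions."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_s2s_line(line)
        if rec and not rec["encrypted"]:
            hits[rec["peer"]].append(rec["ts"])
    return dict(hits)

# Constructed sample input. Entries 1 and 3 reuse the line from the post; entry 2
# is invented, and the attribute wording of an encrypted session is an assumption.
SAMPLE_LOG = [
    "20120212T11:00:41: [notice] (s2s.jabber.nth-dimension.org.uk): connected to "
    "gmail.com (unencrypted, no cert, auth=db, stream=preXMPP, compression=none)",
    "20120212T11:02:10: [notice] (s2s.jabber.nth-dimension.org.uk): connected to "
    "jabber.org (encrypted, auth=db, stream=XMPP1.0, compression=none)",
    "20120212T11:05:00: [notice] (s2s.jabber.nth-dimension.org.uk): connected to "
    "gmail.com (unencrypted, no cert, auth=db, stream=preXMPP, compression=none)",
]

if __name__ == "__main__":
    for peer, stamps in cleartext_peers(SAMPLE_LOG).items():
        print(f"{peer}: {len(stamps)} cleartext s2s session(s), first {stamps[0]}")
```

Run periodically over the s2s log, the output gives the list of peer domains that a per-host tls="yes" exception is actually letting through in cleartext.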

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
