Google Talk s2s SSL configuration
From: Tim Brown <timb () nth-dimension org uk>
Date: Mon, 1 Oct 2012 20:18:43 +0100
I'm reporting this publicly since Google have not responded to my private
enquiries dating back to February this year (#963055119 according to their
security@ auto responder).
So I run an XMPP server and by default I demand a 256-bit cipher for my
<host xmpp="yes" tls="256"/>
However with Talk, I vaguely recall needing to set it explicitly per host to
accept ciphers with 128 bit keys before it would work. Anyway, I recently
rebuilt my server and on the new server I no longer appear to be able to
negotiate TLS with Talk at all. (I'm not sure if my old server could in its
final days either; however, TLS negotiation still works for other s2s dialback
peers, such as jabber.org.) To get my server to talk to Talk I needed to
<host name="gmail.com" xmpp="yes" tls="yes"/>
which is opportunistic and which results in the following in my logs:
20120212T11:00:41: [notice] (s2s.jabber.nth-dimension.org.uk): connected to gmail.com (unencrypted, no cert, auth=db, stream=preXMPP, compression=none)
For reference I have manually validated that traffic to Talk is unencrypted.
It's possible that this is a problem at my end, but as I said earlier TLS
appears to work fine with other peers.
Can anyone else confirm if this is expected behavior? If that is the case,
does anyone know if there is a reason why TLS is not currently supported?
Obviously the implications if I'm correct are that any traffic between a user on
a privately operated XMPP server and a user on Talk is open to man-in-the-middle
attacks even without the cooperation of Google.
PS I am aware of discussions on various XMPP lists around this issue, but
no one seems to have come up with a satisfactory answer.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
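The log line quoted in the post is the evidence that matters here: an s2s session that came up "unencrypted, no cert" once the per-host policy was relaxed from tls="256" to the opportunistic tls="yes". The following is an added example, not code from the post or from any XMPP server project, that parses s2s connection log lines in the format shown above and reports peers whose sessions are exposed. The regular expression, the field order (encryption state, certificate state, then key=value pairs) and the second, encrypted sample line are assumptions modelled on the single line quoted in the post, so treat them as illustrative of the approach rather than as the server's documented format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed shape of an s2s "connected to" notice, modelled on the one line
# quoted in the post: "<ts>: [<level>] (<local>): connected to <peer> (<props>)".
LOG_RE = re.compile(
    r"^(?P<ts>\d{8}T\d{2}:\d{2}:\d{2}): \[(?P<level>\w+)\] "
    r"\((?P<local>[^)]+)\): connected to (?P<peer>\S+) \((?P<props>[^)]*)\)$"
)


@dataclass
class S2SConnection:
    ts: str
    local: str
    peer: str
    encryption: str  # e.g. "unencrypted" (from the post) or a TLS marker
    cert: str        # e.g. "no cert" (from the post)
    auth: str        # e.g. "db" = dialback, as in the post
    stream: str
    compression: str


def parse_line(line: str) -> Optional[S2SConnection]:
    """Parse one s2s connection notice; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    props = [p.strip() for p in m.group("props").split(",")]
    if len(props) < 2:
        return None
    # Assumption: the first two properties are positional (encryption, cert),
    # everything after that is key=value.
    encryption, cert = props[0], props[1]
    kv = dict(p.split("=", 1) for p in props[2:] if "=" in p)
    return S2SConnection(
        ts=m.group("ts"),
        local=m.group("local"),
        peer=m.group("peer"),
        encryption=encryption,
        cert=cert,
        auth=kv.get("auth", ""),
        stream=kv.get("stream", ""),
        compression=kv.get("compression", ""),
    )


def is_exposed(conn: S2SConnection) -> bool:
    """A session is exposed if it is cleartext or the peer presented no certificate.

    Dialback (auth=db) only proves DNS control of the peer domain; without TLS
    and a certificate the federation link is open to interception on path.
    """
    return conn.encryption.lower() == "unencrypted" or conn.cert.lower() == "no cert"


def audit(lines: List[str]) -> List[str]:
    """Return the peers (one entry per exposed session) found in the given log lines."""
    exposed = []
    for line in lines:
        conn = parse_line(line)
        if conn is not None and is_exposed(conn):
            exposed.append(conn.peer)
    return exposed


# Constructed sample input: the first line is the one quoted in the post (re-joined
# onto one line); the second is an invented, encrypted session for contrast.
SAMPLE_LOG = [
    "20120212T11:00:41: [notice] (s2s.jabber.nth-dimension.org.uk): connected to "
    "gmail.com (unencrypted, no cert, auth=db, stream=preXMPP, compression=none)",
    "20120212T11:02:03: [notice] (s2s.jabber.nth-dimension.org.uk): connected to "
    "jabber.org (TLS, cert valid, auth=db, stream=preXMPP, compression=none)",
    "20120212T11:02:04: [notice] (c2s): unrelated line that should be ignored",
]

if __name__ == "__main__":
    for peer in audit(SAMPLE_LOG):
        print(f"exposed s2s session with {peer}")
```

Running the script over a server's notice log gives a quick list of federation peers that are only reachable in cleartext, which is the practical way to confirm the post's observation on your own deployment before deciding whether an opportunistic tls="yes" entry for a given peer is acceptable.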