Hey,

I used a packet sniffer as you suggested and sadly I was able to see all packets, including the ones that came after the server said "proceed".
I then used a commercial IM client and tried to sniff, and this one worked as expected. Everything after "proceed" was encrypted.

I don't get it. I wonder if this could be a platform issue (my application is based on Flash Player 8, so that's the ActionScript virtual machine) or if I misunderstood the TLS plain authentication in the first place.

Here's my full communication:

Client:
<?xml version="1.0"?><flash:stream to="myserver" xmlns="jabber:client" xmlns:flash="http://www.jabber.com/streams/flash" version="1.0">

Server:
<?xml version='1.0' encoding='UTF-8'?><flash:stream xmlns:flash="http://www.jabber.com/streams/flash" xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="myserver" id="77241f23" xml:lang="en" version="1.0"><stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>CRAM-MD5</mechanism><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism></mechanisms><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>

Client
<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>

Server
<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>

Client
<?xml version="1.0"?><flash:stream to="myserver" xmlns="jabber:client" xmlns:flash="http://www.jabber.com/streams/flash" version="1.0">

Server
<?xml version='1.0' encoding='UTF-8'?><flash:stream xmlns:flash="http://www.jabber.com/streams/flash" xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="myserver" id="77241f23" xml:lang="en" version="1.0"><stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>CRAM-MD5</mechanism><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism></mechanisms><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>

Client
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>[Base64 stuff]</auth>

Server
<success xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>

Client
<?xml version="1.0"?><flash:stream to="myserver" xmlns="jabber:client" xmlns:flash="http://www.jabber.com/streams/flash" version="1.0">

Server
<?xml version='1.0' encoding='UTF-8'?><flash:stream xmlns:flash="http://www.jabber.com/streams/flash" xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:client" from="myserver" id="d1eecb8b" xml:lang="en" version="1.0"><stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"></starttls><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>CRAM-MD5</mechanism><mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism><mechanism>ANONYMOUS</mechanism></mechanisms><auth xmlns="http://jabber.org/features/iq-auth"/><register xmlns="http://jabber.org/features/iq-register"/></stream:features>

Client
<iq id="log_user_1" type="get"><query xmlns="jabber:iq:auth"><username>userName</username></query></iq>

Server
<iq type="result" id="log_user_1"><query xmlns="jabber:iq:auth"><username>userName</username><password/><digest/><resource/></query></iq>

etc etc

What am I doing wrong ?

Many thanks,
Adrian.


Norman Rasmussen <[EMAIL PROTECTED]> wrote:
If you're enabling TLS then it's as secure as any https connection
(excepting the fact that certs are not checked correctly, etc).

If you're worried, try running tcpdump (or any other packet sniffer),
and check out the data that flows back and forth. You _should_ see
the initial xml stream, and the starttls request, but after that
everything should look encrypted.

--
- Norman Rasmussen
- Email: [EMAIL PROTECTED]
- Home page: http://norman.rasmussen.co.za/
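The trace above shows the tell-tale sign of a STARTTLS client that negotiates but never switches: after the server's `<proceed/>` the very next client bytes are again a plaintext `<?xml ...><flash:stream ...>` header, so the SASL PLAIN exchange that follows is readable by anyone on the path. In a working client the first bytes after `<proceed/>` are a TLS ClientHello (record type 0x16), and the stream restart travels inside the TLS session. The following is an added example, not code from the thread or from any XMPP library: a small checker that walks a "follow TCP stream" style capture (segments tagged `C`/`S`, constructed here to mirror Adrian's trace; the base64 is a made-up `userName`/`secret` credential, not what he posted) and reports whether TLS actually started and whether PLAIN credentials went over in the clear, plus a minimal client routine showing where the TLS handshake has to happen. The function and constant names (`audit_starttls`, `starttls_client`, `TRACE_BROKEN`, `TRACE_OK`) are this example's own.

```python
import base64
import re
import socket
import ssl
from typing import Dict, List, Optional, Tuple

# One segment of a captured TCP stream: ("C", payload) client->server,
# ("S", payload) server->client. Everything below is constructed for this
# example; it is not a real capture.
Segment = Tuple[str, bytes]

STREAM_HDR = (b'<?xml version="1.0"?><flash:stream to="myserver" xmlns="jabber:client" '
              b'xmlns:flash="http://www.jabber.com/streams/flash" version="1.0">')
FEATURES = (b'<stream:features><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>'
            b'<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
            b'<mechanism>PLAIN</mechanism></mechanisms></stream:features>')
STARTTLS = b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
PROCEED = b'<proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>'
# SASL PLAIN (RFC 4616): authzid \0 authcid \0 password; constructed credential.
PLAIN_B64 = base64.b64encode(b"\x00userName\x00secret")
AUTH = (b"<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>"
        + PLAIN_B64 + b"</auth>")

# What Adrian's sniffer saw: <proceed/> is answered with a cleartext stream restart.
TRACE_BROKEN: List[Segment] = [
    ("C", STREAM_HDR), ("S", FEATURES), ("C", STARTTLS), ("S", PROCEED),
    ("C", STREAM_HDR), ("S", FEATURES), ("C", AUTH),
]

# What a correct client produces: the first bytes after <proceed/> are a TLS
# handshake record (content type 0x16, version 0x03xx) carrying the ClientHello.
TRACE_OK: List[Segment] = [
    ("C", STREAM_HDR), ("S", FEATURES), ("C", STARTTLS), ("S", PROCEED),
    ("C", b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32),
]

PLAIN_RE = re.compile(rb"mechanism=['\"]PLAIN['\"]>([A-Za-z0-9+/=]+)</auth>")


def audit_starttls(trace: List[Segment]) -> Dict[str, object]:
    """Classify what happened after STARTTLS in a captured client/server stream."""
    report: Dict[str, object] = {
        "starttls_sent": False, "proceed_seen": False, "tls_started": False,
        "cleartext_after_proceed": False, "plain_credentials": None,
    }
    after_proceed = False
    first_client_checked = False
    for direction, data in trace:
        if direction == "S" and data.startswith(b"<proceed"):
            report["proceed_seen"] = True
            after_proceed = True
            continue
        if direction != "C":
            continue
        if not after_proceed and data.startswith(b"<starttls"):
            report["starttls_sent"] = True
        if after_proceed and not first_client_checked:
            first_client_checked = True
            if data[:2] == b"\x16\x03":          # TLS record: handshake, TLS 1.x
                report["tls_started"] = True
            elif data.lstrip().startswith(b"<"):  # XML again: TLS never applied
                report["cleartext_after_proceed"] = True
        if not report["tls_started"]:
            # Anything still in the clear is readable; decode PLAIN if present.
            m = PLAIN_RE.search(data)
            if m:
                parts = base64.b64decode(m.group(1)).split(b"\x00")
                report["plain_credentials"] = (parts[1].decode(), parts[2].decode())
    return report


def starttls_client(host: str, port: int, server_name: str, timeout: float = 10.0) -> ssl.SSLSocket:
    """Minimal correct STARTTLS: negotiate in the clear, then hand the SAME TCP
    socket to TLS. The stream restart and SASL go through the returned TLS socket.
    Needs a live server; not exercised by the offline checks above."""
    ctx = ssl.create_default_context()  # verifies the cert against the system CA store
    sock = socket.create_connection((host, port), timeout=timeout)
    sock.sendall(STREAM_HDR.replace(b"myserver", server_name.encode()))
    sock.recv(4096)                      # server stream header + features (assumed one read)
    sock.sendall(STARTTLS)
    if b"<proceed" not in sock.recv(4096):
        raise RuntimeError("server did not answer <proceed/>")
    tls_sock = ctx.wrap_socket(sock, server_hostname=server_name)  # ClientHello goes out here
    tls_sock.sendall(STREAM_HDR.replace(b"myserver", server_name.encode()))  # restart inside TLS
    return tls_sock


if __name__ == "__main__":
    for name, trace in (("broken", TRACE_BROKEN), ("ok", TRACE_OK)):
        print(name, audit_starttls(trace))
```

Run against a real capture, feed the checker the reassembled client/server segments (for example from Wireshark's "Follow TCP stream" export); a `cleartext_after_proceed` result with decoded `plain_credentials` is exactly the failure seen in the trace above, and it cannot occur once the client performs the handshake on the existing socket as `starttls_client` does.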

