
Closed
Created Jan 23, 2014 by fedor.brunner@fedor.brunner

Add SCRAM-SHA-1-PLUS authentication mechanisms

phenomenon

The current implementation of SSL/TLS in python-nbxmpp uses CA certificates as the PKI mechanism. There are currently 141 CA certificates in cacerts.pem in Gajim, and any of these CAs can sign a certificate which can be used to do a MiTM attack on any XMPP server. There have been instances where Certificate Authorities have issued fraudulent certificates: Comodo, DigiNotar, TurkTrust.

background analysis

The SCRAM-SHA-1-PLUS authentication mechanism (RFC 5802) supports channel binding to the TLS channel. So any tampering with the TLS connection will cause an authentication failure, which allows a MiTM attack to be detected.

implementation recommendation

The server jabber.org supports the SCRAM-SHA-1-PLUS authentication mechanism, so it can be used for testing the implementation.

SSL in Python 3.3 supports channel binding data: http://docs.python.org/3/library/ssl.html#ssl.SSLSocket.get_channel_binding
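To make the detection argument above concrete, here is an added example (not code from python-nbxmpp or from the issue author) of a minimal SCRAM-SHA-1-PLUS exchange per RFC 5802 with both the client and the server side in one file. The `tls-unique` value that each endpoint would normally read from `ssl.SSLSocket.get_channel_binding("tls-unique")` is passed in as a constructed byte string, so the exchange runs offline; the username, password, salt and the class/function names (`ScramClient`, `ScramServer`, `run_exchange`) are assumptions made for this example. When a MiTM terminates TLS in the middle, the two endpoints see different `tls-unique` values, and the example shows the two ways that surfaces: the server's `c=` comparison fails, and if the attacker patches `c=` to the server's value instead, the client proof (which covers the client's own `c=`) fails.

```python
import base64
import hashlib
import hmac
import os

# RFC 5802, SCRAM-SHA-1-PLUS: hash is SHA-1; channel binding type is tls-unique.
HASH = hashlib.sha1
GS2_HEADER = b"p=tls-unique,,"  # client selects channel binding, no authzid

def _hi(password, salt, iterations):           # Hi() from RFC 5802 == PBKDF2-HMAC-SHA1
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations)

def _hmac(key, msg):
    return hmac.new(key, msg, HASH).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _parse(msg):                               # "k=v,k=v" -> {b"k": b"v"}; SCRAM values contain no ","
    return {kv[:1]: kv[2:] for kv in msg.split(b",")}

class ScramClient:
    def __init__(self, username, password, cb_data):
        # cb_data: in a real client, ssl_sock.get_channel_binding("tls-unique") (constructed here).
        # Username escaping of "," and "=" (RFC 5802 s.5.1) is omitted; assumed absent.
        self.password, self.cb_data = password, cb_data
        self.cnonce = base64.b64encode(os.urandom(18))
        self.first_bare = b"n=" + username + b",r=" + self.cnonce

    def first_message(self):
        return GS2_HEADER + self.first_bare

    def final_message(self, server_first):
        attrs = _parse(server_first)
        nonce = attrs[b"r"]
        if not nonce.startswith(self.cnonce):
            raise ValueError("server nonce does not extend client nonce")
        self.salted = _hi(self.password, base64.b64decode(attrs[b"s"]), int(attrs[b"i"]))
        client_key = _hmac(self.salted, b"Client Key")
        stored_key = HASH(client_key).digest()
        # c= carries the gs2 header plus the client's view of the TLS channel.
        without_proof = b"c=" + base64.b64encode(GS2_HEADER + self.cb_data) + b",r=" + nonce
        self.auth_message = self.first_bare + b"," + server_first + b"," + without_proof
        proof = _xor(client_key, _hmac(stored_key, self.auth_message))
        return without_proof + b",p=" + base64.b64encode(proof)

    def verify_server(self, server_final):
        expected = base64.b64encode(_hmac(_hmac(self.salted, b"Server Key"), self.auth_message))
        return hmac.compare_digest(_parse(server_final)[b"v"], expected)

class ScramServer:
    def __init__(self, username, password, cb_data, iterations=4096):
        # A real server stores only salt, iteration count, StoredKey and ServerKey.
        self.username, self.cb_data, self.iterations = username, cb_data, iterations
        self.salt = os.urandom(16)
        salted = _hi(password, self.salt, iterations)
        self.stored_key = HASH(_hmac(salted, b"Client Key")).digest()
        self.server_key = _hmac(salted, b"Server Key")

    def first_message(self, client_first):
        if not client_first.startswith(GS2_HEADER):
            raise ValueError("client did not select tls-unique channel binding")
        self.client_first_bare = client_first[len(GS2_HEADER):]
        attrs = _parse(self.client_first_bare)
        if attrs[b"n"] != self.username:
            raise ValueError("unknown user")
        self.nonce = attrs[b"r"] + base64.b64encode(os.urandom(18))
        self.server_first = (b"r=" + self.nonce + b",s=" + base64.b64encode(self.salt)
                             + b",i=" + str(self.iterations).encode())
        return self.server_first

    def final_message(self, client_final):
        attrs = _parse(client_final)
        # Channel binding check: the client's view of the TLS channel must equal ours.
        if not hmac.compare_digest(base64.b64decode(attrs[b"c"]), GS2_HEADER + self.cb_data):
            raise ValueError("channel binding mismatch: possible TLS MITM")
        if attrs[b"r"] != self.nonce:
            raise ValueError("nonce mismatch")
        without_proof = client_final[:client_final.rfind(b",p=")]
        auth_message = self.client_first_bare + b"," + self.server_first + b"," + without_proof
        client_key = _xor(base64.b64decode(attrs[b"p"]), _hmac(self.stored_key, auth_message))
        if not hmac.compare_digest(HASH(client_key).digest(), self.stored_key):
            raise ValueError("bad client proof")
        return b"v=" + base64.b64encode(_hmac(self.server_key, auth_message))

def run_exchange(client_cb, server_cb, mitm_rewrites_c=False):
    """Run one exchange; client_cb/server_cb are the tls-unique bytes each endpoint sees.
    They are equal on a direct connection and differ when a MITM terminates TLS in between."""
    user, pw = b"alice", b"correct horse battery staple"   # constructed credentials
    client, server = ScramClient(user, pw, client_cb), ScramServer(user, pw, server_cb)
    try:
        client_final = client.final_message(server.first_message(client.first_message()))
        if mitm_rewrites_c:
            # Attacker patches c= to the server's value; it cannot recompute p= without the password.
            a = _parse(client_final)
            client_final = (b"c=" + base64.b64encode(GS2_HEADER + server_cb)
                            + b",r=" + a[b"r"] + b",p=" + a[b"p"])
        server_final = server.final_message(client_final)
    except ValueError as e:
        return "failed: " + str(e)
    return "ok" if client.verify_server(server_final) else "failed: bad server signature"

if __name__ == "__main__":
    same, other = b"\x01" * 12, b"\x02" * 12               # constructed tls-unique values
    print("direct connection:  ", run_exchange(same, same))
    print("MITM relays as-is:  ", run_exchange(same, other))
    print("MITM rewrites c=:   ", run_exchange(same, other, mitm_rewrites_c=True))
```

Two caveats a practitioner wiring this into `get_channel_binding()` should keep in mind: `tls-unique` is only sound for TLS 1.2 when both sides use the extended master secret extension (RFC 7627), and it is not defined for TLS 1.3 at all, where the `tls-exporter` binding from RFC 9266 replaces it. The server-side check must also be done before using the proof, so that a client whose channel binding differs is rejected without revealing whether the password was right.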
