OF-1957: If StartTLS is required, then no login mechanism should be offered until after TLS is negotiated


    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 4.4.4
    • Fix Version/s: None
    • Component/s: TLS
    • Labels: None

      Description

      Currently, if StartTLS is required, then Openfire offers available login mechanisms before TLS is negotiated. This potentially allows users to supply credentials in plain text.

      C: <?xml version='1.0' ?>
         <stream:stream to='localhost' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>

      S: <?xml version='1.0' encoding='UTF-8'?>
         <stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns="jabber:client" from="MY SERVER NAME" id="ID" xml:lang="en" version="1.0">
         <stream:features>
           <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
           <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
             <mechanism>PLAIN</mechanism>
           </mechanisms>
         </stream:features>


      Login mechanisms should not be offered until after TLS is negotiated if TLS is required.
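As an added illustration (not Openfire's code), a small Python helper that builds the `<stream:features>` a server should send for a given stream state, beside a check that flags the pattern this report describes: SASL mechanisms advertised in the same pre-TLS feature set as a required `<starttls/>`. The sample feature string is constructed from the exchange above; `build_features` is a hypothetical helper, not an Openfire API.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample, built from the exchange in the report: the pre-TLS
# <stream:features> that offers PLAIN next to a required <starttls/>.
REPORTED_FEATURES = (
    f'<stream:features xmlns:stream="{NS_STREAM}">'
    f'<starttls xmlns="{NS_TLS}"><required/></starttls>'
    f'<mechanisms xmlns="{NS_SASL}"><mechanism>PLAIN</mechanism></mechanisms>'
    '</stream:features>'
)


def build_features(tls_required, tls_negotiated, mechanisms=("PLAIN",)):
    """Hypothetical server-side helper (not Openfire's): return the
    <stream:features> string for the current stream state. SASL mechanisms are
    advertised only once TLS is negotiated, or when TLS is merely optional."""
    root = ET.Element(f"{{{NS_STREAM}}}features")
    if not tls_negotiated:
        starttls = ET.SubElement(root, f"{{{NS_TLS}}}starttls")
        if tls_required:
            ET.SubElement(starttls, f"{{{NS_TLS}}}required")
    if tls_negotiated or not tls_required:
        mechs = ET.SubElement(root, f"{{{NS_SASL}}}mechanisms")
        for name in mechanisms:
            ET.SubElement(mechs, f"{{{NS_SASL}}}mechanism").text = name
    return ET.tostring(root, encoding="unicode")


def advertised_mechanisms(features_xml):
    """SASL mechanism names present in a <stream:features> fragment."""
    root = ET.fromstring(features_xml)
    path = f"{{{NS_SASL}}}mechanisms/{{{NS_SASL}}}mechanism"
    return [m.text for m in root.findall(path)]


def offers_sasl_before_required_tls(features_xml):
    """True when the fragment both marks StartTLS as required and advertises
    SASL mechanisms: the pattern this issue reports, which invites a client
    to send credentials before the stream is encrypted."""
    root = ET.fromstring(features_xml)
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    required = (starttls is not None
                and starttls.find(f"{{{NS_TLS}}}required") is not None)
    return bool(required and advertised_mechanisms(features_xml))
```

Running `offers_sasl_before_required_tls` over the features a server sends on a fresh connection gives a quick compliance check against the behaviour described in this issue.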

    People

    • Assignee: Unassigned
    • Reporter: Greg Thomas (gdt)