XMPP SSL client certificates

Michal Witkowski neuro at o2.pl
Wed Jul 29 10:57:37 EDT 2009 

Hi,

I've been working on implementing XEP-0178 compatible client2server SASL External 
authentication for jabberd2 (https://bugs.launchpad.net/jabberd2/+bug/405233). I've 
already tested this implementation with a pyXmpp Python XMPP library and I would like to 
implement SASL External authentication (based on TLS certificates) in Pidgin. While 
implementing SASL External negotiation is trivial, assigning client certificates to TLS 
connections isn't as simple in Purple code.

I took a short glimpse at the current structure of Pidgin and I see two approaches.

1. Make a client cert/client key field in PurpleAccount/PurpleConnection, which would be 
operated from the Account settings dialog box. Then somehow propagate the information (by 
possibly modifying other data structures) right up to ssl-gnutls and explicitly set the 
connection credentials using SSL_CTX_use_certificate_file and SSL_CTX_use_PrivateKey_file. 

This approach is a bit hackish, yet simple. The user could set the certificates per 
account explicitly, encouraging the feel that the certificate is not only used for SSL but 
also for auth. However, this approach would require some modifications to key data 
structures. Would this be a really bad thing or is it acceptable?

2. Another approach is to rely on PurpleCertificatePool for storing client certificates. 
This would require adding another statically (for example 'client_certs) created pool of 
certificates (next to 'tls_peers'). ssl-gnutls would then rely on 
(http://www.gnu.org/software/gnutls/manual/html_node/Using-a-callback-to-select-the-
certificate-to-use.html) a callback function to match the server-acceptable CA's against 
certificates in this pool. 

While elegant, this approach is complicated. PurpleCertificatePool, as far as I can see, 
doesn't support looking up certificates by issuer DN, only by subject DN. Support for 
issuer DN lookup would have to be added. Additonally, RSA key support is missing. I've 
tested the certificate manager by importing a PEM file containg a x509 cert with a RSA 
key. Only the x509 was read. That comes as no suprise, since ssl-gnutls only imports x509 
parts of datums. After scoping around I found that the certificate manager code is hard to 
modify in order to accomodate private key handling, although I can be missing some obvious 
ways of doing it.


If anyone has any suggestions as to how to proceed, please let me know.

Cheers,
Michal

More information about the Devel mailing list