TLSv1 SSL handshake doesn't work with gtalk

[sjoerd]

When connecting to gtalk using starttls and doing a TLSv1 SSL handshake, the gtalk server will stop responding and drop your connection :(

Using the SSLv23 method instead works fine, both for gtalk and various other jabber servers.

[ralphm]

XMPP Core (RFC 3920) uses TLS for securing the transport, and only references SSL once to refer to older methods that did not use STARTTLS. Therefore, I believe this bug is at Google Talk but I will verify this within the Jabber community.

That said, if I am not mistaking, SSLv2 has several nasty vulnerabilities, so we don't want to use that. It seems that SSLv3_METHOD also works with Google Talk. However, I don't think TLS is used in this case, which would be a bad default.

That leaves your suggestion of using SSLv23_METHOD. The client would send SSLv2 hello messages, and advertise supporting SSLv2, SSLv3 and TLSv1. Those can then be limited to only TLSv1 by using set_options on the context (OP_NO_SSLv2, OP_NO_SSLv3). However, that doesn't seem to work with Google Talk. Disabling TLSv1 support and leaving SSLv3 support on, does work. That would suggest that Google Talk only supports SSLv3, and only if TLS is disabled, or none are disabled. Yuck. I'll look further into this.

[ralphm]

Oh, by the way, this is the first time I noticed this. It has worked before, I'm quite sure.

[exarkun]

Other people have mentioned this problem before, but I've also been able to successfully connect to gtalk previously.

[sjoerd]

Some other people here that hit this issue noticed that old-style ssl works fine. But the <starttls /> method doesn't

[ralphm]

As mentioned on the Twisted Jabber mailinglist, the problem appears to be not in Google Talk per se. Apparently Java does not handle the empty Session Ticket extension in the hello, that signals support for the extension, correctly.

A workaround is to disable this extension by setting the OP_NO_TICKET option on the SSL context. I've verified that this allows the Twisted based clients to connect again. I attached a patch for a quick fix, but we need to do this better. First of all, my PyOpenSSL doesn't expose the option value (0x4000) with a module attribute, so I had to hard code it.

exarkun: do you have a suggestion how to do this properly within Twisted?

[ralphm]

Patch to disable the Session Ticket extension

[WizKid]

I first reported the bug to Sun the 22 July.

When Sun make the bug public, info about it will be here: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6728126 . But when that happen I have no idea. First Sun thought that there could be some security problem with the bug but when they understood that it couldn't they made it public for a short time but then they removed it again.

[ralphm]

(In [25410]) Branching to 'jabber-tls-handshake-3463'

[ralphm]

This change disables the Session Tickets extension by default, which makes connections to Google Talk and other buggy implementations work again.

Please review.

[exarkun]

1. Please open a ticket in the pyOpenSSL tracker for exposing OP_NO_TICKET
2. How can I test this? I tried doc/words/examples/xmpp_client.py but it apparently managed to start TLS with and without the changes in this branch. I suppose the OpenSSL version is important here. Do you know which version introduces the problem? I have 0.9.8g-4ubuntu3.

[ralphm]

Replying to exarkun:

1. Please open a ticket in the pyOpenSSL tracker for exposing OP_NO_TICKET

https://bugs.launchpad.net/pyopenssl/+bug/300220 Done].

2. How can I test this? I tried doc/words/examples/xmpp_client.py but it apparently managed to start TLS with and without the changes in this branch. I suppose the OpenSSL version is important here. Do you know which version introduces the problem? I have 0.9.8g-4ubuntu3.

The addition of Session Tickets has been introduced in one of the versions that ship with Ubuntu Intrepid (8.10). This is somewhere after the version you mentioned, which is for Hardy (8.4). I haven't been able to track down exactly which version, though. Looking at the upstream changelog, this functionality should only appear in version 0.9.9, but Ubuntu has applied a large patch against 0.9.8g for its packages.

Although the Twisted 8.2 milestone has been deleted (why not just closed?), it would be very nice if this could ship in that release.

[exarkun]

Great. Please merge.

Talk to radix about how to get this into 8.2.

[ralphm]

(In [25471]) Add an option to select if TLS Session Ticket extension is used.

Author: ralphm. Reviewer: exarkun. Fixes #3463.

The option is off by default to work around faulty server implementations that become unresponsive when sending an empty TLS Session Ticket extension in the TLS hello. This should solve connection issues with Google Talk, if using an OpenSSL implementation that enables session tickets by default.