XMPP's xmlstream is not checking TLS certificate

[Jérôme Poisson]

words.protocols.jabber.xmlstream's TLSInitiatingInitializer is not checking TLS certificate, and has not option to do so. As a result, any certificate can be used without alert.

The ssl.CertificateOptions in TLSInitiatingInitializer.onProceed method should have an option (probably activated by default) to set trustRoot = ssl.platformTrust().

I set this as a defect and high priority because it's a security issue (TLS encryption is mandatory in XMPP since 2014).

github PR: ​https://github.com/twisted/twisted/pull/1084 ​https://github.com/twisted/twisted/pull/1147

[Wim Lewis]

(removing review keyword after leaving comment: ​https://github.com/twisted/twisted/pull/1084#issuecomment-439517473 ; re-add the keyword when it's ready for review again)

[Glyph]

Keywords are used for workflow.

[Jérôme Poisson]

Hello, just for the record I'm sorry for the long delay, I have been overwhelmed lastly and didn't update my PR yet, but I will.

[Glyph]

Hello, just for the record I'm sorry for the long delay, I have been overwhelmed lastly and didn't update my PR yet, but I will.

No need to apologize. We're all volunteers here :).

Ralph is probably going to take over the fix for this PR, but there are going to be a number of follow-up issues which we'd be delighted to have your help with :).

[ralphm]

Created a more comprehensive PR for this, including the ability to pass custom certificate options. ​https://github.com/twisted/twisted/pull/1147

Please review.

[Glyph]

Thanks, Ralph!

Reviewed & approved at ​https://github.com/twisted/twisted/pull/1147#pullrequestreview-242396041 .

[Ralph Meijer <ralphm@…>]

In cf8ed698:

Merge pull request #1147 from twisted/9561-xmpp-tls-verify-cert

#9561 Check remote certificates for XMPP TLS (CVE-2019-12855)

Author: ralphm
Reviewer: glyph, alex
Fixes: ticket:9561