[Adium-devl] Padlocks & Security
Andreas Monitzer
soc at monitzer.com
Thu Oct 18 09:22:23 UTC 2007
On Oct 18, 2007, at 05:00, Colin Barrett wrote:
> 19:38 < cbarrett> isn't it obvious from the checkboxes though that encryption is on?
> 19:39 < zac> well, does that 100% imply that the active connection is encrypted?
> 19:40 < cbarrett> I don't know the details of xmpp but it would seem to me that if you have "Use SSL" checked, it should use SSL always or fail to connect
> 19:40 < zac> well, you can "require ssl" but it can go either way if the server does or doesn't support it, i think
On XMPP, encryption is negotiated after the initial connection is
made, using the STARTTLS protocol. It is quite possible that the
server does not support encryption, in which case the connection is
made without it. This is the reason for the "Require SSL" checkbox. When
it's enabled, the connection is dropped before authenticating if the
server doesn't offer encryption.
On Oct 18, 2007, at 05:25, Colin Barrett wrote:
> On Oct 17, 2007, at 8:21 PM, Peter Hosey wrote:
>
>> What if we use the certificate icon instead to mean “SSL”?
>
> Not a bad idea. Could we get a UI hooked up to show information about
> the certificate if it was clicked (and maybe a rollover state as
> well?)
That's a great idea, I like that. The required API for it is marked with
#if MAC_OS_X_VERSION_MAX_ALLOWED >= MAC_OS_X_VERSION_10_5
in my headers here, though. Maybe the Carbon menu stuff has something
that does that in earlier versions, since the Finder has something
like that for the label color selection.
On Oct 18, 2007, at 07:19, Zachary West wrote:
> I gave it some thought. Perhaps we can do away with the icon, and
> just put "(SSL)" at the end of the items that are connected via
> encryption.
Technically, it's the more recent TLS on XMPP, not the old SSL. I
think renaming SSL to TLS in later versions was the most confusing
thing they could do...
On Oct 18, 2007, at 05:49, Evan Schoenberg wrote:
> Andy had some code in progress this past summer which would hook the
> OpenSSL plugin into the OS X cert validation stuff (Keychain.app and
> so forth), which would be even awesomer.
That's not quite correct. I implemented a separate plugin that uses
the CDSA API to implement encryption. This is the API Mac OS X itself
provides, and thus what the keychain hooks into.
The plugin is complete; however, it does have an annoying bug I just
don't quite get: after some time, you can send messages, but not
receive them. The strange thing is that I just copy/pasted Apple's
example code into your OpenSSL plugin, so there's not much room for
such a bug.
Maybe if you could look into that and fix it, it'd be no issue any more.
andy
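The STARTTLS negotiation Andy describes, as an added illustration that is not Adium's or libpurple's code: the server advertises (or does not advertise) `<starttls/>` in its `<stream:features/>` only after the TCP connection is up, so a client cannot know in advance whether encryption will be available. The stanzas and namespace follow RFC 3920 section 5 (now RFC 6120). The `FakeServer`, the `strip_starttls` attacker and the account `alice`/`hunter2` are constructed for the simulation. The attacker function shows why the "Require" setting matters beyond servers that simply lack TLS: anyone on the path can delete the `<starttls/>` advertisement, and a client that merely prefers encryption will then send its SASL credentials in the clear, while one that requires it drops the stream before any credentials leave the machine.

```python
"""Simulated XMPP STARTTLS negotiation (RFC 3920/6120 section 5).
Added example with a constructed server and attacker; not Adium/libpurple code."""
import base64
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_STREAM = "http://etherx.jabber.org/streams"

# Constructed <stream:features/> stanzas as a server sends them right after the
# client's opening <stream:stream>. Whether <starttls/> is present is the
# server's choice; the client only learns it once connected.
FEATURES_TLS = (f'<stream:features xmlns:stream="{NS_STREAM}">'
                f'<starttls xmlns="{NS_TLS}"/>'
                f'<mechanisms xmlns="{NS_SASL}"><mechanism>PLAIN</mechanism></mechanisms>'
                '</stream:features>')
FEATURES_NO_TLS = (f'<stream:features xmlns:stream="{NS_STREAM}">'
                   f'<mechanisms xmlns="{NS_SASL}"><mechanism>PLAIN</mechanism></mechanisms>'
                   '</stream:features>')


class FakeServer:
    """Constructed server side of the wire: answers stanzas and records them."""

    def __init__(self, supports_tls, accept_starttls=True):
        self.supports_tls = supports_tls
        self.accept_starttls = accept_starttls
        self.received = []      # every stanza the client put on the wire
        self.encrypted = False  # set once <proceed/> is sent (TLS handshake would follow)

    def features(self):
        return FEATURES_TLS if self.supports_tls else FEATURES_NO_TLS

    def handle(self, stanza):
        self.received.append(stanza)
        el = ET.fromstring(stanza)
        if el.tag == f"{{{NS_TLS}}}starttls":
            if self.supports_tls and self.accept_starttls:
                self.encrypted = True
                return f'<proceed xmlns="{NS_TLS}"/>'
            # RFC: server answers <failure/> and then closes the stream
            return f'<failure xmlns="{NS_TLS}"/>'
        if el.tag == f"{{{NS_SASL}}}auth":
            return f'<success xmlns="{NS_SASL}"/>'
        return None


def strip_starttls(features_xml):
    """Constructed active attacker on the path: deletes the <starttls/>
    advertisement so a permissive client carries on in plaintext."""
    root = ET.fromstring(features_xml)
    for el in root.findall(f"{{{NS_TLS}}}starttls"):
        root.remove(el)
    return ET.tostring(root, encoding="unicode")


def connect(server, require_tls, features_filter=None):
    """Client side up to and including authentication. Returns an outcome label:
    'tls'       STARTTLS negotiated; SASL then runs inside the TLS session
    'plaintext' no STARTTLS offered and require_tls is off; SASL runs in the clear
    'aborted'   require_tls is on and no STARTTLS offered; stream dropped before auth
    'closed'    server answered <failure/>; the client never falls back to plaintext
    """
    features = server.features()
    if features_filter is not None:
        features = features_filter(features)   # what the client actually sees
    offered = ET.fromstring(features).find(f"{{{NS_TLS}}}starttls") is not None

    if not offered:
        if require_tls:
            return "aborted"   # the "Require SSL" behaviour: nothing sensitive sent
        outcome = "plaintext"
    else:
        reply = ET.fromstring(server.handle(f'<starttls xmlns="{NS_TLS}"/>'))
        if reply.tag != f"{{{NS_TLS}}}proceed":
            return "closed"
        outcome = "tls"        # real client: run the TLS handshake on the same socket here

    # Only now do credentials go on the wire (constructed account alice/hunter2).
    creds = base64.b64encode(b"\0alice\0hunter2").decode()
    server.handle(f'<auth xmlns="{NS_SASL}" mechanism="PLAIN">{creds}</auth>')
    return outcome


def sent_credentials(server):
    """True if a SASL <auth/> stanza reached the server."""
    return any(f"{{{NS_SASL}}}auth" == ET.fromstring(s).tag for s in server.received)


if __name__ == "__main__":
    for label, srv, req, flt in [
        ("honest server, require on ", FakeServer(True), True, None),
        ("no-TLS server, require on ", FakeServer(False), True, None),
        ("no-TLS server, require off", FakeServer(False), False, None),
        ("stripped,      require off", FakeServer(True), False, strip_starttls),
        ("stripped,      require on ", FakeServer(True), True, strip_starttls),
    ]:
        out = connect(srv, req, flt)
        print(f"{label}: {out:9s} credentials sent={sent_credentials(srv)} "
              f"encrypted={srv.encrypted}")
```

The four interesting rows are the two "stripped" ones: the server fully supports TLS in both, yet with the requirement off the client ends up authenticating in the clear, and only the requirement turns that into an abort. This is also why "Use SSL" as a mere preference cannot be displayed as "this connection is encrypted"; only the negotiated outcome can.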