Tuesday, May 22, 2012

Google Talk seems to federate XMPP in the clear

As long as I'm talking about TLS, I might as well mention another fun thing in that realm I just found this morning.

Do you use Google Talk? If so, do you talk to anyone who isn't on Google Talk (aka XMPP Federation)? How about the opposite - if you don't use Google Talk yourself (yay!), do you talk to anyone who does? Be aware that accounts on domains other than gmail.com can be hosted there too, thanks to the magic of SRV records.

So here's the thing. If you have a server to server (s2s) connection involving Google Talk, odds are it is happening in the clear. I discovered this while flipping certs around this morning. A quick tcpdump of port 5269 showed that while my jabberd was setting up TLS with everyone else, anything hosted at Google was coming up as plaintext. I could see actual chat messages flying around.

Some quick poking around on my part revealed this is not a new situation. I've also found log extracts from other people showing their connections to Google coming up without TLS, going back several years.

It's pretty easy to see the difference in responses. First, try it to a gmail.com account. Connect to xmpp-server.l.google.com on port 5269 and send it this:

<?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:server' to='gmail.com' from='example.org' version='1.0' xmlns:db='jabber:server:dialback'>

The reply will be this:

<stream:stream id="---REMOVED---" xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:server" xmlns:db="jabber:server:dialback">

XML garbage aside, no big deal, right? Look at what isn't there, though: no version='1.0' on the reply and no <stream:features>, so no <starttls/> offer to take up. So now let's compare to something else, like fastmail.fm, which despite its other stupidity, actually gets TLS over server-to-server links right.

In this case, it's a connection to chat.messagingengine.com on port 5269, sending this:

<?xml version='1.0'?><stream:stream xmlns:stream='http://etherx.jabber.org/streams' xmlns='jabber:server' to='fastmail.fm' from='example.org' version='1.0' xmlns:db='jabber:server:dialback'>

This time, check out the response. It's quite a bit different:

<stream:stream xmlns:stream="http://etherx.jabber.org/streams" xmlns="jabber:server" xmlns:db="jabber:server:dialback" to="example.org" from="fastmail.fm" version="1.0" id="---REMOVED---"><stream:features xmlns:stream="http://etherx.jabber.org/streams"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/></stream:features>

Clearly, they are ready to roll and want to do TLS. Google? Not so much.
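The by-hand check above, as an added example (this is not the post's own code): a small Python script that sends the same s2s stream opener, reads the peer's greeting, and reports whether it advertises STARTTLS in <stream:features>. The host, domains and 3-second timeout are assumptions for illustration; the parser only looks at what the peer sends back.

```python
import socket
import xml.parsers.expat

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

def stream_header(to_domain, from_domain):
    # The same s2s stream opener the post sends by hand.
    return ("<?xml version='1.0'?>"
            f"<stream:stream xmlns:stream='{STREAM_NS}' xmlns='jabber:server' "
            f"to='{to_domain}' from='{from_domain}' version='1.0' "
            "xmlns:db='jabber:server:dialback'>")

def analyze_greeting(data):
    # Report what the peer's stream header and <stream:features> offer.
    # The root <stream:stream> stays open by design, so expat gets the bytes
    # as a non-final chunk rather than being asked for a complete document.
    seen = {"version": None, "features": False, "starttls": False, "required": False}

    def start(name, attrs):
        if name == f"{STREAM_NS} stream":
            seen["version"] = attrs.get("version")  # absent on a pre-1.0 peer
        elif name == f"{STREAM_NS} features":
            seen["features"] = True
        elif name == f"{TLS_NS} starttls":
            seen["starttls"] = True
        elif name == f"{TLS_NS} required":
            seen["required"] = True

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartElementHandler = start
    parser.Parse(data, False)
    return seen

def probe_s2s(host, to_domain, from_domain="example.org", port=5269, timeout=3.0):
    # Open a raw s2s connection, send the opener, and analyze the reply.
    # Stops early once </stream:features> arrives; a peer that sends only the
    # bare stream header is read until the timeout, then reported as offering nothing.
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(stream_header(to_domain, from_domain).encode())
        while b"</stream:features>" not in buf:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            buf += chunk
    return analyze_greeting(buf)
```

A peer whose greeting comes back with no <stream:features> has nothing to negotiate, so the only protection on your side is a server configured to refuse s2s links that don't offer TLS rather than fall back to plaintext.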