[zeromq-dev] ZMTP security
Matthew Hawn
matthewh at donaanacounty.org
Fri Sep 19 00:55:21 CEST 2014
I was thinking more of a malicious man-in-the-middle. I have a test case available that downgrades curve to null.
________________________________________
From: zeromq-dev-bounces at lists.zeromq.org [zeromq-dev-bounces at lists.zeromq.org] on behalf of Pieter Hintjens [ph at imatix.com]
Sent: Wednesday, September 17, 2014 11:33 PM
To: ZeroMQ development list
Subject: Re: [zeromq-dev] ZMTP security
I just added a test case to test_security_curve where the client tries
to connect to a server socket configured with CURVE, while using a
NULL mechanism. This is what libzmq logs:
NULL I: client sent invalid NULL handshake (not READY)
And it does reject the connection. So that seems to work properly.
Same thing when I try to use a PLAIN user/password.
-Pieter
On Wed, Sep 17, 2014 at 11:52 PM, Matthew Hawn
<matthewh at donaanacounty.org> wrote:
> I think I might have found a problem with negotiation of the security mechanism. In the current source, zmq::stream_engine_t::handshake sets up the security mechanism based on the greeting received from the peer, but does not seem to validate that against what was sent to the peer or specified in the socket options. Am I missing something?
>
> Matt
>
>
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev at lists.zeromq.org
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
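
The check asked about in this thread, as an added example that is not libzmq code and not from either poster: the mechanism name in a received greeting is compared with the locally configured mechanism before any handshake state is created. The function names and the Verdict enum are hypothetical, the greetings are constructed sample input, and the 64-byte layout is the ZMTP 3.0 greeting (3.x peers only are assumed).

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// ZMTP 3.0 greeting, 64 bytes: signature[10] (0xFF, 8 padding bytes, 0x7F),
// version major/minor[2], mechanism[20] NUL-padded, as-server[1], filler[31].
constexpr size_t GREETING_SIZE = 64, MECH_OFFSET = 12, MECH_SIZE = 20;

enum class Verdict { Accept, Malformed, MechanismMismatch };

// Hypothetical helper: accept the greeting only if the mechanism the peer
// announced is exactly the one configured on the local socket.
Verdict check_peer_mechanism(const unsigned char *g, size_t len,
                             const std::string &configured)
{
    if (len != GREETING_SIZE || g[0] != 0xFF || g[9] != 0x7F || g[10] < 3)
        return Verdict::Malformed;
    const unsigned char *mech = g + MECH_OFFSET;
    size_t n = 0;
    while (n < MECH_SIZE && mech[n] != 0)
        ++n;
    if (n == 0)
        return Verdict::Malformed;
    for (size_t i = n; i < MECH_SIZE; ++i)   // the rest must be NUL padding
        if (mech[i] != 0)
            return Verdict::Malformed;
    if (configured.size() != n || memcmp(mech, configured.data(), n) != 0)
        return Verdict::MechanismMismatch;   // e.g. NULL offered, CURVE required
    return Verdict::Accept;
}

// Builds a constructed sample greeting for the demonstration below.
void make_greeting(unsigned char *g, const char *mechanism, bool as_server)
{
    memset(g, 0, GREETING_SIZE);
    g[0] = 0xFF; g[9] = 0x7F;                // signature
    g[10] = 3;   g[11] = 0;                  // version 3.0
    size_t n = strlen(mechanism);
    memcpy(g + MECH_OFFSET, mechanism, n > MECH_SIZE ? MECH_SIZE : n);
    g[32] = as_server ? 1 : 0;
}

int main()
{
    unsigned char g[GREETING_SIZE];
    make_greeting(g, "CURVE", false);
    printf("CURVE peer: %d\n", static_cast<int>(check_peer_mechanism(g, sizeof g, "CURVE")));
    make_greeting(g, "NULL", false);         // greeting as seen after a downgrade
    printf("NULL peer:  %d\n", static_cast<int>(check_peer_mechanism(g, sizeof g, "CURVE")));
    return 0;
}
```
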