[zeromq-dev] ZMTP security

Pieter Hintjens ph at imatix.com
Fri Sep 19 09:36:38 CEST 2014


So you can downgrade the client by ignoring the mechanism it sends,
and accepting the connection without any further verification? That is
worth fixing, yes.

Could you perhaps add that test case to the libzmq test cases?

I don't think you can downgrade the server to null however, can you?



On Fri, Sep 19, 2014 at 12:55 AM, Matthew Hawn
<matthewh at donaanacounty.org> wrote:
> I was thinking more of a malicious man-in-the-middle.  I have a test case available that downgrades curve to null.
> ________________________________________
> From: zeromq-dev-bounces at lists.zeromq.org [zeromq-dev-bounces at lists.zeromq.org] on behalf of Pieter Hintjens [ph at imatix.com]
> Sent: Wednesday, September 17, 2014 11:33 PM
> To: ZeroMQ development list
> Subject: Re: [zeromq-dev] ZMTP security
>
> I just added a test case to test_security_curve where the client tries
> to connect to a server socket configured with CURVE, while using a
> NULL mechanism. This is what libzmq logs:
>
>     NULL I: client sent invalid NULL handshake (not READY)
>
> And it does reject the connection. So that seems to work properly.
> Same thing when I try to use a PLAIN user/password.
>
> -Pieter
>
> On Wed, Sep 17, 2014 at 11:52 PM, Matthew Hawn
> <matthewh at donaanacounty.org> wrote:
>> I think I might have found a problem with negotiation of the security mechanism. In the current source, zmq::stream_engine_t::handshake sets up the security mechanism based on the greeting received from the peer, but does not seem to validate that against what was sent to the peer or specified in the socket options. Am I missing something?
>>
>> Matt
>>
>>
>> _______________________________________________
>> zeromq-dev mailing list
>> zeromq-dev at lists.zeromq.org
>> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
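The check the thread is asking for is that the mechanism named in the peer's greeting must match the mechanism the local socket was configured with, rather than being adopted as-is. The following is an added example, not libzmq code and not from anyone in this thread: it parses the 64-byte ZMTP 3.0 greeting (10-byte signature, 2 version bytes, 20-byte NUL-padded mechanism, as-server flag, 31 filler bytes) and refuses to proceed when the peer names a different mechanism, so a NULL greeting arriving at a socket configured for CURVE is rejected before any handshake command is processed. The function names `build_greeting`, `parse_greeting` and `select_mechanism` are hypothetical, and the greetings fed to it are constructed inline for the demonstration.

```python
# Added example, not libzmq code: validate the mechanism in a ZMTP 3.0
# greeting against the mechanism the local socket was configured with.
from typing import Tuple

GREETING_LEN = 64                              # ZMTP 3.0 greeting is exactly 64 bytes
SIGNATURE = b"\xff" + b"\x00" * 8 + b"\x7f"    # 10-byte signature
KNOWN_MECHANISMS = {"NULL", "PLAIN", "CURVE"}  # mechanisms libzmq implements


def build_greeting(mechanism: str, as_server: bool = False) -> bytes:
    """Construct a ZMTP 3.0 greeting for the given mechanism (test helper)."""
    mech = mechanism.encode("ascii")
    if len(mech) > 20:
        raise ValueError("mechanism name exceeds 20 bytes")
    return (SIGNATURE
            + bytes([3, 0])                    # version 3.0
            + mech.ljust(20, b"\x00")          # mechanism field, NUL-padded
            + bytes([1 if as_server else 0])   # as-server flag
            + b"\x00" * 31)                    # filler


def parse_greeting(data: bytes) -> dict:
    """Parse the 64-byte greeting; raise ValueError on structural problems."""
    if len(data) != GREETING_LEN:
        raise ValueError(f"greeting must be {GREETING_LEN} bytes, got {len(data)}")
    if data[0] != 0xFF or data[9] != 0x7F:
        raise ValueError("bad signature")
    major, minor = data[10], data[11]
    if major != 3:
        raise ValueError(f"unsupported ZMTP major version {major}")
    mechanism = data[12:32].rstrip(b"\x00").decode("ascii")
    as_server = data[32] == 1
    return {"version": (major, minor), "mechanism": mechanism, "as_server": as_server}


def select_mechanism(configured: str, peer_greeting: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason).

    The peer's greeting may only confirm the mechanism this socket was
    configured with (hypothetical stand-in for the socket option); any other
    mechanism is refused instead of being adopted, which is the validation
    the thread says the handshake currently lacks.
    """
    try:
        g = parse_greeting(peer_greeting)
    except ValueError as e:
        return False, f"malformed greeting: {e}"
    peer_mech = g["mechanism"]
    if peer_mech not in KNOWN_MECHANISMS:
        return False, f"unknown mechanism {peer_mech!r}"
    if peer_mech != configured:
        return False, f"peer offered {peer_mech}, socket configured for {configured}"
    return True, f"proceeding with {configured} handshake"


if __name__ == "__main__":
    # Constructed greetings: a genuine CURVE server greeting, and a NULL
    # greeting arriving at a socket that was configured for CURVE.
    print(select_mechanism("CURVE", build_greeting("CURVE", as_server=True)))
    print(select_mechanism("CURVE", build_greeting("NULL")))
    print(select_mechanism("CURVE", b"\x00" * GREETING_LEN))
```

The decision is made on the local configuration alone: the greeting can confirm the expected mechanism or be rejected, but it can never change which mechanism the connection will use.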


