[zeromq-dev] ZMTP security
Pieter Hintjens
ph at imatix.com
Fri Sep 19 19:14:49 CEST 2014
Matthew,
For the benefit of others I'm posting the MIM Python program you sent me.
This seems to (I am too stupid to install pyzmq, so can't run it)
prove the downgrade attack; it forces both client and server to NULL
and then captures the traffic.
-Pieter
On Fri, Sep 19, 2014 at 9:36 AM, Pieter Hintjens <ph at imatix.com> wrote:
> So you can downgrade the client by ignoring the mechanism it sends,
> and accepting the connection without any further verification? That is
> worth fixing, yes.
>
> Could you perhaps add that test case to the libzmq test cases?
>
> I don't think you can downgrade the server to null however, can you?
>
>
>
> On Fri, Sep 19, 2014 at 12:55 AM, Matthew Hawn
> <matthewh at donaanacounty.org> wrote:
>> I was thinking more of a malicious man-in-the-middle. I have a test case available that downgrades curve to null.
>> ________________________________________
>> From: zeromq-dev-bounces at lists.zeromq.org [zeromq-dev-bounces at lists.zeromq.org] on behalf of Pieter Hintjens [ph at imatix.com]
>> Sent: Wednesday, September 17, 2014 11:33 PM
>> To: ZeroMQ development list
>> Subject: Re: [zeromq-dev] ZMTP security
>>
>> I just added a test case to test_security_curve where the client tries
>> to connect to a server socket configured with CURVE, while using a
>> NULL mechanism. This is what libzmq logs:
>>
>> NULL I: client sent invalid NULL handshake (not READY)
>>
>> And it does reject the connection. So that seems to work properly.
>> Same thing when I try to use a PLAIN user/password.
>>
>> -Pieter
>>
>> On Wed, Sep 17, 2014 at 11:52 PM, Matthew Hawn
>> <matthewh at donaanacounty.org> wrote:
>>> I think I might have found a problem with negotiation of the security mechanism. In the current source, zmq::stream_engine_t::handshake sets up the security mechanism based on the greeting received from the peer, but does not seem to validate that against what was sent to the peer or specified in the socket options. Am I missing something?
>>>
>>> Matt
>>>
>>>
>>> _______________________________________________
>>> zeromq-dev mailing list
>>> zeromq-dev at lists.zeromq.org
>>> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
>> _______________________________________________
>> zeromq-dev mailing list
>> zeromq-dev at lists.zeromq.org
>> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
>>
>> _______________________________________________
>> zeromq-dev mailing list
>> zeromq-dev at lists.zeromq.org
>> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
-------------- next part --------------
A non-text attachment was scrubbed...
Name: mitm_test.py
Type: text/x-python
Size: 4566 bytes
Desc: not available
URL: <https://lists.zeromq.org/pipermail/zeromq-dev/attachments/20140919/99496df2/attachment.py>
More information about the zeromq-dev
mailing list