https://github.com/stpeter/manifesto/blob/master/manifesto.txt calls for: o provide user or administrative interfaces showing: o if a given client-to-server or server-to-server connection is encrypted, authenticated, or both o the version of TLS and the cipher suite in use o details about a server's certificate o a warning about any changes to a server's certificate Gabble should provide enough information that Empathy can do this.
Straw-man design: Connection.Interface.Securable property Encrypted : b, readable If true, this connection is known to be encrypted to a reasonable level. The definition of "reasonable" is intentionally left vague. This can change from false to true, but if it would change from true to false, connection managers SHOULD disconnect instead. Change notification is via o.fd.DBus.Properties.PropertiesChanged. property Authenticated : b, readable True if this channel occurs over a connection that is protected against tampering, and has been verified to be with the desired destination: for instance, one where TLS was previously negotiated, and the TLS certificate has been verified against a configured certificate authority or accepted by the user. This can change from false to true, but if it would change from true to false, connection managers SHOULD disconnect instead. Change notification is via o.fd.DBus.Properties.PropertiesChanged. property CipherSuiteID : u, readable The numeric ID of the cipher suite from the IETF TLS Cipher Suite registry, in the form (first byte * 256) + second byte. For instance, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xC0, 0x09) is denoted by 49161 (0xC009). 0 (TLS_NULL_WITH_NULL_NULL) means the connection has no effective security. Connection managers MAY use this cipher suite ID to represent known-weak cipher suites not described in the TLS Cipher Suite registry. The maximum 32-bit unsigned integer (4294967295) means the connection manager cannot represent the cipher suite in terms of the TLS Cipher Suite registry. Change notification is via o.fd.DBus.Properties.PropertiesChanged. enum { Not_TLS = 0, SSL_2 = 2*256, SSL_3 = 3*256, TLS_1_1 = 3*256 + 1, TLS_1_1 = 3*256 + 2, TLS_1_2 = 3*256 + 3, } TLS_Version; property TLSVersion : u (TLS_Version), readable The SSL/TLS version in use, in the form (major byte * 256) + minor byte, or 0 if the connection is not using SSL/TLS. For instance, TLS 1.1 is 3*256 + 2 due to its use of { 3, 2 } as the ProtocolVersion. Change notification is via o.fd.DBus.Properties.PropertiesChanged. property CertificateType : s The type of the certificate used to authenticate the server, e.g. "x509" or "pgp", as for TLSCertificate, or the empty string if a certificate was not used. Change notification is via o.fd.DBus.Properties.PropertiesChanged. property CertificateChainData : aay (Certificate_Data[]) The certificate chain, as for TLSCertificate. Change notification is via o.fd.DBus.Properties.PropertiesChanged. Actually implementing this in Gabble will require some contortions: GNUTLS doesn't tell us the cipher suite, only separate values for the key exchange, cipher and MAC. We could maybe replace CipherSuiteID with separate properties, but I'm really keen to outsource this to something like the IETF TLS registry rather than maintaining enums in Telepathy. If we port Wocky to GTLS (which we should really), we lose the ability to get this information at all, unless we enhance GTLS...
-- GitLab Migration Automatic Message -- This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/telepathy/telepathy-gabble/issues/268.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.