This version (2017/05/27 13:44) is a draft.

[08:43:49] * ChanServ sets mode: +o temporalfox

[10:50:56] <whitenexx> Hi together

[10:51:23] <whitenexx> Maybe someone could help me or knows how to do it the correct way? https://groups.google.com/forum/#!topic/vertx/QA5GDBNUo18

[11:01:33] * ChanServ sets mode: +o temporalfox

[15:33:32] *** ChanServ sets mode: +o temporalfox

[22:33:20] <AlexLehm> temporalfox: hi julien, I am moving the tls test to the NetTest class and I think a test that should test the same condition is already present, not sure why this was not failing

[22:38:50] <temporalfox> hi AlexLehm

[22:39:50] <AlexLehm> Hi

[22:42:31] <temporalfox> so you will correct it soon ?

[22:45:36] <AlexLehm> yes

[22:45:54] <AlexLehm> this test does not make sense NetTest#testHostVerificationHttpsMatching

[22:46:23] <AlexLehm> it sets hostname checking HTTPS, but also trustAll, so it turns off hostname checking

[22:46:43] <temporalfox> who wrote it ?

[22:46:54] <AlexLehm> unless it is expected that trustAll should trust all certs but still check the hostname

[22:47:22] <AlexLehm> probably who implemented the setHostnameVerificationAlgorithm patch, have to check

[22:48:07] <AlexLehm> checking the blame

[22:48:19] <AlexLehm> dan-lind

[22:48:53] <temporalfox> ah

[22:49:04] <temporalfox> he has done that because he wanted this algorithm for NetTest

[22:49:12] <temporalfox> ah ok

[22:49:18] <temporalfox> it should be corrected

[22:49:38] <temporalfox> but trustAll is about certificates

[22:50:01] <temporalfox> you could trust a certificate but refuse it because the hostname does not match the certificate dn

[22:50:18] <temporalfox> (which is weird)

[22:50:37] <temporalfox> the test above does that testHostVerificationHttpsNotMatching

[22:50:49] <AlexLehm> that test is correct

[22:50:52] <temporalfox> same settings but it does not match

[22:51:26] <temporalfox> probably we should have the same test but without self-signed certs

[22:51:43] <AlexLehm> yes, that is the test I implemented I think

[22:52:39] <AlexLehm> actually this function is very important for security, if you do not set HostnameVerificationAlgorithm(“HTTPS”), the connection can be man-in-the-middle'd by supplying a valid cert for another host

[22:53:02] <AlexLehm> I tried that by creating a cert for my domain with letsencrypt and I could attack my mail connection to google

[22:53:22] <temporalfox> but for that you need to hack DNS ?

[22:53:45] <AlexLehm> well, i did it by changing the hosts entry on my local machine, that is not really a full attack

[22:54:10] <AlexLehm> it would either be possible to do dns spoofing or it might be possible to do wlan spoofing of some kind i think

[22:54:27] <AlexLehm> e.g. the attack with a WLAN router in a coffee shop

[22:54:27] <temporalfox> ok

[22:54:36] <AlexLehm> (or hotel wlan)

[22:54:38] <temporalfox> I don't know how it is done

[22:54:46] <temporalfox> how does it work ?

[22:54:49] <AlexLehm> the cafe-attack is quite funny actually

[22:55:59] <AlexLehm> there is a device called the banana-router that has two wlan cards and you put your own public wlan on one antenna and the other one connects either to the wlan of the cafe or you use a mobile hotspot on your mobile data connection

[22:56:39] <AlexLehm> when somebody in the cafe accidentally connects to your connection, it can do some kind of mitm attacks and provide the real internet via the 2nd wlan

[22:57:03] <AlexLehm> have never actually tried if that works, but a friend of mine has bought the device and has told me about it

[22:57:34] <AlexLehm> pineapple router actually https://www.wifipineapple.com/

[22:57:58] <AlexLehm> dns spoofing is possible and also arp poisoning might be a possibility

[22:58:27] <temporalfox> I think you need to hack ARP for doing something like dns spoofing

[23:00:05] <AlexLehm> not quite sure how dns spoofing works, I assume you have to fake answer packets and reach the client before the proper answer comes

[23:00:30] <AlexLehm> if you do arp spoofing, I don't think you need dns spoofing, you can just redirect the local connection

[23:02:26] <AlexLehm> also, your it department might decide to spoof you on the firewall :-)

[23:03:00] <AlexLehm> In theory

[23:03:21] <AlexLehm> or I could try to look at the mails my girlfriend sends out

[23:03:46] <temporalfox> AlexLehm yes

[23:04:04] <temporalfox> as I worked a bit on DnsNameResolver in Netty

[23:04:13] <temporalfox> you just need to send a packet before

[23:04:23] <temporalfox> usually a hostname resolver sends multiple queries

[23:04:30] <temporalfox> and take the first response

[23:04:37] <temporalfox> at least it's now how it works in vertx

[23:04:42] <temporalfox> it makes 3 queries

[23:04:48] <temporalfox> (configurable)

[23:05:27] <AlexLehm> when i am at home, I could reconfigure the cable modem to use just a different dns that returns my addresses

[23:06:17] <AlexLehm> my “choice” of addresses I should say

[23:09:00] <AlexLehm> should I use the TLSCert.JKS_ROOT_CA() values or should I keep the path names for the certs?

[23:17:33] <AlexLehm> temporalfox: i have pushed the changed test, let me just check the jenkins

[23:21:18] <temporalfox> ok

[23:21:43] <temporalfox> you should use TLSCert when you can

[23:42:42] <AlexLehm> temporalfox: ok, i changed the TLSCert and ran the ci build once more

[23:42:56] <AlexLehm> could you please take a look at the pr again?

[23:43:05] <temporalfox> yes

[23:43:08] <temporalfox> will do soon

[23:43:58] <temporalfox> can you replace

[23:43:58] <temporalfox> new JksOptions().setPath(“tls/server-keystore-root-ca.jks”)

[23:44:01] <temporalfox> with the enum ?

[23:44:07] <AlexLehm> i just did

[23:44:23] <AlexLehm> i think

[23:46:20] <temporalfox> ok

[23:46:26] <temporalfox> I must have looked at the wrong push