TLS support

[abma]

the current development version of springlobby supports to connect to the lobby server via tls.

would be nice if some people could test it before i release it! :)

To test in springlobby: server->disconnect, server->connect, select TLS... done

requires at least this commit: https://github.com/springlobby/springlo ... 83ab0ffe7d

screenshot.png (24.2 KiB) Viewed 15219 times

Implementation details
For the connection openssl is used and only the certificate fingerprint is checked. Thats basicly the same es certificate-pinning.
This check is hardcoded atm, this should be changed soon.

The win32 development build has already tls-support, too.

when tls is used in springlobby.log (currently) this shows up:

Message /home/abma/dev/SpringLobby/src/socket.cpp:282 Certificate fingerprint: 0124dc0f4295b401a2d81ade3dc81b7a467eb9a70b0a4912b5e15fede735fe73
Message /home/abma/dev/SpringLobby/src/socket.cpp:286 Using TLSv1.2
Message /home/abma/dev/SpringLobby/src/socket.cpp:289 Using cipher ECDHE-RSA-AES256-GCM-SHA384

for details see https://github.com/springlobby/springlo ... socket.cpp


STARTTLS example client
This simple client written in python initates the tls connection (but does nothing else):

https://github.com/spring/uberserver/bl ... sclient.py

Note: this is my first tls-server (=uberserver) and client (=SpringLobby), so hopefully i didn't introduce some horrible security hole like others did. Hints are welcome!

[dansan]

I compiled and started 0.256-32-g07b01a4d6

I found this in the logfile:

Code: Select all

Message  /home/dtroeder/git/springlobby/src/tasserver.cpp:1010 sent: #1 STARTTLS
Message  /home/dtroeder/git/springlobby/src/socket.cpp:233 Starting TLS...
Message  /home/dtroeder/git/springlobby/src/socket.cpp:282 Certificate fingerprint: 0124dc0f4295b401a2d81ade3dc81b7a467eb9a70b0a4912b5e15fede735fe73
Message  /home/dtroeder/git/springlobby/src/socket.cpp:285 Using TLSv1.2
Message  /home/dtroeder/git/springlobby/src/socket.cpp:288 Using cipher ECDHE-RSA-AES256-GCM-SHA384
Message  /home/dtroeder/git/springlobby/src/tasserver.cpp:995 sent: LOGIN ... <password removed>

I am irritated though: There was chat stuff ("#3 JOIN ..." etc) before the TLS connect.

[abma]

full springlobby.log then please.

StartTLS is sent before login happens. Without beeing logged in JOIN etc. doesn't work. Very likely you disconnected and reconnected.

[dansan]

Very likely you disconnected and reconnected.

Absolutely correct
First connected with old settings, disconnected to get the login dialog, enabled TLS and connected again.
Just tried it out with TLS already enabled and removed the old logfile, and nothing was sent before StartTLS :)

[abma]

weird, tls should be enabled by default after the update. thats a bug then maybe...