server: check permissions on TLS key and certificate at early state

Question

server: check permissions on TLS key and certificate at early state

Closed this issue 6 years ago · 1 comments

When the server starts up and wrong permissions do not allow Jackal to access certificate and key, this happens:

2018-05-08 13:08:04 ℹ️ [INF] main:99 - jackal 0.2.0

2018-05-08 13:08:04 ℹ️ [INF] server:92 - default: listening at 0.0.0.0:5222 [transport: socket]
2018-05-08 13:08:13 ℹ️ [INF] c2s:141 - registered stream... (id: default:1)
2018-05-08 13:08:13 🔍 [DBG] c2s_stream:889 - RECV: <stream:stream to="localhost" version="1.0" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams"/>
2018-05-08 13:08:13 🔍 [DBG] c2s_stream:937 - SEND: <?xml version="1.0"?><stream:stream xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" id="0cd01d9e-f756-4f05-9231-2b576113db77" from="jackal.local" version="1.0">
2018-05-08 13:08:13 🔍 [DBG] c2s_stream:883 - SEND: <stream:error><host-unknown xmlns="urn:ietf:params:xml:ns:xmpp-streams"/></stream:error>
2018-05-08 13:08:13 ℹ️ [INF] c2s:171 - unregistered stream... (id: default:1)
2018-05-08 13:08:20 ℹ️ [INF] c2s:141 - registered stream... (id: default:2)
2018-05-08 13:08:20 🔍 [DBG] c2s_stream:889 - RECV: <stream:stream to="jackal.local" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0"/>
2018-05-08 13:08:20 🔍 [DBG] c2s_stream:937 - SEND: <?xml version="1.0"?><stream:stream xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" id="540748f0-628e-486e-8999-1aa8844c4eab" from="jackal.local" version="1.0">
2018-05-08 13:08:20 🔍 [DBG] c2s_stream:883 - SEND: <stream:features xmlns:stream="http://etherx.jabber.org/streams" version="1.0"><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls></stream:features>
2018-05-08 13:08:20 🔍 [DBG] c2s_stream:889 - RECV: <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
2018-05-08 13:08:20 💥 [ERR] c2s_stream:516 - open /etc/jackal/jackal.local.key: permission denied
2018-05-08 13:08:20 🔍 [DBG] c2s_stream:883 - SEND: <failure xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>

Maybe it's better to check permissions and validity of the certificates in a more early state, so Jackal can fail and return a error code immediately after startup. This would be more admin friendly ;-)

Answer 1 · 2018-05-22T07:38:48.000Z

Implemented on 0.3