It's been some weeks since I've been able to use Kontalk XMPP from my notebook, using a custom Python script to remedy for the lack of client certificate authentication in Pidgin. The code was very ugly (it still is) and had hard-coded values.
So I decided to fix it a bit and release it in the public domain. You can find the script in the
xmppserver repository (download link). You'll need Twisted to run it.
user@host:~/kontalk/xmppserver/test$ ./ssl_bridge.py -h
usage: ssl_bridge.py [-h] [-d] [-p PORT] --domain DOMAIN -c CERTIFICATE -k
An XMPP bridge for clients not supporting SSL client certificate
address forward connections to this host (host:port)
-h, --help show this help message and exit
-d, --debug enable debug output
-p PORT, --port PORT listen for local connections on this port (default:
--domain DOMAIN use this domain for stream initialization
-c CERTIFICATE, --certificate CERTIFICATE
X.509 certificate file
-k PRIVATEKEY, --privatekey PRIVATEKEY
X.509 private key file
ssl_bridge.py is basically a tunnel that masks the STARTTLS process by doing its own SSL handshake using a provided client certificate and private key.
The first thing you have to do is to export the client certificate and private key from your device. Of course you have to register to Kontalk first if you haven't done it yet. Open Kontalk, press menu > Settings > Export personal key. This will create four files on your SD card:
Transfer the two highlighted files to your computer. Then you'll need to convert them to an appropriate format using the following commands:
openssl x509 -inform der -outform pem -in kontalk-login.crt -out kontalk-login.pem
openssl rsa -inform der -outform pem -in kontalk-login.key -out kontalk-login.rsa
Your certificate and private key are ready for use!
Start the SSL bridge script:
./ssl_bridge.py -p 5224 --domain kontalk.net -c kontalk-login.pem -k kontalk-login.rsa beta.kontalk.net:5222
This will start to listen on port 5224 which will be forwarded to beta.kontalk.net:5222 after STARTTLS have been negotiated.
Now it's time to configure your favourite XMPP client. We will take Pidgin as an example but the configuration is pretty much the same.
Create a new XMPP account using these parameters:
- username: dummy (doesn't matter actually)
- domain: kontalk.net
- password: dummy (doesn't matter)
- check Remember password
- connection security: Use encryption if available
- check Allow plaintext auth over unencrypted streams
- connect port: 5224
- connect server: localhost
And there you go!!! Connect your account and you will see buddies with strange codes. Those are your buddies hashed phone numbers. You'll have to recognize each one by talking to them, sorry. You can then rename your buddies accordingly, Pidgin will keep track of the names.
Please note that encrypted messages are not supported by Pidgin and you'll have to tell your buddies to disable encryption when they talk to you (you won't receive anything otherwise).
Also delivery confirmations are not supported, so your buddy will not see his/her messages confirmed. The only way to confirm them is to open Kontalk from Android. You will receive all the unconfirmed messages again and the app will confirm them.
The SSL bridge script is still not perfect, if you have any problem please report them to the Kontalk issue tracker.