How to use Kontalk 3.0 with a desktop XMPP client

Published: 2014-02-26 18:41:50 by Daniele Ricci

WARNING: this post is outdated. Please refer to this page.

It's been some weeks since I've been able to use Kontalk XMPP from my notebook, using a custom Python script to remedy the lack of client certificate authentication in Pidgin. The code was very ugly (it still is) and had hard-coded values.
So I decided to fix it a bit and release it in the public domain. You can find the script in the xmppserver repository (download link). You'll need Twisted to run it.

user@host:~/kontalk/xmppserver/test$ ./ -h
usage: [-h] [-d] [-p PORT] --domain DOMAIN -c CERTIFICATE -k

An XMPP bridge for clients not supporting SSL client certificate

positional arguments:
  address               forward connections to this host (host:port)

optional arguments:
  -h, --help            show this help message and exit
  -d, --debug           enable debug output
  -p PORT, --port PORT  listen for local connections on this port (default:
  --domain DOMAIN       use this domain for stream initialization
                        X.509 certificate file
  -k PRIVATEKEY, --privatekey PRIVATEKEY
                        X.509 private key file

The script is basically a tunnel that masks the STARTTLS process by doing its own SSL handshake using a provided client certificate and private key.

The first thing you have to do is to export the client certificate and private key from your device. Of course you have to register to Kontalk first if you haven't done it yet. Open Kontalk, press menu > Settings > Export personal key. This will create four files on your SD card:

  • kontalk-login.crt
  • kontalk-login.key
  • kontalk-private.pgp
  • kontalk-public.pgp

Transfer the two login files, kontalk-login.crt and kontalk-login.key, to your computer. Then you'll need to convert them from DER to PEM format using the following commands:

openssl x509 -inform der -outform pem -in kontalk-login.crt -out kontalk-login.pem
openssl rsa -inform der -outform pem -in kontalk-login.key -out kontalk-login.rsa

Your certificate and private key are ready for use!
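
Before starting the bridge, it is worth confirming that the two converted files are really PEM and that the key belongs to the certificate. The following is an added example, not part of the original post or of the Kontalk script; the function name check_login_pair and its return codes are assumptions made for illustration.

```sh
# Added example (not part of the Kontalk script): pre-flight check for the
# converted login files. Usage: check_login_pair CERT_PEM KEY_PEM
# Returns 0 when OK, 1 if a file is not usable PEM, 2 if certificate and key
# do not match, 3 if the key's permissions could not be tightened.
check_login_pair() {
    cert=$1
    key=$2

    # The conversion step must have produced PEM; a file still in DER form
    # has no "-----BEGIN" armor line.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null || {
        echo "not a PEM certificate: $cert" >&2; return 1; }
    grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$key" 2>/dev/null || {
        echo "not a PEM private key: $key" >&2; return 1; }

    # Derive the public key from each file; identical output means the
    # private key belongs to this certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl rsa -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || {
        echo "certificate and key do not match" >&2; return 2; }

    # The converted key is stored without a passphrase: owner-only access.
    chmod 600 "$key" || return 3

    # Print whose certificate this is and when it expires.
    openssl x509 -in "$cert" -noout -subject -enddate
}

# With the file names from the conversion step above:
#   check_login_pair kontalk-login.pem kontalk-login.rsa
```

A non-zero return code means the files should be exported and converted again before they are handed to the bridge.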

Start the SSL bridge script:

./ -p 5224 --domain -c kontalk-login.pem -k kontalk-login.rsa

This will start listening on port 5224, which will be forwarded to after STARTTLS has been negotiated.

Now it's time to configure your favourite XMPP client. We will take Pidgin as an example, but the configuration is pretty much the same in other clients.
Create a new XMPP account using these parameters:

  • username: dummy (doesn't matter actually)
  • domain:
  • password: dummy (doesn't matter)
  • check Remember password
  • connection security: Use encryption if available
  • check Allow plaintext auth over unencrypted streams (the client talks plaintext only to the local bridge, which does the SSL handshake itself)
  • connect port: 5224
  • connect server: localhost

And there you go!!! Connect your account and you will see buddies with strange codes. Those are your buddies' hashed phone numbers. You'll have to recognize each one by talking to them, sorry. You can then rename your buddies accordingly; Pidgin will keep track of the names.

Please note that encrypted messages are not supported by Pidgin and you'll have to tell your buddies to disable encryption when they talk to you (you won't receive anything otherwise).
Also, delivery confirmations are not supported, so your buddy will not see his/her messages confirmed. The only way to confirm them is to open Kontalk from Android. You will receive all the unconfirmed messages again and the app will confirm them.

The SSL bridge script is still not perfect; if you have any problems, please report them to the Kontalk issue tracker.
