[Pidgin] #6516: Change what Jabber checks for in the X.509 common name
Pidgin
trac at pidgin.im
Fri Aug 8 13:43:55 EDT 2008
#6516: Change what Jabber checks for in the X.509 common name
-----------------------+----------------------------------------------------
Reporter: wehlhard | Owner: deryni
Type: patch | Status: new
Priority: minor | Milestone: 2.5.0
Component: XMPP | Version: 2.4.3
Resolution: | Keywords:
Pending: 0 |
-----------------------+----------------------------------------------------
Comment (by deryni):
So in discussing this some in the devel@ muc room it was decided that it
is ok to check the connect server but that we should not be checking IP
addresses (whether specified by the connect server or the jid domain).
{{{
(12:33:36) stpeter: but back to 6516
(12:34:04) stpeter: ok
(12:34:23) stpeter: so *if* the user configures in a connect server then
it's ok to check that
(12:35:14) stpeter: however I agree that you would not check the connect
server (or the xmpp-domain either) if it's an IP address, because certs
are not issued for IP addresses
(12:36:46) mark.doliner: If the domain has an SRV record and no connect
server has been specified, should the certificate be checked using the
domain name or using the SRV name?
(12:37:52) stpeter: brb
(12:47:23) stpeter: mark.doliner: the domain of the user's JID, because
DNS can be poisoned
(12:47:38) stpeter: so you can't really trust the SRV records
(12:47:55) stpeter: at least according to the security mafia :)
(12:49:10) elb: well, aside from DNS's poisoning or not, it's not a
cryptographically secured relationship
(12:50:04) stpeter: elb: correct
}}}
So instead of the patch as it currently stands we need to check the
connect server both for existance and for being a hostname and use that if
it exists, otherwise just use the jid domain.
--
Ticket URL: <http://developer.pidgin.im/ticket/6516#comment:2>
Pidgin <http://pidgin.im>
Pidgin
More information about the Tracker
mailing list