[Pidgin] #6516: Change what Jabber checks for in the X.509 common name

Pidgin trac at pidgin.im
Mon Aug 18 14:51:22 EDT 2008


#6516: Change what Jabber checks for in the X.509 common name
----------------------+-----------------------------------------------------
 Reporter:  wehlhard  |        Owner:  deryni
     Type:  patch     |       Status:  new   
Milestone:  2.5.0     |    Component:  XMPP  
  Version:  2.4.3     |   Resolution:        
 Keywords:            |  
----------------------+-----------------------------------------------------

Comment(by deryni):

 As I said I don't think the RFC indicates any method by which the user
 need provide the hostname only that the hostname provided by the user MUST
 be used and not the hostname retrieved via DNS SRV lookup. In that spirit
 my best reasoning about this (and stpeter's as well, as indicated by the
 chatroom log I posted) is that the connect server should most certainly be
 treated as a 'hostname as provided by the initiating entity' and not as
 one 'resolved via the Domain Name System' and as such should be checked.

 Also as I indicated the code needs to be changed to only check the connect
 server when the connect server is a hostname and not an IP (the common
 case in all situations I've seen) so that this doesn't break things for
 people.

 Yes, it would be nice to support fallback validation for the domain name
 if the connect server hostname matching fails (though I'm unsure about the
 technical correctness of such a mechanism). So to restate, the patch needs
 to be rewritten to use purple_ip_address_is_valid on the connect server as
 well as just testing it for existence before using it. Further work to
 support the fallback list is also welcome. Assuming I finally manage to
 get some time in the near future I will work on this myself should no one
 get to this before me.

 I don't believe we use the SRV record to check the certificate at the
 moment, if we do I don't see how your patch fixes that either. Can you
 show me where you think we do that?

-- 
Ticket URL: <http://developer.pidgin.im/ticket/6516#comment:4>
Pidgin <http://pidgin.im>
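The name-selection rule discussed in this comment, as an added example in C that is not Pidgin's code: a user-supplied connect server is checked against the certificate only when it is a hostname rather than an IP literal, with the account domain kept as a fallback. inet_pton() stands in for purple_ip_address_is_valid(), and the exact CN comparison is an assumption (no wildcard or SAN handling).

```c
/* Added example, not Pidgin code. Decides which name(s) an XMPP client
 * should compare against the server certificate: the connect server counts
 * as a "hostname provided by the initiating entity" and is checked, but only
 * when it is not an IP literal; the JID domain is kept as a fallback.
 * inet_pton() stands in for purple_ip_address_is_valid() (assumption). */
#include <arpa/inet.h>
#include <string.h>
#include <strings.h>

/* Returns 1 if s is an IPv4 or IPv6 literal, 0 otherwise. */
static int is_ip_literal(const char *s)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Fills names[] with the names to verify, in order of preference.
 * Returns how many were filled in (0, 1 or 2). */
int xmpp_cert_names_to_check(const char *domain, const char *connect_server,
                             const char *names[2])
{
    int n = 0;
    /* A connect server that exists and is a hostname must be checked. */
    if (connect_server && *connect_server && !is_ip_literal(connect_server))
        names[n++] = connect_server;
    /* The JID domain is the fallback, unless it duplicates the first entry. */
    if (domain && *domain && (n == 0 || strcmp(domain, connect_server) != 0))
        names[n++] = domain;
    return n;
}

/* Exact, case-insensitive CN comparison (assumption: no wildcard matching). */
static int cn_matches(const char *cn, const char *name)
{
    return strcasecmp(cn, name) == 0;
}

/* Returns 1 if the certificate CN matches any candidate name, else 0. */
int xmpp_cert_cn_accepted(const char *cn, const char *domain,
                          const char *connect_server)
{
    const char *names[2];
    int n = xmpp_cert_names_to_check(domain, connect_server, names);
    for (int i = 0; i < n; i++)
        if (cn_matches(cn, names[i]))
            return 1;
    return 0;
}
```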