[Pidgin] #4570: The XMPP plugin uses the hostname given by the SRV record to perform certificate validation
Pidgin
trac at pidgin.im
Sat Jan 5 11:22:28 EST 2008
----------------------+-----------------------------------------------------
Reporter: steffen | Owner: nwalp
Type: defect | Status: new
Priority: minor | Milestone:
Component: XMPP | Version: 2.3.1
Resolution: | Keywords:
Pending: 1 |
----------------------+-----------------------------------------------------
Changes (by steffen):
* pending: 1 => 0
Comment:
Replying to [comment:1 rlaager]:
> If an attacker controls the DNS of that domain, I think you've lost.
I don't think so. (That's what the certificates are for, isn't it?)
Anyway, using the names from the SRV RRs causes trouble (for self-signed
certificates you'll have to accept the certificate multiple times when you
have more than one SRV RR) and RFC 3920 says otherwise: (RFC 3920 5.1.)
{{{
8. Certificates MUST be checked against the hostname as provided by
the initiating entity (e.g., a user), not the hostname as
resolved via the Domain Name System; e.g., if the user specifies
a hostname of "example.com" but a DNS SRV [SRV] lookup returned
"im.example.com", the certificate MUST be checked as
"example.com". If a JID for any kind of XMPP entity (e.g.,
client or server) is represented in a certificate, it MUST be
represented as a UTF8String within an otherName entity inside the
subjectAltName, using the [ASN.1] Object Identifier
"id-on-xmppAddr" specified in Section 5.1.1 of this document.
}}}
--
Ticket URL: <http://developer.pidgin.im/ticket/4570#comment:2>
Pidgin <http://pidgin.im>
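The two validation policies this ticket contrasts, modelled as an added example that is not Pidgin's code: `Cert`, `Client`, `name_matches`, `reference_identity` and all hostnames and fingerprints are constructed stand-ins, and `use_srv=True` stands for the reported behaviour of checking against the SRV target rather than the user-entered domain.

```python
# Added example, not Pidgin code: certificates are constructed records, no real X.509 parsing.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Cert:
    fingerprint: str
    names: tuple                 # SAN dNSName and otherName id-on-xmppAddr values
    self_signed: bool = False

def name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive compare; a leading '*.' matches exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def reference_identity(user_domain: str, srv_target: str, use_srv: bool) -> str:
    """RFC 3920 5.1 rule 8: check against what the user typed, not the SRV
    target. use_srv=True reproduces the behaviour reported in this ticket."""
    return srv_target if use_srv else user_domain

@dataclass
class Client:
    use_srv: bool
    accepted: dict = field(default_factory=dict)   # reference hostname -> fingerprint
    prompts: int = 0

    def validate(self, user_domain: str, srv_target: str, cert: Cert) -> bool:
        ref = reference_identity(user_domain, srv_target, self.use_srv)
        if not cert.self_signed:   # CA-issued: must be issued for the reference identity
            return any(name_matches(n, ref) for n in cert.names)
        # Self-signed: the user is prompted once per hostname the cert is checked as.
        if self.accepted.get(ref) != cert.fingerprint:
            self.prompts += 1
            self.accepted[ref] = cert.fingerprint
        return True

def self_signed_prompts(use_srv: bool) -> int:
    """steffen's complaint: one self-signed cert behind two SRV records."""
    c = Client(use_srv)
    cert = Cert("aa:bb", ("example.com",), self_signed=True)
    for target in ("im1.example.com", "im2.example.com", "im1.example.com"):
        c.validate("example.com", target, cert)
    return c.prompts

def srv_cert_accepted(use_srv: bool) -> bool:
    """rlaager's scenario: DNS points at a host the user never typed, and that
    host presents a CA-issued certificate for its own name, not example.com."""
    cert = Cert("cc:dd", ("im.example.net",))
    return Client(use_srv).validate("example.com", "im.example.net", cert)
```

With the SRV target as reference the user is prompted once per distinct SRV host and a certificate issued for whatever host DNS returns is accepted; with the user-entered domain as reference there is one prompt and only a certificate for `example.com` passes.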