[Pidgin] #4570: The XMPP plugin uses the hostname given by the SRV record to perform certificate validation

Pidgin trac at pidgin.im
Sat Jan 5 11:22:28 EST 2008


#4570: The XMPP plugin uses the hostname given by the SRV record to perform
certificate validation
----------------------+-----------------------------------------------------
  Reporter:  steffen  |       Owner:  nwalp
      Type:  defect   |      Status:  new  
  Priority:  minor    |   Milestone:       
 Component:  XMPP     |     Version:  2.3.1
Resolution:           |    Keywords:       
   Pending:  1        |  
----------------------+-----------------------------------------------------
Changes (by steffen):

  * pending:  1 => 0

Comment:

 Replying to [comment:1 rlaager]:
 > If an attacker controls the DNS of that domain, I think you've lost.
 I don't think so. (That's what the certificates are for, isn't it?)

 Anyway, using the names from the SRV RRs causes trouble (for self-signed
 certificates you'll have to accept the certificate multiple times when you
 have more than one SRV RR) and RFC 3920 says otherwise: (RFC 3920 5.1.)

 {{{
    8.  Certificates MUST be checked against the hostname as provided by
        the initiating entity (e.g., a user), not the hostname as
        resolved via the Domain Name System; e.g., if the user specifies
        a hostname of "example.com" but a DNS SRV [SRV] lookup returned
        "im.example.com", the certificate MUST be checked as
        "example.com".  If a JID for any kind of XMPP entity (e.g.,
        client or server) is represented in a certificate, it MUST be
        represented as a UTF8String within an otherName entity inside the
        subjectAltName, using the [ASN.1] Object Identifier
        "id-on-xmppAddr" specified in Section 5.1.1 of this document.
 }}}

-- 
Ticket URL: <http://developer.pidgin.im/ticket/4570#comment:2>
Pidgin <http://pidgin.im>
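
The rule quoted from RFC 3920 above, as an added Python illustration (not Pidgin's code and not part of the ticket): the same certificate check is run once with the SRV target as the reference name and once with the domain the user typed. All host names and certificate dicts are constructed, the helper names are hypothetical, and only dNSName entries are compared (no id-on-xmppAddr handling).

```python
# Added example: names and certificates below are constructed for illustration.

def dns_names(cert):
    """dNSName entries from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """Exact match, or a single left-most '*' label wildcard."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def verify_peer(cert, user_domain, srv_target, use_srv_name=False):
    """Return True if the certificate is acceptable for this connection.

    use_srv_name=True reproduces the behaviour reported in the ticket
    (reference name taken from DNS); False follows RFC 3920 5.1 rule 8.
    """
    reference = srv_target if use_srv_name else user_domain
    return any(name_matches(n, reference) for n in dns_names(cert))

# Constructed scenario: the user enters a JID at example.com.
USER_DOMAIN = "example.com"
GOOD_SRV = "im.example.com"  # legitimate SRV target
GOOD_CERT = {"subjectAltName": (("DNS", "example.com"),)}
# Forged SRV answer naming a host that holds a valid certificate for itself.
FORGED_SRV = "xmpp.attacker.test"
FORGED_CERT = {"subjectAltName": (("DNS", "xmpp.attacker.test"),)}

if __name__ == "__main__":
    cases = (("legit", GOOD_CERT, GOOD_SRV), ("forged", FORGED_CERT, FORGED_SRV))
    for label, cert, srv in cases:
        print(label,
              "| SRV-name check:", verify_peer(cert, USER_DOMAIN, srv, True),
              "| user-domain check:", verify_peer(cert, USER_DOMAIN, srv))
```

With the SRV name as reference, the forged answer is accepted and the legitimate server's certificate is rejected; with the user-supplied domain the outcome is reversed, whatever DNS returned.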