[Pidgin] #7367: "Old SSL" for XMPP doesn't work
Pidgin
trac at pidgin.im
Wed Aug 26 02:46:48 EDT 2009
#7367: "Old SSL" for XMPP doesn't work
--------------------+-------------------------------------------------------
Reporter: Lam | Owner: deryni
Type: defect | Status: new
Milestone: 2.6.2 | Component: XMPP
Version: 2.5.2 | Resolution:
Keywords: |
--------------------+-------------------------------------------------------
Comment(by darkrain42):
Replying to [comment:9 deryni]:
> Yeah, I'm not sure what I was thinking about exactly. So I think we can
> ignore it. =)
>
> I'm not sure we can correctly handle this case at all though. If we fail
> a connection when we are already encrypted and see
> <starttls><required/></starttls> we will permanently break connections to
> any broken servers which offer starttls over an encrypted connection
That's broken as-is, right? This would be no worse (and could offer a
decent error message as to why the connection isn't ever going to work).
> and we can never be certain if the connection to the actual server is
> encrypted (as opposed to a local proxy of some sort) so we can't safely
> ignore starttls (required or not).
This should still present a certificate mismatch warning, unless the
enterprise proxying the connection also installs their own CA and adds it
to our trust store and signs a cert for, e.g., gmail.com (That's
particularly evil). There's no way to know that's ever ''not'' the case,
though. The best we can tell is that Pidgin thinks the connection is
encrypted and the server strangely doesn't. Perhaps we should throw up a
warning prompt about a possible MITM?
If we can't pay attention to starttls and fail the connection and we can't
safely ignore starttls, what are you suggesting we do? :-)
--
Ticket URL: <http://developer.pidgin.im/ticket/7367#comment:10>
Pidgin <http://pidgin.im>
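The handling darkrain42 is arguing for (surface a warning, rather than silently ignoring STARTTLS or hard-failing, when a connection Pidgin already believes is encrypted still sees a <starttls/> feature) written out as an added Python example; this is not Pidgin's code, and the stream-feature samples and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"

# Constructed <stream:features/> samples (not captured from any real server).
FEATURES_REQUIRED = (
    "<stream:features xmlns:stream='%s'>"
    "<starttls xmlns='%s'><required/></starttls>"
    "</stream:features>" % (STREAM_NS, TLS_NS)
)
FEATURES_OPTIONAL = (
    "<stream:features xmlns:stream='%s'>"
    "<starttls xmlns='%s'/>"
    "</stream:features>" % (STREAM_NS, TLS_NS)
)
FEATURES_NONE = "<stream:features xmlns:stream='%s'/>" % STREAM_NS


def parse_starttls(features_xml):
    """Return (offered, required) for the STARTTLS feature in a
    <stream:features/> element; (False, False) if it is absent."""
    root = ET.fromstring(features_xml)
    starttls = root.find("{%s}starttls" % TLS_NS)
    if starttls is None:
        return (False, False)
    required = starttls.find("{%s}required" % TLS_NS) is not None
    return (True, required)


def tls_decision(features_xml, already_encrypted):
    """Decide what to do with the advertised features.

    already_encrypted is True when the socket was wrapped in TLS up front
    ("Old SSL", legacy port 5223). Returns (action, warning_text)."""
    offered, required = parse_starttls(features_xml)
    if not already_encrypted:
        return ("negotiate_starttls" if offered else "plaintext", None)
    if not offered:
        return ("proceed", None)
    # Pidgin thinks the link is encrypted but the server does not: either a
    # broken server or something in between terminated TLS. Warn the user
    # instead of ignoring it or permanently refusing to connect.
    detail = " as required" if required else ""
    msg = ("Connection is already encrypted but the server advertises "
           "STARTTLS%s; possible misconfigured server or TLS-terminating "
           "proxy (MITM)." % detail)
    return ("warn", msg)
```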