[Pidgin] #7367: "Old SSL" for XMPP doesn't work

Pidgin trac at pidgin.im
Wed Aug 26 02:46:48 EDT 2009


#7367: "Old SSL" for XMPP doesn't work
--------------------+-------------------------------------------------------
 Reporter:  Lam     |        Owner:  deryni
     Type:  defect  |       Status:  new   
Milestone:  2.6.2   |    Component:  XMPP  
  Version:  2.5.2   |   Resolution:        
 Keywords:          |  
--------------------+-------------------------------------------------------

Comment(by darkrain42):

 Replying to [comment:9 deryni]:
 > Yeah, I'm not sure what I was thinking about exactly. So I think we can
 > ignore it. =)
 >
 > I'm not sure we can correctly handle this case at all though. If we fail
 > a connection when we are already encrypted and see
 > <starttls><required/></starttls> we will permanently break connections to
 > any broken servers which offer starttls over an encrypted connection

 That's broken as-is, right? This would be no worse (and could offer a
 decent error message as to why the connection isn't ever going to work).

 > and we can never be certain if the connection to the actual server is
 > encrypted (as opposed to a local proxy of some sort) so we can't safely
 > ignore starttls (required or not).

 This should still present a certificate mismatch warning, unless the
 enterprise proxying the connection also installs their own CA and adds it
 to our trust store and signs a cert for, e.g., gmail.com (That's
 particularly evil). There's no way to know that's ever ''not'' the case,
 though. The best we can tell is that Pidgin thinks the connection is
 encrypted and the server strangely doesn't. Perhaps we should throw up a
 warning prompt about a possible MITM?

 If we can't pay attention to starttls and fail the connection and we can't
 safely ignore starttls, what are you suggesting we do? :-)

-- 
Ticket URL: <http://developer.pidgin.im/ticket/7367#comment:10>
Pidgin <http://pidgin.im>
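The decision the two developers are debating (what a client should do when it already has a TLS socket, "old SSL" style, and the server nevertheless advertises `<starttls/>`, possibly with `<required/>`) can be written down as a small policy function. The following is an added example for this thread, not Pidgin's code; it uses the real XMPP namespaces from RFC 6120 (`urn:ietf:params:xml:ns:xmpp-tls`, `http://etherx.jabber.org/streams`), and the stream-features samples and the `Action` names are constructed for illustration. It takes darkrain42's suggestion literally: a STARTTLS offer on an already-encrypted transport is not silently ignored and not treated as a fatal protocol error, but surfaced as a possible misconfiguration or interception warning with an explanatory message.

```python
import xml.etree.ElementTree as ET
from enum import Enum

# Real namespaces from RFC 6120 (XMPP core).
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"


class Action(Enum):
    """Hypothetical client decisions for a received <stream:features/>."""
    NEGOTIATE_STARTTLS = "negotiate_starttls"  # plain socket, server offers STARTTLS
    CONTINUE_PLAINTEXT = "continue_plaintext"  # plain socket, no STARTTLS offered
    CONTINUE_ENCRYPTED = "continue_encrypted"  # old-SSL socket, features look sane
    WARN_POSSIBLE_MITM = "warn_possible_mitm"  # old-SSL socket, yet STARTTLS advertised
    FAIL_TLS_REQUIRED = "fail_tls_required"    # plain socket, TLS required, none available


def parse_starttls(features_xml):
    """Return (offered, required) for the <starttls/> child of <stream:features/>."""
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{STREAM_NS}}}features":
        raise ValueError("not a <stream:features/> element")
    starttls = root.find(f"{{{TLS_NS}}}starttls")
    if starttls is None:
        return (False, False)
    required = starttls.find(f"{{{TLS_NS}}}required") is not None
    return (True, required)


def decide(features_xml, transport_encrypted, tls_available=True):
    """Pick an Action given the features and whether the socket is already TLS.

    transport_encrypted: True when the client connected "old SSL" style
    (TLS before any XML was exchanged), False for a plain TCP connection.
    """
    offered, required = parse_starttls(features_xml)
    if transport_encrypted:
        # A server that speaks TLS directly has no business offering STARTTLS.
        # Either it is misconfigured, or something between us and it is
        # terminating TLS and relaying plaintext. Warn rather than guess.
        return Action.WARN_POSSIBLE_MITM if offered else Action.CONTINUE_ENCRYPTED
    if offered and tls_available:
        return Action.NEGOTIATE_STARTTLS
    if required:
        return Action.FAIL_TLS_REQUIRED
    return Action.CONTINUE_PLAINTEXT


def explain(action):
    """Human-readable text a client could show for each decision."""
    return {
        Action.NEGOTIATE_STARTTLS: "Upgrading the connection with STARTTLS.",
        Action.CONTINUE_PLAINTEXT: "Server did not offer STARTTLS; continuing unencrypted.",
        Action.CONTINUE_ENCRYPTED: "Connection is already encrypted.",
        Action.WARN_POSSIBLE_MITM: (
            "This connection is already encrypted, but the server still "
            "advertises STARTTLS. The server may be misconfigured, or a proxy "
            "may be intercepting the connection."
        ),
        Action.FAIL_TLS_REQUIRED: "Server requires TLS but it is not available.",
    }[action]


# Constructed sample <stream:features/> payloads (not captured traffic).
FEATURES_STARTTLS_REQUIRED = (
    f'<stream:features xmlns:stream="{STREAM_NS}">'
    f'<starttls xmlns="{TLS_NS}"><required/></starttls>'
    '</stream:features>'
)
FEATURES_STARTTLS_OPTIONAL = (
    f'<stream:features xmlns:stream="{STREAM_NS}">'
    f'<starttls xmlns="{TLS_NS}"/>'
    '</stream:features>'
)
FEATURES_NO_STARTTLS = (
    f'<stream:features xmlns:stream="{STREAM_NS}">'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
    '<mechanism>PLAIN</mechanism></mechanisms>'
    '</stream:features>'
)

if __name__ == "__main__":
    for name, xml in [("required", FEATURES_STARTTLS_REQUIRED),
                      ("optional", FEATURES_STARTTLS_OPTIONAL),
                      ("none", FEATURES_NO_STARTTLS)]:
        for encrypted in (False, True):
            action = decide(xml, transport_encrypted=encrypted)
            print(f"{name:9s} encrypted={encrypted!s:5s} -> {action.value}: {explain(action)}")
```

The "broken servers" deryni mentions (those that offer STARTTLS on an already-TLS port) end up in the `WARN_POSSIBLE_MITM` branch: the session is not refused outright, but the user sees why the situation is odd. A client that wants the stricter policy can map that branch to a hard failure in one place.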