[Pidgin] #11142: AOL not logging in with upgrade to 2.6.5 from 2.6.4
Pidgin
trac at pidgin.im
Wed Jan 13 05:37:23 EST 2010
#11142: AOL not logging in with upgrade to 2.6.5 from 2.6.4
----------------------+-----------------------------------------------------
 Reporter:  dburkard  |        Owner:  rekkanoryo
     Type:  defect    |       Status:  new
Milestone:            |    Component:  unclassified
  Version:  2.6.5     |   Resolution:
 Keywords:            |
----------------------+-----------------------------------------------------
Changes (by MarkDoliner):
* cc: pva (removed)
Comment:
I'm not sure what the best fix is here. The error AOL is giving us is
"useTLS=1 is not allowed for non secure requests." Which is reasonable--
we probably shouldn't be requesting a secure session by making a request
to '''http'''://api.oscar.aol.com/aim/startOSCARSession.

Their documentation
(http://dev.aol.com/aim/web/serverapi_reference#startOSCARSession) does
list useTLS, but doesn't mention using https. So their documentation
doesn't quite jibe with this recent change in server behavior.

If I try making the request over https I get the error
"<statusCode>401</statusCode><statusText>Authentication Required. statusDetailCode 1014</statusText><statusDetailCode>1014</statusDetailCode>"

More importantly, what's the best fix?

I'm pretty confident we could just make that request over http and get rid
of the useTLS=1 parameter and stop looking for their certificate in the
response and things would work. But I believe that would allow for a
man-in-the-middle attack.

Probably we should make this change to get things working in trunk, and
contact AOL to find out what we need to do to use useTLS=1.
--
Ticket URL: <http://developer.pidgin.im/ticket/11142#comment:9>
Pidgin <http://pidgin.im>
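
An added example (not part of the ticket and not Pidgin's code): a hypothetical client-side policy in Python for the trade-off discussed in the comment above, where sending the session request without useTLS=1 is an explicit opt-in rather than a silent fallback. The function names, the allow_plaintext switch and the reduced query strings of the sample URLs are assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample URLs: host and path are from the ticket, the query
# strings are cut down to the single parameter the ticket discusses.
HTTP_TLS = "http://api.oscar.aol.com/aim/startOSCARSession?useTLS=1"
HTTP_PLAIN = "http://api.oscar.aol.com/aim/startOSCARSession"
HTTPS_TLS = "https://api.oscar.aol.com/aim/startOSCARSession?useTLS=1"


def classify(url):
    """Classify a session request by its transport and useTLS parameter."""
    parts = urlsplit(url)  # urlsplit returns the scheme in lower case
    # Treat the request as asking for TLS if any useTLS value is "1".
    wants_tls = "1" in parse_qs(parts.query).get("useTLS", [])
    if wants_tls and parts.scheme == "https":
        return "secure"
    if wants_tls:
        return "mismatch"  # secure session requested over cleartext HTTP
    return "plaintext"


def may_send(url, allow_plaintext=False):
    """Hypothetical fail-closed policy: return (allowed, reason)."""
    kind = classify(url)
    if kind == "secure":
        return True, "useTLS=1 sent over https"
    if kind == "mismatch":
        return False, "useTLS=1 sent over http"
    if allow_plaintext:
        return True, "plaintext session explicitly allowed"
    return False, "plaintext session refused: no TLS, no certificate check"


if __name__ == "__main__":
    for sample in (HTTP_TLS, HTTP_PLAIN, HTTPS_TLS):
        print(classify(sample), may_send(sample), sample)
```

The classification covers only the request a client is about to send; it says nothing about whether the server accepts it.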