[Pidgin] #14774: Pidgin verifies the wrong component of a SSL-certificate

Pidgin trac at pidgin.im
Tue Nov 29 01:08:01 EST 2011

#14774: Pidgin verifies the wrong component of a SSL-certificate
 Reporter:  klaernie  |        Owner:  rekkanoryo
     Type:  defect    |       Status:  closed    
Milestone:            |    Component:  XMPP      
  Version:  2.10.0    |   Resolution:  invalid   
 Keywords:            |  
Changes (by darkrain42):

  * status:  new => closed
  * resolution:  => invalid
  * component:  unclassified => XMPP


 No, Pidgin is not misbehaving.  The XMPP protocol is particularly designed
 to be paranoid, and the client is expected to validate the certificate
 against the domain-part provided *by the user* (or, in the case where a
 user explicitly specifies a server to connect to, that), not the result of
 the XMPP SRV lookup.

 Think of it this way.  If you're in a coffee shop on an open wifi, and
 your client automatically connects to example.com, the first thing it does
 is issue a SRV request for _xmpp-client._tcp.example.com.  If my laptop
 responds more quickly than another DNS (it's powered by coffee, after
 all), or the coffee shop is malicious and feeds you "evil.mydomain.org",
 you don't want your client to validate that, when it connects to
 "evil.mydomain.org", it receives a valid cert for "evil.mydomain.org" --
 you really really really really want it to validate that the cert is for

 If I've misunderstood what's going on here, perhaps a more concrete
 example (debug log, hint hint) would be beneficial.

Ticket URL: <http://developer.pidgin.im/ticket/14774#comment:1>
Pidgin <http://pidgin.im>

More information about the Tracker mailing list