[Pidgin] #14774: Pidgin verifies the wrong component of a SSL-certificate
Pidgin
trac at pidgin.im
Tue Nov 29 01:08:01 EST 2011
#14774: Pidgin verifies the wrong component of a SSL-certificate
----------------------+-----------------------------------------------------
Reporter: klaernie | Owner: rekkanoryo
Type: defect | Status: closed
Milestone: | Component: XMPP
Version: 2.10.0 | Resolution: invalid
Keywords: |
----------------------+-----------------------------------------------------
Changes (by darkrain42):
* status: new => closed
* resolution: => invalid
* component: unclassified => XMPP
Comment:

No, Pidgin is not misbehaving. The XMPP protocol is particularly designed
to be paranoid, and the client is expected to validate the certificate
against the domain-part provided *by the user* (or, in the case where a
user explicitly specifies a server to connect to, that), not the result of
the XMPP SRV lookup.

Think of it this way. If you're in a coffee shop on an open wifi, and
your client automatically connects to example.com, the first thing it does
is issue a SRV request for _xmpp-client._tcp.example.com. If my laptop
responds more quickly than another DNS (it's powered by coffee, after
all), or the coffee shop is malicious and feeds you "evil.mydomain.org",
you don't want your client to validate that, when it connects to
"evil.mydomain.org", it receives a valid cert for "evil.mydomain.org" --
you really really really really want it to validate that the cert is for
example.com.

If I've misunderstood what's going on here, perhaps a more concrete
example (debug log, hint hint) would be beneficial.
--
Ticket URL: <http://developer.pidgin.im/ticket/14774#comment:1>
Pidgin <http://pidgin.im>
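
The rule in the comment above, as an added example (not Pidgin's code and not part of the original ticket): the SRV answer only decides where to connect, while the name checked against the certificate comes from the user's JID or explicitly configured server. The helper names, the JID alice@example.com and the certificate name lists are constructed for illustration, and the name matching is deliberately simplified.

```python
# Added illustration; helper names and sample data are constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SrvAnswer:
    """Result of an unauthenticated DNS SRV lookup: attacker-influenceable."""
    target: str
    port: int


def reference_identity(jid: str, connect_server: Optional[str] = None) -> str:
    """Name the certificate must cover: user input only, never DNS output."""
    if connect_server:  # the user explicitly chose a server to connect to
        return connect_server.rstrip(".").lower()
    domain = jid.split("/", 1)[0].split("@", 1)[-1]  # drop resource, then local part
    return domain.rstrip(".").lower()


def name_matches(pattern: str, reference: str) -> bool:
    """Simplified DNS name match; wildcard allowed only as the whole left-most label."""
    p = pattern.rstrip(".").lower().split(".")
    r = reference.rstrip(".").lower().split(".")
    if len(p) != len(r):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == r[1:]
    return p == r


def tls_decision(jid: str, srv: SrvAnswer, cert_dns_names: List[str],
                 connect_server: Optional[str] = None) -> Tuple[str, str, bool]:
    """Return (host to dial, name to verify, accept certificate?)."""
    reference = reference_identity(jid, connect_server)
    dial = connect_server or srv.target  # DNS output may steer the socket only
    accept = any(name_matches(n, reference) for n in cert_dns_names)
    return dial, reference, accept


def srv_target_check(srv: SrvAnswer, cert_dns_names: List[str]) -> bool:
    """The check the comment warns against: trusting the name DNS handed back."""
    return any(name_matches(n, srv.target) for n in cert_dns_names)


if __name__ == "__main__":
    spoofed = SrvAnswer("evil.mydomain.org.", 5222)  # constructed forged answer
    names = ["evil.mydomain.org"]                    # valid cert, wrong party
    print(tls_decision("alice@example.com", spoofed, names))  # accept is False
    print(srv_target_check(spoofed, names))                   # True: wrongly accepted
```

With Python's `ssl` module the same split is made by opening the TCP connection to the SRV target while passing the JID domain as `server_hostname` to `SSLContext.wrap_socket`.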