[Pidgin] #15239: XMPP: Check id-on-xmppAddr and/or id-on-dnsSRV Subject Alt Names for certs
Pidgin
trac at pidgin.im
Tue Jul 31 17:15:48 EDT 2012
#15239: XMPP: Check id-on-xmppAddr and/or id-on-dnsSRV Subject Alt Names for certs
-------------------------+--------------------------------------------------
Reporter: hildjj | Owner: deryni
Type: enhancement | Status: new
Component: XMPP | Version: 2.10.6
Keywords: |
-------------------------+--------------------------------------------------
'''Summary'''
According to RFC 6120, section 13.7.2 (http://goo.gl/3oHjq), the client
should check more than just the subject of the certificate to see if there
is a name match. In particular, the Subject Alternative Names for
id-on-xmppAddr and/or id-on-dnsSRV should also be checked for a match with
the domain name that the user entered.
Note: This SHOULD NOT be checking the "Connect Server" for a match, but
the portion after the @ in the user's Jabber ID.
'''Steps to reproduce'''
Connect to a server using SSL or TLS with a cert whose subject does not
match, but which contains a proper Subject Alternative Name, where the
cert is chained back to a trusted CA.
See the scary popup warning about the name mismatch
Click trust
'''Expected results'''
Login happens without security prompt.
'''Actual results'''
Scary security prompt.
'''Regression'''
N/A.
'''Note:'''
Duplicate of Adium 16079 (http://trac.adium.im/ticket/16079), but in
Adium, this code path is handled in an OSX-specific way.
--
Ticket URL: <http://developer.pidgin.im/ticket/15239>
Pidgin <http://pidgin.im>
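
The name check the ticket asks for, as an added example (not Pidgin's code and not part of the original ticket). It assumes the TLS library has already validated the chain and decoded the Subject Alternative Names into the hypothetical `san_entry` struct, and that the JID domain is in ASCII (A-label) form; the sample entries are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum san_kind { SAN_DNS_NAME, SAN_XMPP_ADDR, SAN_SRV_NAME };
struct san_entry { enum san_kind kind; const char *value; }; /* hypothetical decoded SAN */

/* Constructed sample: SANs of a cert whose subject names only the hosting provider. */
static const struct san_entry sample_sans[] = {
    { SAN_DNS_NAME,  "*.hosting.example.net" },
    { SAN_XMPP_ADDR, "example.com" },              /* id-on-xmppAddr */
    { SAN_SRV_NAME,  "_xmpp-client.example.org" }, /* id-on-dnsSRV */
    { SAN_SRV_NAME,  "_xmpp-server.example.io" },  /* wrong service for a client */
};
#define SAMPLE_COUNT (sizeof sample_sans / sizeof sample_sans[0])

/* dNSName match: "*." is accepted only as the complete left-most label
 * and stands for exactly one label of the domain. */
static int dns_match(const char *pattern, const char *domain)
{
    if (strncmp(pattern, "*.", 2) == 0) {
        const char *dot = strchr(domain, '.');
        return dot != NULL && dot != domain && strcasecmp(pattern + 1, dot) == 0;
    }
    return strcasecmp(pattern, domain) == 0;
}

/* Returns 1 if any SAN identifies jid_domain (the part of the JID after
 * '@'), else 0. The "Connect Server" setting is deliberately never used. */
int xmpp_cert_matches(const struct san_entry *sans, size_t n, const char *jid_domain)
{
    static const char srv[] = "_xmpp-client.";
    size_t i, plen = sizeof srv - 1;

    for (i = 0; i < n; i++) {
        const char *v = sans[i].value;
        int hit = 0;
        switch (sans[i].kind) {
        case SAN_DNS_NAME:  hit = dns_match(v, jid_domain); break;
        case SAN_XMPP_ADDR: hit = strcasecmp(v, jid_domain) == 0; break; /* exact here */
        case SAN_SRV_NAME:  hit = strncasecmp(v, srv, plen) == 0 &&
                                  strcasecmp(v + plen, jid_domain) == 0; break;
        }
        if (hit) return 1;
    }
    return 0;
}

int main(void)
{
    printf("example.com -> %d\n", xmpp_cert_matches(sample_sans, SAMPLE_COUNT, "example.com"));
    return 0;
}
```

A caller would fall back to the mismatch prompt only when this returns 0 for the JID domain.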