[Pidgin] #15111: Fallback to jid server fails when hitting an SSL cert mismatch with connect server address
Pidgin
trac at pidgin.im
Sat May 12 00:05:20 EDT 2012
#15111: Fallback to jid server fails when hitting an SSL cert mismatch with connect
server address
----------------------------+-----------------------------------------------
Reporter: rubin110 | Owner: deryni
Type: defect | Status: new
Component: XMPP | Version: 2.10.4
Keywords: xmpp, ssl, tls |
----------------------------+-----------------------------------------------
Steps to reproduce:
1. Install Pidgin
2. Register a Google account
3. Open Pidgin
4. Add a new account with the following details
'''Basic tab'''
Protocol: XMPP
Username: yourusername
Domain: gmail.com
'''Advanced tab'''
Connect server: talk.google.com
5. Connect
6. Observe
Expected results:
XMPP connection is initiated, TLS handshake is completed, user is
authenticated and connected
Actual results:
XMPP connection is initiated, TLS handshake fails due to SSL cert mismatch
on the domain: talk.google.com provides an SSL cert for gmail.com and
Pidgin is expecting a cert for talk.google.com. Pidgin throws up an error
detailing the mismatch and provides the user with options on accepting the
invalid cert or rejecting it.
Notes:
So before anyone pops up and says "clear out the Connect server field to
correct the issue", the reason why I'm populating it is to get around the
issue where under Tor one can't make SRV lookups successfully. Using
talk.google.com in the Connect server field is the only way someone can
connect to Google as an XMPP service provider. And yes, I know folks will
say this is a Tor bug.
After reading #6516 it sounded like the general idea was to verify the
cert against the Connect server host address (if one is provided) then
fall back onto the Domain host (jid server) if verification fails with the
Connect server host address. I see this currently as a defect of Pidgin
which should be addressed.
Here's a link to the Tor trac where I've outlined a more in-depth use case
and what's happening within Pidgin.
https://trac.torproject.org/projects/tor/ticket/1676#comment:41
Thanks.
--
Ticket URL: <http://developer.pidgin.im/ticket/15111>
Pidgin <http://pidgin.im>
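
The check order described in the ticket's notes (Connect server host first, then the JID domain), as an added example that is not part of the original ticket or Pidgin's own code. The function names and the certificate name lists are hypothetical and constructed for illustration; the model runs offline on a list of DNS names taken from a certificate.

```python
# Added example: models the name-check order the ticket asks for.
# Certificate name lists passed in are constructed sample data.

def _name_matches(presented: str, reference: str) -> bool:
    """Compare one DNS name from a certificate with a reference host.

    A wildcard is honoured only as the entire left-most label and only
    when at least two fixed labels follow it, so "*.com" never matches.
    """
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if len(p) != len(r) or not all(r):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == r[1:]
    return p == r


def verify_peer_name(cert_dns_names, connect_server, jid_domain):
    """Return the reference identity the certificate matched, or None.

    Order follows the ticket: the Connect server host is tried first
    (when the user filled it in), then the JID domain as a fallback.
    Both values are ones the user typed into the account settings.
    """
    for reference in (connect_server, jid_domain):
        if not reference:
            continue  # empty Connect server field: skip straight to the JID domain
        if any(_name_matches(name, reference) for name in cert_dns_names):
            return reference
    return None


if __name__ == "__main__":
    # The case from the ticket: server reached at talk.google.com
    # presents a certificate naming gmail.com (constructed name list).
    matched = verify_peer_name(["gmail.com"], "talk.google.com", "gmail.com")
    print("matched reference identity:", matched)
    # A certificate naming neither host must still be rejected.
    print("unrelated cert:", verify_peer_name(["example.net"],
                                              "talk.google.com", "gmail.com"))
```

Only hosts the user entered are treated as reference identities here; a target name learned from an unauthenticated SRV lookup would not belong in that list.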