[Bug 640018] Re: empathy throws untrusted certificate warning on google chat services using google apps (non-google domains)

Alex Wauck 640018 at bugs.launchpad.net
Sun Jan 23 19:22:39 UTC 2011


Bah!  Take a look at item 8 in section 5.1 of the XMPP spec (http://xmpp.org/rfcs/rfc3920.html#tls):
"Certificates MUST be checked against the hostname as provided by the initiating entity (e.g., a user), not the hostname as resolved via the Domain Name System; e.g., if the user specifies a hostname of "example.com" but a DNS SRV (Gulbrandsen, A., Vixie, P., and L. Esibov, “A DNS RR for specifying the location of services (DNS SRV),” February 2000.) [SRV] lookup returned "im.example.com", the certificate MUST be checked as "example.com". If a JID for any kind of XMPP entity (e.g., client or server) is represented in a certificate, it MUST be represented as a UTF8String within an otherName entity inside the subjectAltName, using the [ASN.1] (CCITT, “Recommendation X.208: Specification of Abstract Syntax Notation One (ASN.1),” 1988.) Object Identifier "id-on-xmppAddr" specified in Section 5.1.1 (ASN.1 Object Identifier for XMPP Address) of this document."

In other words, when Empathy/Telepathy attempts to connect as
user at gappdomain.com, it is right to check for a certificate for
gappdomain.com instead of talk.google.com.

So, the real question here is this: should Empathy/Telepathy bend the
rules here?  I think it would be reasonable to accept a certificate for
the domain specified in the Jabber ID _OR_ the server we are actually
connecting to.

-- 
You received this bug notification because you are a member of
Telepathy, which is subscribed to empathy in ubuntu.
https://bugs.launchpad.net/bugs/640018

Title:
  empathy throws untrusted certificate warning on google chat services
  using google apps (non-google domains)

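The two checks discussed in the message, the strict RFC 3920 rule (verify the certificate against the domain the user typed, never against the SRV-resolved host) and the relaxed rule proposed above (accept either the JID domain or the host actually connected to), as an added example that is not Empathy or Telepathy code. The certificate is modelled only by its subjectAltName entries, and the sample names (a Google Talk certificate for talk.google.com, a user at gappdomain.com) are constructed from the scenario in the thread; a real client would take these names from the parsed X.509 certificate presented during the TLS handshake.

```python
"""XMPP server-certificate name checks, after RFC 3920 section 5.1 item 8.

Added example, not Empathy/Telepathy code.  A certificate is represented
only by the names it asserts in subjectAltName: dNSName entries and
id-on-xmppAddr otherName entries.  Sample data below is constructed.
"""
from dataclasses import dataclass, field
from typing import List

# Object identifier for id-on-xmppAddr (RFC 3920 section 5.1.1); shown for
# reference, since a real parser would select otherName entries by this OID.
ID_ON_XMPP_ADDR = "1.3.6.1.5.5.7.8.5"


@dataclass
class CertNames:
    """The subjectAltName contents of one server certificate."""
    dns_names: List[str] = field(default_factory=list)   # dNSName entries
    xmpp_addrs: List[str] = field(default_factory=list)  # xmppAddr otherName entries


def _norm(name: str) -> str:
    """Lower-case and drop a trailing dot so comparisons are case-insensitive."""
    return name.lower().rstrip(".")


def _dns_match(pattern: str, host: str) -> bool:
    """dNSName match; a leading '*.' wildcard covers exactly one label."""
    pattern, host = _norm(pattern), _norm(host)
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def cert_matches_domain(names: CertNames, domain: str) -> bool:
    """True if the certificate is valid for `domain` via a dNSName SAN or an
    xmppAddr SAN naming that domain exactly."""
    if any(_dns_match(p, domain) for p in names.dns_names):
        return True
    return any(_norm(a) == _norm(domain) for a in names.xmpp_addrs)


def strict_check(names: CertNames, jid_domain: str, srv_target: str) -> bool:
    """RFC 3920 rule: only the user-supplied domain counts; the SRV target is
    ignored.  This is the behaviour that produces the warning in the report."""
    return cert_matches_domain(names, jid_domain)


def relaxed_check(names: CertNames, jid_domain: str, srv_target: str) -> bool:
    """Relaxation proposed in the message: accept the JID domain OR the host
    the client actually connected to after SRV resolution."""
    return cert_matches_domain(names, jid_domain) or cert_matches_domain(names, srv_target)


def evaluate_scenario() -> dict:
    """Run both rules over the constructed Google Apps scenario."""
    # Constructed: a talk.google.com certificate that does not mention the
    # customer's domain, which is the situation the bug report describes.
    gtalk_cert = CertNames(dns_names=["talk.google.com", "*.google.com"])
    jid_domain, srv_target = "gappdomain.com", "talk.google.com"
    return {
        "strict": strict_check(gtalk_cert, jid_domain, srv_target),    # False -> warning
        "relaxed": relaxed_check(gtalk_cert, jid_domain, srv_target),  # True  -> accepted
    }


if __name__ == "__main__":
    for rule, accepted in evaluate_scenario().items():
        print(f"{rule:8s} rule: certificate {'accepted' if accepted else 'rejected'}")
```

The strict rule rejects the talk.google.com certificate for a gappdomain.com JID, which is exactly the warning the bug report is about; the relaxed rule accepts it. The trade-off is that the relaxed rule lets the unauthenticated DNS SRV answer decide which host's certificate is acceptable, which is what the RFC wording is there to prevent, so a client adopting it should at least surface the resolved host to the user when it differs from the JID domain.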