From: SourceForge.net <no...@so...> - 2010-02-12 08:12:37
|
Bugs item #2950401, was opened at 2010-02-12 08:12 Message generated for change (Tracker Item Submitted) made by nobody You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=586350&aid=2950401&group_id=88346 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Connectivity Group: v0.8.0 Status: Open Resolution: None Priority: 5 Private: No Submitted By: Nobody/Anonymous (nobody) Assigned to: Nobody/Anonymous (nobody) Summary: Invalid TLS certificate checking Initial Comment: Debian bug report (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=569338): when connecting via TLS, jabber.el does not check for the correct CN in the certificate: Jabber-ID: bo...@ex.../Emacs DNS: _xmpp-client._tcp.example.com IN SRV 50 50 5022 jabber.example.org. jabber.el now looks up the SRV entry and connects to jabber.example.org. It then expects the certificate's CN to match "jabber.example.org", but it should expect "example.com" as documented in RFC 3920: Certificates MUST be checked against the hostname as provided by the initiating entity (e.g., a user), not the hostname as resolved via the Domain Name System; e.g., if the user specifies a hostname of "example.com" but a DNS SRV lookup returned "im.example.com", the certificate MUST be checked as "example.com". -- http://xmpp.org/rfcs/rfc3920.html#tls, 8. ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=586350&aid=2950401&group_id=88346 |