From: SourceForge.net <no...@so...> - 2013-01-14 01:21:21
Bugs item #2950401, was opened at 2010-02-12 00:12
Message generated for change (Comment added) made by legoscia
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=586350&aid=2950401&group_id=88346

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.

Category: Connectivity
Group: Git
>Status: Closed
>Resolution: Fixed
Priority: 5
Private: No
Submitted By: Nobody/Anonymous (nobody)
Assigned to: Nobody/Anonymous (nobody)
Summary: Invalid TLS certificate checking

Initial Comment:
Debian bug report (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=569338):

when connecting via TLS, jabber.el does not check for the correct CN in the certificate:

Jabber-ID: bo...@ex.../Emacs
DNS: _xmpp-client._tcp.example.com IN SRV 50 50 5022 jabber.example.org.

jabber.el now looks up the SRV entry and connects to jabber.example.org. It then expects the certificate's CN to match "jabber.example.org", but it should expect "example.com" as documented in RFC 3920:

    Certificates MUST be checked against the hostname as provided by the
    initiating entity (e.g., a user), not the hostname as resolved via the
    Domain Name System; e.g., if the user specifies a hostname of
    "example.com" but a DNS SRV lookup returned "im.example.com", the
    certificate MUST be checked as "example.com".

    -- http://xmpp.org/rfcs/rfc3920.html#tls, 8.

----------------------------------------------------------------------

>Comment By: Magnus Henoch (legoscia)
Date: 2013-01-13 17:21

Message:
This is fixed with the new "native" TLS connection feature; see jabber-starttls-process-input in jabber-conn.el.

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=586350&aid=2950401&group_id=88346
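An added Python illustration of the check the report asks for (it is not jabber.el's code): the reference identity for the certificate is the domain part of the user's JID, and the SRV target is used only to open the connection. The JID, SRV target and certificate names below are constructed, and the wildcard handling is a simplified version of the usual matching rules.

```python
"""Reference identity for XMPP TLS certificate checks.

The SRV answer is unauthenticated, so a client must verify the server
certificate against the domain the user typed (the JID's domain part),
never against the host name the SRV lookup resolved to.
"""


def jid_domain(jid: str) -> str:
    """Return the domain part of a bare or full JID (user@domain/resource)."""
    after_at = jid.split("@", 1)[-1]          # drop the localpart if present
    return after_at.split("/", 1)[0].lower()  # drop the resource if present


def reference_identity(jid: str, srv_target: str) -> str:
    """The name the certificate MUST be checked against.

    srv_target is taken only to make the point visible: it is where we
    connect, but it plays no part in choosing the name to verify.
    """
    del srv_target
    return jid_domain(jid)


def _name_matches(presented: str, reference: str) -> bool:
    """One presented DNS name against the reference: exact match, or a
    single leading '*' that covers exactly one label (simplified rule)."""
    presented, reference = presented.lower(), reference.lower()
    if presented == reference:
        return True
    if not presented.startswith("*.") or "*" in presented[1:]:
        return False
    p_labels, r_labels = presented.split("."), reference.split(".")
    return len(p_labels) == len(r_labels) >= 3 and p_labels[1:] == r_labels[1:]


def cert_matches(reference: str, san_dns: list, cn: str = "") -> bool:
    """True if any subjectAltName dNSName matches; the CN is consulted
    only when the certificate carries no dNSName entries at all."""
    presented = san_dns if san_dns else ([cn] if cn else [])
    return any(_name_matches(p, reference) for p in presented)


def accept_connection(jid: str, srv_target: str, san_dns: list, cn: str = "") -> bool:
    """The decision a client should make: verify against the JID domain."""
    return cert_matches(reference_identity(jid, srv_target), san_dns, cn)


# Constructed sample: the JID's domain is example.com, SRV points elsewhere.
SAMPLE_JID = "bob@example.com/Emacs"
SAMPLE_SRV_TARGET = "jabber.example.org"
```

With these inputs a certificate naming only jabber.example.org is rejected, while one naming example.com is accepted, which is exactly the distinction the RFC text quoted above draws.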