[Adium-devl] Ticket #8787 (XMPP cert checking)

[Andreas Monitzer]

On Jan 09, 2008, at 21:32, Chris Forsythe wrote:

> The majority of users (those who reported in) use gtalk, so we really
> do need a nonsucky solution for them or we're going to continually
> see bug reports on this.

The way I fixed #8787 is this:
* When the user enters a JID but no hostname, an SRV lookup is done  
and Adium connects to the host provided by the SRV result, but the  
certificate is still checked against the host-part of the JID.
* When the user enters a JID and a hostname, Adium connects to that  
hostname (using the A record only), and checks the certificate against  
the hostname provided by the user, ignoring the JID.

This is how I understood the RFC.

The gtalk-users aren't using the XMPP service, but the gtalk service.  
We can force the hostname to be talk.google.com for that kind of  
server (it's probably already done that way). If we use this for  
Google for domains, too (this has to be verified! There were some  
issues with that approach IIRC), there shouldn't be a problem with  
gtalk at least.

On Jan 09, 2008, at 19:28, Peter Saint-Andre wrote:

> 2. If the server presents a certificate for a hostname other than  
> the account domain, prompt the user to do one of the following:
>
>   a. cancel the connection
>   b. accept the certificate for this session, then connect
>   c. accept the certificate permanently, then connect

Apple's trust sheet only allows two options (with a non-functional  
checkbox for "always allow this certificate" [1]). Right now, only a  
and b are implemented. I'm thinking of moving this to a and c.

andy

[1] The checkbox isn't really non-functional, it just doesn't do what  
the user expects: Even when the certificate is marked as trusted, the  
CN is still checked and this might cause the trust to fail.