Opened 7 years ago

#15111 new defect

Fallback to jid server fails when hitting an SSL cert mismatch with connect server address

Reported by: rubin110 Owned by: deryni
Milestone: Component: XMPP
Version: 2.10.4 Keywords: xmpp, ssl, tls
Cc:

Description

Steps to reproduce:

  1. Install Pidgin
  2. Register a Google account
  3. Open Pidgin
  4. Add a new account with the following details:
     - Basic tab: Protocol: XMPP; Username: yourusername; Domain: gmail.com
     - Advanced tab: Connect server: talk.google.com
  5. Connect
  6. Observe

Expected results: XMPP connection is initiated, TLS handshake is completed, user is authenticated and connected

Actual results: XMPP connection is initiated, but the TLS handshake fails due to an SSL cert mismatch on the domain: talk.google.com provides an SSL cert for gmail.com while Pidgin is expecting a cert for talk.google.com. Pidgin throws up an error detailing the mismatch and provides the user with options to accept the invalid cert or reject it.

Notes: So before anyone pops up and says "clear out the Connect server field to correct the issue", the reason why I'm populating it is to get around the issue where under Tor one can't make SRV lookups successfully. Using talk.google.com in the Connect server field is the only way someone can connect to Google as an XMPP service provider. And yes, I know folks will say this is a Tor bug.

After reading #6516 it sounded like the general idea was to verify the cert against the Connect server host address (if one is provided) then fall back onto the Domain host (jid server) if verification fails with the Connect server host address. I see this currently as a defect of Pidgin which should be addressed.

Here's a link to the Tor trac where I've outlined a more in depth use case and what's happening within Pidgin.

https://trac.torproject.org/projects/tor/ticket/1676#comment:41

Thanks.
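The verification policy the reporter describes (check the certificate against the Connect server host first, then fall back to the JID domain) is small enough to show in code. The following is an added example written for this page; it is not Pidgin's code and does not reflect how libpurple implements certificate checks. It models the certificate by its dNSName subject alternative names only, with a constructed SAN list standing in for whatever talk.google.com really serves, and it performs only the name-matching step: chain validation, expiry and revocation checks are assumed to have already passed.

```python
"""
Added example (not Pidgin's code): certificate name matching with a
Connect-server-first, JID-domain-fallback policy, as proposed in the ticket.

Only the name-matching step is modelled. Chain, expiry and revocation
checks are assumed to have been done already by the TLS library.
"""

from typing import Iterable, Optional


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname, RFC 6125 style.

    - comparison is case-insensitive on ASCII labels
    - a wildcard is accepted only as the entire left-most label, so
      "*.example.com" matches "a.example.com" but not "a.b.example.com"
    - a wildcard never matches an empty label and is refused in patterns
      with fewer than three labels (no "*.com")
    """
    pattern_labels = pattern.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(pattern_labels) != len(host_labels) or not all(host_labels):
        return False
    first, *rest = pattern_labels
    if first == "*":
        if len(pattern_labels) < 3:
            return False
        return rest == host_labels[1:]
    return pattern_labels == host_labels


def matched_name(san_dns_names: Iterable[str], hostname: str) -> Optional[str]:
    """Return the SAN entry that covers `hostname`, or None."""
    for pattern in san_dns_names:
        if dns_name_matches(pattern, hostname):
            return pattern
    return None


def verify_with_fallback(san_dns_names: Iterable[str],
                         connect_server: Optional[str],
                         jid_domain: str) -> Optional[str]:
    """Return the identity the certificate was accepted for, or None.

    The Connect server host is tried first (it is what the user typed and
    what the socket was opened to). If no SAN covers it, the JID domain is
    tried: RFC 6120 (section 13.7.2) makes the JID domain the reference
    identity for an XMPP server certificate, so a cert for the JID domain
    is the one the user actually intends to trust. A None result means
    the stream must be refused; it is not a cue to prompt the user to
    accept an unknown certificate.
    """
    sans = list(san_dns_names)
    for candidate in (connect_server, jid_domain):
        if candidate and matched_name(sans, candidate) is not None:
            return candidate
    return None


# Constructed sample SAN list; not the real certificate served by talk.google.com.
SAMPLE_SAN = ["gmail.com", "*.gmail.com"]


def ticket_scenario() -> Optional[str]:
    """The configuration from the ticket: Connect server differs from the JID domain."""
    return verify_with_fallback(SAMPLE_SAN, "talk.google.com", "gmail.com")


if __name__ == "__main__":
    print("accepted for:", ticket_scenario())
    print("wrong domain:", verify_with_fallback(SAMPLE_SAN, "talk.google.com", "example.org"))
```

With the ticket's settings the policy accepts the certificate for gmail.com, which is the domain the user's JID lives in, so the "accept or reject this invalid cert" dialog never appears; with a JID domain the certificate does not cover, the result is a hard failure rather than a prompt, which is the outcome a defender wants from a mismatch.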

Change History (0)
