Opened 7 years ago

#15239 new enhancement

XMPP: Check id-on-xmppAddr and/or id-on-dnsSRV Subject Alt Names for certs

Reported by: hildjj
Owned by: deryni
Milestone:
Component: XMPP
Version: 2.10.6
Keywords:
Cc:

Description

Summary

According to RFC 6120, section 13.7.2 (http://goo.gl/3oHjq), the client should check more than just the subject of the certificate to see if there is a name match. In particular, the Subject Alternative Names for id-on-xmppAddr and/or id-on-dnsSRV should also be checked for a match with the domain name that the user entered.

Note: This SHOULD NOT be checking the "Connect Server" for a match, but the portion after the @ in the user's Jabber ID.

Steps to reproduce

1. Connect to a server using SSL or TLS with a cert whose subject does not match, but which contains a proper Subject Alternative Name, where the cert is chained back to a trusted CA.
2. See the scary popup warning about the name mismatch.
3. Click trust.

Expected results

Login happens without security prompt.

Actual results

Scary security prompt.

Regression

N/A.

Note:

Duplicate of Adium 16079 (http://trac.adium.im/ticket/16079), but in Adium, this code path is handled in an OSX-specific way.
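The matching rule the ticket asks for, as an added example that is not code from the ticket, from Pidgin/libpurple or from Adium. It is written in Python with the standard library only so that the logic is independent of any particular TLS backend. Assumptions: the caller has already extracted the certificate's Subject Alternative Names as (kind, value) pairs, where otherName entries arrive as the type OID plus the DER bytes of the value (either the bare UTF8String/IA5String TLV or the explicit [0] wrapper around it); the OIDs 1.3.6.1.5.5.7.8.5 (id-on-xmppAddr) and 1.3.6.1.5.5.7.8.7 (id-on-dnsSRV) and the `_xmpp-client` SRV service come from RFC 6120 section 13.7.1 and RFC 4985; the wildcard rule follows RFC 6125 section 6.4.3; comparisons are plain ASCII case-insensitive (no IDNA handling). The function names and the sample certificate data are constructed for this example.

```python
from typing import Iterable, List, Optional, Tuple

# otherName type OIDs for the two XMPP identifier types (RFC 6120 13.7.1.2 / RFC 4985).
OID_XMPP_ADDR = "1.3.6.1.5.5.7.8.5"   # id-on-xmppAddr, value is a UTF8String
OID_DNS_SRV = "1.3.6.1.5.5.7.8.7"     # id-on-dnsSRV (SRVName), value is an IA5String

TAG_UTF8STRING = 0x0C
TAG_IA5STRING = 0x16
TAG_EXPLICIT_0 = 0xA0                 # [0] EXPLICIT wrapper used inside OtherName


def _der_read_tlv(der: bytes) -> Tuple[int, bytes]:
    """Decode exactly one DER TLV and return (tag, contents); reject trailing bytes."""
    if len(der) < 2:
        raise ValueError("DER value too short")
    tag, first = der[0], der[1]
    if first < 0x80:                      # short-form length
        length, off = first, 2
    else:                                 # long-form length, 1..4 length octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        length, off = int.from_bytes(der[2:2 + n], "big"), 2 + n
        if length < 0x80:
            raise ValueError("non-minimal DER length")
    if off + length != len(der):
        raise ValueError("DER length does not match value size")
    return tag, der[off:off + length]


def decode_othername(oid: str, der: bytes) -> Tuple[str, str]:
    """Turn an otherName (type OID + DER value) into ('xmppAddr'|'dnsSRV', text)."""
    tag, body = _der_read_tlv(der)
    if tag == TAG_EXPLICIT_0:             # unwrap "value [0] EXPLICIT ANY" if present
        tag, body = _der_read_tlv(body)
    if oid == OID_XMPP_ADDR:
        if tag != TAG_UTF8STRING:
            raise ValueError("id-on-xmppAddr value must be a UTF8String")
        return "xmppAddr", body.decode("utf-8")
    if oid == OID_DNS_SRV:
        if tag != TAG_IA5STRING:
            raise ValueError("id-on-dnsSRV value must be an IA5String")
        return "dnsSRV", body.decode("ascii")
    raise ValueError("unsupported otherName OID %s" % oid)


def jid_domain(jid: str) -> str:
    """Reference identity: the part of the user's JID after '@' (resource stripped)."""
    bare = jid.split("/", 1)[0]
    return bare.rsplit("@", 1)[-1].lower().rstrip(".")


def _dns_id_matches(pattern: str, domain: str) -> bool:
    """DNS-ID / CN-ID comparison with the RFC 6125 single left-most-label wildcard."""
    pattern = pattern.lower().rstrip(".")
    if pattern == domain:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                               # ".example.com"
        prefix = domain[:-len(suffix)] if domain.endswith(suffix) else None
        return bool(prefix) and "." not in prefix          # exactly one label replaced
    return False


def cert_matches_jid(jid: str, sans: Iterable[Tuple[str, str]],
                     subject_cn: Optional[str] = None) -> bool:
    """Does the certificate identify the JID's domain? The connect server is never consulted.

    sans: (kind, value) pairs with kind in {'dns', 'xmppAddr', 'dnsSRV'}.
    Falls back to the subject CN only when the cert carries none of those identifiers.
    """
    domain = jid_domain(jid)
    want_srv = "_xmpp-client." + domain    # client-to-server service per RFC 6120
    saw_san_id = False
    for kind, value in sans:
        if kind == "xmppAddr":
            saw_san_id = True
            if value.lower().rstrip(".") == domain:
                return True
        elif kind == "dnsSRV":
            saw_san_id = True
            if value.lower().rstrip(".") == want_srv:
                return True
        elif kind == "dns":
            saw_san_id = True
            if _dns_id_matches(value, domain):
                return True
    if not saw_san_id and subject_cn is not None:
        return _dns_id_matches(subject_cn, domain)
    return False


if __name__ == "__main__":
    # Constructed sample: the user logs in as juliet@example.com via connect server
    # talk.example.net; the cert's subject names the connect server, the SAN names the JID domain.
    sans: List[Tuple[str, str]] = [
        ("dns", "talk.example.net"),
        decode_othername(OID_XMPP_ADDR, b"\x0c\x0bexample.com"),
        decode_othername(OID_DNS_SRV, b"\x16\x18_xmpp-client.example.com"),
    ]
    print(cert_matches_jid("juliet@example.com/balcony", sans, "talk.example.net"))  # True
    print(cert_matches_jid("juliet@example.com", [("dns", "talk.example.net")], "talk.example.net"))  # False
```

The second call in the demo is the ticket's actual-results case: a certificate that names only the connect server is not a match for the JID's domain, and a certificate whose subject CN matches the connect server but whose SAN carries id-on-xmppAddr or id-on-dnsSRV for the JID domain is, so no prompt is warranted. The CN fallback is deliberately disabled as soon as any DNS-ID, SRV-ID or XmppAddr is present, which is the RFC 6125 behaviour for a client that understands those identifier types.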

Change History (0)
