On 07/10/17 13:15, Ari Pollak wrote:
> Are you sure this isn't intended behavior? Why should pidgin trust the
> hostname on a certificate just because it matches the ID? If anything,
> it seems like having that behavior for a SRV record would be a bug.

I'm pretty sure it's supposed to match the cert to the id.

https://wiki.xmpp.org/web/Securing_XMPP
https://prosody.im/doc/certificates (Which domain? - note the VirtualHosts in prosody are for the domains your ids are in)

The SRV record could be viewed similarly to a CNAME record for a website, where the server may use name-based virtual hosting (with SNI) - the website cert needs to match what the browser asks for in the GET request, and it could have found the IP address from a CNAME chain, or a hosts file entry or anything.

I realise now the title, at least, is decidedly misleading. It should probably say "... checks the certificate against the wrong domain ..."

Richard
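
The check discussed in this message, as an added Python example that is not part of the original e-mail or of Pidgin's code: the certificate's dNSName entries are compared with the domain part of the JID rather than with the SRV target. The JID, SRV target and certificate name lists are constructed sample values, all function names are hypothetical, and only dNSName entries are considered.

```python
# Added illustration. All names and sample values here are constructed.

def jid_domain(jid):
    """Return the domainpart of a JID (localpart@domainpart/resourcepart)."""
    bare = jid.split("/", 1)[0]        # drop the resourcepart first
    domain = bare.split("@", 1)[-1]    # drop the localpart if present
    return domain.rstrip(".").lower()

def dns_name_matches(pattern, hostname):
    """Compare one certificate dNSName with a reference name.

    A '*' is honoured only as the whole left-most label, matches exactly
    one label, and is refused directly under a top-level domain.
    """
    p = pattern.rstrip(".").lower().split(".")
    h = hostname.rstrip(".").lower().split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def verify_against_jid(jid, san_dns_names):
    """Reference identity = the domain the user typed into the account."""
    reference = jid_domain(jid)
    return any(dns_name_matches(n, reference) for n in san_dns_names)

def verify_against_srv_target(srv_target, san_dns_names):
    """Reference identity = whatever name the SRV lookup returned."""
    return any(dns_name_matches(n, srv_target) for n in san_dns_names)

# Constructed scenario: example.org delegates XMPP to a hosting provider.
JID = "alice@example.org/laptop"
SRV_TARGET = "xmpp.hosting.example.net."     # from _xmpp-client._tcp.example.org
CERT_FOR_JID_DOMAIN = ["example.org", "*.example.org"]
CERT_FOR_SRV_TARGET = ["xmpp.hosting.example.net"]

if __name__ == "__main__":
    for label, names in (("cert for JID domain", CERT_FOR_JID_DOMAIN),
                         ("cert for SRV target", CERT_FOR_SRV_TARGET)):
        print(label,
              "| check vs JID domain:", verify_against_jid(JID, names),
              "| check vs SRV target:", verify_against_srv_target(SRV_TARGET, names))
```
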