On 01/23/2011 05:56 PM, Ben Bucksch wrote:
I am trying to implement XMPP, in chrome-JS.

XMPP resolves the server hostname using DNS SRV lookups, so if I want to
get the server for "foo.com", I may end up with e.g. "abcdxmpp.foo.com"
as hostname. The user opened the connection to "foo.com", though, and
the SSL certificate is for "foo.com", not "abcdxmpp.foo.com" (that's how
all the clients apparently work).

I open a socket (nsISocketTransport) with SSL/STARTTLS, i.e.
Ci.nsISocketTransportService.createTransport("starttls", 1,
"abcdxmpp.foo.com", 5222, proxyInfo);

Now, how do I set the hostname to check the cert against?

By default, it uses the hostname that I open the socket to, but in my
case of course that gives a "bad_cert_domain" error.

Of course I took
socket.securityInfo.QueryInterface(Ci.nsISSLSocketControl), I need that
to start STARTTLS anyway, but I don't see any way there to set the
hostname to check against.

From what I understand, the app should be able to tell the security lib
which hostname to check against, because we're supposed to check against
what the user entered originally, not necessarily what we end up with.
Most libs, e.g. java and Python, even require the app author to
explicitly set this. So, I assume that possibility is somewhere, I just
didn't find the API.

Can somebody help?

You might also be able to provide a cert verify callback. Not sure how it would work in JSS, but OpenLDAP does something similar with C code. See http://www.openldap.org/devel/cvsweb.cgi/~checkout~/libraries/libldap/tls_m.c?rev=1.27&hideattic=1&sortbydate=0

The two main entry points are SSL_BadCertHook and SSL_AuthCertificateHook - these give you the ability to "intercept" the SSL_ERROR_BAD_CERT_DOMAIN error and handle it the way you want to.


Ben
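The hooks named in the reply (SSL_AuthCertificateHook / SSL_BadCertHook) only hand the decision to the application; the check the callback then has to perform is the one the question describes: match the certificate's names against the domain the user typed ("foo.com"), not against the SRV target the socket was opened to ("abcdxmpp.foo.com"). The following is an added example of that name check, not code from the thread, from NSS or from Mozilla: it works on a constructed plain-object stand-in for the peer certificate (an NSS callback would obtain the real one with SSL_PeerCertificate), implements the dNSName/CN matching rule of RFC 6125 including the wildcard restrictions, and compares the result of checking the SRV target with the result of checking the user-entered domain. All function and field names (`presentedIdMatches`, `certMatchesHost`, `xmppCertDecision`, `subjectAltNames`, `commonName`) are this example's own choices.

```javascript
// Added example (not from the thread, NSS or Mozilla): the hostname check an
// SSL_AuthCertificateHook / SSL_BadCertHook callback would perform for an
// XMPP client. The reference identity is the domain the user entered, never
// the SRV target the DNS lookup produced. Certificates are constructed
// plain-object stand-ins; nothing here talks to NSS or XPCOM.

'use strict';

// RFC 6125-style comparison of one presented identifier (a dNSName SAN or
// the CN) against the reference identity. Comparison is case-insensitive and
// ignores a trailing dot. A wildcard is accepted only as the complete
// leftmost label, it matches exactly one label, and at least two labels must
// follow it, so "*.com" or "*" never match anything.
function presentedIdMatches(presented, reference) {
  const p = presented.toLowerCase().replace(/\.$/, '');
  const r = reference.toLowerCase().replace(/\.$/, '');
  if (!p.includes('*')) return p === r;

  const pLabels = p.split('.');
  const rLabels = r.split('.');
  if (pLabels[0] !== '*' || pLabels.length < 3) return false;   // "f*.com", "*.com" rejected
  if (pLabels.length !== rLabels.length) return false;           // "*" spans exactly one label
  if (pLabels.slice(1).some((l) => l.includes('*'))) return false; // "*.*.com" rejected
  return pLabels.slice(1).join('.') === rLabels.slice(1).join('.');
}

// Is `cert` valid for `reference`? When the certificate carries dNSName
// subjectAltName entries, only those are consulted and the CN is ignored
// (RFC 6125 section 6.4.4); without any dNSName SAN, fall back to the CN.
function certMatchesHost(cert, reference) {
  const sans = (cert.subjectAltNames || []).filter((n) => n.type === 'dNSName');
  const candidates = sans.length > 0
    ? sans.map((n) => n.value)
    : (cert.commonName ? [cert.commonName] : []);
  return candidates.some((id) => presentedIdMatches(id, reference));
}

// The decision the hook has to make. `connectedTo` is the host the socket
// was opened to (the SRV target, what a default check would use);
// `userDomain` is the JID domain the user typed, the only valid reference.
function xmppCertDecision(cert, connectedTo, userDomain) {
  const matchesUserDomain = certMatchesHost(cert, userDomain);
  return {
    matchesSrvTarget: certMatchesHost(cert, connectedTo), // default check: fails, as in the thread
    matchesUserDomain,                                     // what the XMPP client must require
    accept: matchesUserDomain,
  };
}

// Constructed sample: a certificate issued to the XMPP domain, presented by
// the SRV target host, exactly the situation the question describes.
const SAMPLE_CERT = {
  commonName: 'foo.com',
  subjectAltNames: [
    { type: 'dNSName', value: 'foo.com' },
    { type: 'dNSName', value: 'xmpp.foo.com' },
  ],
};

function demo() {
  // Checking against the SRV target gives the "bad_cert_domain" outcome;
  // checking against the user-entered domain accepts the certificate.
  return xmppCertDecision(SAMPLE_CERT, 'abcdxmpp.foo.com', 'foo.com');
}

console.log(demo());
```

In a real NSS callback the same logic applies to the names pulled out of the CERTCertificate returned by SSL_PeerCertificate; the point is only that the reference identity passed in is the JID domain the user supplied, so the hook must receive that string from the application rather than derive it from the socket's host.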

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
