On Fri, Apr 11, 2008 at 9:25 AM, Etan S. C. Reisner <[EMAIL PROTECTED]> wrote:
> On Fri, Apr 11, 2008 at 08:06:58PM +0530, Rahul Amaram wrote:
>> 1. Does pidgin check the certificate against the domain name
>> (company.com) or the server name (jabber.example.com)? It currently
>> seems to be verifying against the domain name. Is this expected behaviour?
>
> In pidgin 2.4.0 and later the connect server should be used when a
> hostname is specified in that field, the srv record host if no connect
> server is specified and an srv record exists, and the domain otherwise.

We had some discussion about this two months ago and came to the
conclusion that Pidgin should verify against the connect server or the
domain name, but NOT the srv record.  The reasoning for not verifying
the certificate against the srv record is that DNS can be poisoned,
and so the security provided by the certificate is weakened.

Some of this decision is archived at http://developer.pidgin.im/ticket/6516

And so I'd like to point out that this decision negatively impacts the
virtual hosting provided by Google's Apps.  For example, when I log in
with my [EMAIL PROTECTED] JID using Pidgin, it looks up the srv record,
connects to talk.google.com, then presents me with a certificate
mismatch warning and asks whether I want to accept or reject the
certificate.

And I just realized that maybe we should continue setting the connect
server to talk.google.com when users create Google Talk accounts
within Pidgin (I believe Ethan changed this a few days ago).

-Mark
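The verification policy discussed in this thread (check the certificate against the configured connect server, else the JID domain, and never against an SRV answer) as an added worked example. This is illustration code, not Pidgin's; the JID someone@company.com, the SRV target and the certificate name set are constructed from the scenario Mark describes.

```python
# Added example (not Pidgin code): which name an XMPP client should check the
# server certificate against under the policy from the thread, plus a minimal
# DNS-name matcher. The JID, SRV target and certificate names are constructed.
from typing import List, Optional

def expected_cert_name(jid: str, connect_server: Optional[str],
                       srv_target: Optional[str], trust_srv: bool = False) -> str:
    """Return the hostname the server certificate must be issued for.

    Policy from the thread: the user-configured connect server if set,
    otherwise the JID domain. The SRV target is honoured only when
    trust_srv=True (the 2.4.0 behaviour the thread argues against): an
    unauthenticated DNS answer would then decide which certificate is accepted.
    """
    domain = jid.rsplit("@", 1)[-1].lower()
    if connect_server:
        return connect_server.lower()
    if trust_srv and srv_target:
        return srv_target.lower()
    return domain

def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-name match allowing one wildcard in the leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    plabels, hlabels = pattern.split("."), hostname.split(".")
    # Wildcard must be the whole leftmost label and must not cover a bare TLD.
    if len(plabels) != len(hlabels) or len(plabels) < 3 or plabels[0] != "*":
        return False
    return plabels[1:] == hlabels[1:]

def cert_accepted(cert_names: List[str], expected: str) -> bool:
    """True if any name in the certificate matches the expected hostname."""
    return any(name_matches(n, expected) for n in cert_names)

def google_apps_case(connect_server: Optional[str] = None, trust_srv: bool = False):
    # Constructed scenario from Mark's report: a JID on a Google Apps domain,
    # an SRV lookup pointing at talk.google.com, and a certificate issued
    # for talk.google.com presented by that server.
    expected = expected_cert_name("someone@company.com", connect_server,
                                  "talk.google.com", trust_srv)
    return expected, cert_accepted(["talk.google.com"], expected)

if __name__ == "__main__":
    print(google_apps_case())                                  # ('company.com', False)
    print(google_apps_case(connect_server="talk.google.com"))  # ('talk.google.com', True)
```

The first call reproduces the mismatch warning Mark sees; the second shows why keeping talk.google.com as the connect server for Google Talk accounts avoids it without trusting DNS.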

_______________________________________________
Support mailing list
Support@pidgin.im
http://pidgin.im/cgi-bin/mailman/listinfo/support