[jitsi-dev] SSL validation wrongness


#1

Hello devs,

It seems that Jitsi is doing SSL certificate validation against the
wrong hostname. Scenario is this- I connect using Jitsi with my
andrew@sybaweb.com JID- SRV records are pointing to a machine called
xmpp.sybaweb.co.za. This machine presents a certificate which is valid
for *.sybaweb.co.za (NOT sybaweb.com). Jitsi displays an error
complaining that the certificate is not valid for sybaweb.com,
xmpp-client.sybaweb.com (it isn't - though I don't see that this should
be a problem since this is not the hostname pointed to by the SRV records).

Thank you for your work on this software.

Best,
-AL.


#2

Hey

This is actually intended behavior (by Jitsi as well as the RFCs). Your XMPP server must present a certificate that is valid for your XMPP ID. The hostname of the server itself is irrelevant.
If it weren't this way, anybody could just forge DNS information and tell the client that he's you.

Regards,
Ingo

On 30.12.2011, at 17:21, "Andrew Lewis" <andrew@sybaweb.com> wrote:

Hello devs,

It seems that Jitsi is doing SSL certificate validation against the
wrong hostname. Scenario is this- I connect using Jitsi with my
andrew@sybaweb.com JID- SRV records are pointing to a machine called
xmpp.sybaweb.co.za. This machine presents a certificate which is valid
for *.sybaweb.co.za (NOT sybaweb.com). Jitsi displays an error
complaining that the certificate is not valid for sybaweb.com,
xmpp-client.sybaweb.com (it isn't - though I don't see that this should
be a problem since this is not the hostname pointed to by the SRV records).

Thank you for your work on this software.

Best,
-AL.
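
The check described in reply #2, as an added example that is not part of the thread and not Jitsi's code: the certificate is matched against the domain part of the JID, never against the host name the SRV record returns. It handles only dNSName entries with a single-label wildcard; the function names are hypothetical, and the sample values are constructed from the scenario in post #1.

```python
def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName against a host name.

    A '*' is honoured only as the whole left-most label and stands for
    exactly one label, so '*.sybaweb.co.za' never covers 'sybaweb.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # Refuse overly broad patterns such as '*.com'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def reference_domain(jid: str) -> str:
    """Return the domain part of a JID (local@domain/resource)."""
    bare = jid.split("/", 1)[0]
    return bare.split("@", 1)[-1].lower()


def verify_xmpp_cert(jid: str, srv_target: str, cert_dns_names: list[str]) -> dict:
    """Decide whether a server certificate is acceptable for this JID."""
    domain = reference_domain(jid)
    return {
        "reference": domain,
        # The only result that counts: does the certificate name the JID domain?
        "accepted": any(dns_name_matches(n, domain) for n in cert_dns_names),
        # For contrast only. The SRV answer comes from DNS, which the client
        # cannot trust, so a match here proves nothing about the JID domain.
        "matches_srv_target_only": any(
            dns_name_matches(n, srv_target) for n in cert_dns_names
        ),
    }


if __name__ == "__main__":
    # Constructed from post #1: JID domain, SRV target, wildcard certificate.
    print(verify_xmpp_cert("andrew@sybaweb.com", "xmpp.sybaweb.co.za",
                           ["*.sybaweb.co.za"]))
    # Same server after being issued a certificate that names the JID domain.
    print(verify_xmpp_cert("andrew@sybaweb.com", "xmpp.sybaweb.co.za",
                           ["sybaweb.com", "*.sybaweb.co.za"]))
```
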