• Merijn Verstraaten's avatar
    Correctly use SRV specified hostname for cert validation (#204) · 3de96080
    Merijn Verstraaten authored
    Initially the XMPPTrustManager queried getServiceName from the
    ConnectionConfiguration and used that for certificate validation. This is a
    bug, because the serviceName corresponds to the hostname of the jabber id. That
    is, if we're trying to connect for account foo@bar.com it corresponds to
    bar.com.
    
    However, we are properly doing a SRV lookup to see which server hosts the
    actual XMPP server for bar.com, which may be on a different hostname. For
    example, everyone hosting their XMPP at fastmail.com will have their XMPP
    server on chat.messagingengine.com. The XMPPTrustManager will then try to
    verify the server's certificate of chat.messagingengine.com against the bar.com
    it expects, which will obviously fail. This issue renders it impossible for
    anyone using a 3rd part XMPP server to connect to their account.
    
    The correct approach is to use the hostname returned by the SRV lookup as the
    hostname checked by XMPPTrustManager. That is, if our SRV lookup for bar.com
    returns chat.messagingengine.com as the XMPP server, we should validate that
    the certificate corresponds to chat.messagingengine.com, NOT bar.com
    3de96080
Name
Last commit
Last update
..
com Loading commit data...
de/measite/smack Loading commit data...
org Loading commit data...