Package: emacs-jabber
Version: 0.8.0-1
Severity: important

Hi,

when connecting via TLS, jabber.el does not check for the correct CN in the certificate:

  Jabber-ID: [email protected]/Emacs
  DNS: _xmpp-client._tcp.example.com IN SRV 50 50 5022 jabber.example.org.

jabber.el now looks up the SRV entry and connects to jabber.example.org. It then expects the certificate's CN to match "jabber.example.org", but it should expect "example.com" as documented in RFC 3920:

  Certificates MUST be checked against the hostname as provided by the
  initiating entity (e.g., a user), not the hostname as resolved via the
  Domain Name System; e.g., if the user specifies a hostname of
  "example.com" but a DNS SRV lookup returned "im.example.com", the
  certificate MUST be checked as "example.com".
    -- http://xmpp.org/rfcs/rfc3920.html#tls, 8.

The error message given by jabber.el in this case could also be improved:

  [email protected]/Emacs: connection lost: `nil'

More information is only available in the *Messages* buffer:

  - The hostname in the certificate does NOT match 'jabber.example.org'
  STARTTLS negotiation failed

It would be nice if the error message could at least include "STARTTLS negotiation failed" instead of `nil'.

Regards,
Ansgar

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-trunk-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages emacs-jabber depends on:
ii  dpkg                  1.15.5.6         Debian package management system
ii  emacs22-gtk [emacsen] 22.3+1-1.1       The GNU Emacs editor (with GTK use
ii  emacs23 [emacsen]     23.1+1-5         The GNU Emacs editor (with GTK+ us
ii  install-info          4.13a.dfsg.1-5   Manage installed documentation in

Versions of packages emacs-jabber recommends:
ii  gnutls-bin            2.8.5-2          the GNU TLS library - commandline
pn  xprintidle            <none>           (no description available)

emacs-jabber suggests no packages.
-- no debconf information
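The check the report asks for, as an added Python example (not part of the original report and not jabber.el code): the reference identity for certificate matching is the domain part of the JID, and the SRV target is used only to decide where to connect. The JID "alice@example.com/Emacs", the certificate name lists and all function names are constructed for illustration; the matcher is a simplified one covering only dNSName-style names.

```python
import ssl

def jid_domain(jid: str) -> str:
    """Domain part of a JID: drop the /resource, then the local part."""
    bare = jid.split("/", 1)[0]
    return bare.rsplit("@", 1)[-1].lower()

def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive comparison; '*' is accepted only as the whole
    left-most label and never directly under a top-level domain."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return h[0] != "" and p[1:] == h[1:]
    return p == h

def verify_peer(jid: str, srv_target: str, cert_dns_names: list) -> tuple:
    """Return (ok, reference). srv_target is deliberately ignored here:
    it comes from DNS and is not a trusted input for identity checks."""
    reference = jid_domain(jid)
    ok = any(name_matches(name, reference) for name in cert_dns_names)
    return ok, reference

def upgrade_after_starttls(sock, jid: str) -> ssl.SSLSocket:
    """Wrap a socket that has already completed the XMPP STARTTLS exchange.
    server_hostname drives both SNI and the library's hostname check, so it
    must be the JID domain even though sock is connected to the SRV target."""
    ctx = ssl.create_default_context()  # check_hostname is on by default
    return ctx.wrap_socket(sock, server_hostname=jid_domain(jid))

if __name__ == "__main__":
    jid = "alice@example.com/Emacs"   # constructed JID
    srv = "jabber.example.org"        # SRV target from the report
    # Certificate issued for the service domain: accepted.
    print(verify_peer(jid, srv, ["example.com"]))
    # Certificate that only names the SRV target: rejected.
    print(verify_peer(jid, srv, ["jabber.example.org"]))
```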

