Bah!  Take a look at item 8 in section 5.1 of the XMPP spec 
(http://xmpp.org/rfcs/rfc3920.html#tls):
"Certificates MUST be checked against the hostname as provided by the 
initiating entity (e.g., a user), not the hostname as resolved via the Domain 
Name System; e.g., if the user specifies a hostname of "example.com" but a DNS 
SRV (Gulbrandsen, A., Vixie, P., and L. Esibov, “A DNS RR for specifying the 
location of services (DNS SRV),” February 2000.) [SRV] lookup returned 
"im.example.com", the certificate MUST be checked as "example.com". If a JID 
for any kind of XMPP entity (e.g., client or server) is represented in a 
certificate, it MUST be represented as a UTF8String within an otherName entity 
inside the subjectAltName, using the [ASN.1] (CCITT, “Recommendation X.208: 
Specification of Abstract Syntax Notation One (ASN.1),” 1988.) Object 
Identifier "id-on-xmppAddr" specified in Section 5.1.1 (ASN.1 Object Identifier 
for XMPP Address) of this document. "

In other words, when Empathy/Telepathy attempts to connect as
[email protected], it is right to check for a certificate for
gappdomain.com instead of talk.google.com.

So, the real question here is this: should Empathy/Telepathy bend the
rules here?  I think it would be reasonable to accept a certificate for
the domain specified in the Jabber ID _OR_ the server we are actually
connecting to.

-- 
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to empathy in ubuntu.
https://bugs.launchpad.net/bugs/640018

Title:
  empathy throws untrusted certificate warning on google chat services
  using google apps (non-google domains)

-- 
desktop-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
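The check the comment describes, as an added example and not code from Empathy/Telepathy or the bug report: the certificate is matched against the domain the user typed in the JID (per RFC 3920 section 5.1, item 8), never against the SRV-resolved host, with the commenter's proposed relaxation available as an opt-in flag. The certificate identities are passed in already parsed (a constructed stand-in for reading the subjectAltName of a real X.509 certificate); the `CertIdentities` type and function names are my own.

```python
"""Hostname check for XMPP server certificates (RFC 3920 section 5.1, item 8)."""
from dataclasses import dataclass, field

# OID of id-on-xmppAddr, the otherName type XMPP JIDs are carried in (RFC 3920 5.1.1).
ID_ON_XMPPADDR = "1.3.6.1.5.5.7.8.5"


@dataclass
class CertIdentities:
    """Identities pulled from a server certificate's subjectAltName (constructed input)."""
    dns_names: list[str] = field(default_factory=list)   # dNSName entries
    xmpp_addrs: list[str] = field(default_factory=list)  # otherName id-on-xmppAddr entries


def _norm(name: str) -> str:
    """DNS names are case-insensitive; a trailing dot is the same name."""
    return name.rstrip(".").lower()


def cert_matches_domain(cert: CertIdentities, domain: str) -> bool:
    """True if the certificate asserts `domain` via a dNSName or an xmppAddr entry."""
    want = _norm(domain)
    return any(_norm(name) == want for name in cert.dns_names + cert.xmpp_addrs)


def xmpp_cert_acceptable(cert: CertIdentities, jid_domain: str, connect_host: str,
                         allow_connect_host: bool = False) -> bool:
    """RFC 3920 rule: verify against the JID's domain, not the SRV/DNS-resolved host.

    allow_connect_host=True is the relaxation proposed in the thread: also accept a
    certificate for the server actually connected to.
    """
    if cert_matches_domain(cert, jid_domain):
        return True
    return allow_connect_host and cert_matches_domain(cert, connect_host)


if __name__ == "__main__":
    # Constructed scenario from the bug: user@gappdomain.com, SRV points at talk.google.com,
    # and the presented certificate only names the Google host.
    google_cert = CertIdentities(dns_names=["talk.google.com"])
    print("strict RFC check :", xmpp_cert_acceptable(google_cert, "gappdomain.com", "talk.google.com"))
    print("relaxed check    :", xmpp_cert_acceptable(google_cert, "gappdomain.com", "talk.google.com",
                                                     allow_connect_host=True))
```

The strict check is what produces the untrusted-certificate warning in the bug title; the relaxed check is what the comment proposes, and it still rejects a certificate that names neither the JID domain nor the host connected to.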