[Telepathy] MSN using XMPP-- SSL warnings

Pedro Francisco pedrogfrancisco at gmail.com
Thu Jan 17 07:10:21 PST 2013


On Fri, Dec 7, 2012 at 12:21 PM, Will Thompson
<will.thompson at collabora.co.uk> wrote:
> On 07/12/12 12:09, Simon McVittie wrote:
>>
>> On 06/12/12 15:46, Pedro Francisco wrote:
>>>
>>> The hostname verified by the certificate doesn't match the server name.
>>>
>>> Expected hostname: messenger.live.com
>>> Certificate hostname: *.gateway.messenger.live.com
>>
>>
>> I get this too. It looks like an error at Microsoft's end: they're using
>> a valid certificate, but for the wrong server name. Their
>> documentation[1] says the server's official name (and the one we should
>> connect to) is messenger.live.com, so their certificate needs to have
>> that as its CN or as one of its "alternative names".
>>
>> This should affect non-Telepathy clients equally: if a client is
>> unaffected, then either it's talking to an unaffected server (they use
>> multiple servers with geolocation, so it's not necessarily the case that
>> all their servers have this error), or it's not validating certificates
>> properly (a security flaw in that client).
>>
>> Xavier is the owner of our GOA app key - I think he has some way to
>> contact Microsoft?
>>
>> If this isn't fixed for a long time, it would be possible to work around
>> it (in Gabble, gnome-online-accounts or even Empathy);
>
>
> Empathy already attempts to work around this. Empathy sets:
>
>       PARAM ("param-extra-certificate-identities",
>           "*.gateway.messenger.live.com");
>
> which should show up in the
> http://telepathy.freedesktop.org/spec/Channel_Type_Server_TLS_Connection.html#Property:ReferenceIdentities
> property, which empathy-auth-client.c passes to empathy-tls-verifier.
>
> I wonder what's broken.

It no longer happens on F18 but I can't be sure until I do a clean
install (just in case I clicked the 'don't check cert' checkbox).
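
Added example, not part of the original message and not Empathy's or Gabble's code: a simplified C model of the hostname check discussed in this thread, showing why the certificate name fails against messenger.live.com and why an extra reference identity makes it pass. It assumes the verifier accepts when any reference identity matches any name in the certificate; the function names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive string equality (DNS names compare without regard to case). */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && tolower((unsigned char)*a) == tolower((unsigned char)*b); a++, b++)
        ;
    return *a == '\0' && *b == '\0';
}

/* Does one name from the certificate match one reference identity?
 * "*" is honoured only as the whole leftmost label and covers exactly one label. */
static int name_matches(const char *presented, const char *reference)
{
    if (eq_nocase(presented, reference))
        return 1;
    if (strncmp(presented, "*.", 2) != 0)
        return 0;
    const char *dot = strchr(reference, '.');
    if (dot == NULL || dot == reference)
        return 0;                       /* no leftmost label to consume */
    return eq_nocase(presented + 1, dot);
}

/* Accept if any certificate name matches any reference identity (assumed model). */
static int cert_matches(const char *const *presented, size_t n_presented,
                        const char *const *refs, size_t n_refs)
{
    for (size_t i = 0; i < n_presented; i++)
        for (size_t j = 0; j < n_refs; j++)
            if (name_matches(presented[i], refs[j]))
                return 1;
    return 0;
}

/* Constructed inputs, using the two names quoted in the thread. */
static const char *const cert_names[] = { "*.gateway.messenger.live.com" };
static const char *const refs_default[] = { "messenger.live.com" };
static const char *const refs_with_extra[] =
    { "messenger.live.com", "*.gateway.messenger.live.com" };

int main(void)
{
    printf("default: %s\n", cert_matches(cert_names, 1, refs_default, 1) ? "accept" : "reject");
    printf("with extra identity: %s\n", cert_matches(cert_names, 1, refs_with_extra, 2) ? "accept" : "reject");
    return 0;
}
```

Chain validation is outside this sketch. The extra identity only widens which names are accepted for the connection; the check itself still runs.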

