Bug 681079 - Claim that Windows Live certificate isn't valid
Status: RESOLVED FIXED
Product: empathy
Classification: Core
Component: UOA
Version: 2.33.x
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: empathy-maint
QA Contact: empathy-maint
Depends on:
Blocks:
 
 
Reported: 2012-08-02 15:39 UTC by Guillaume Desmottes
Modified: 2012-08-03 09:15 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
log (56.79 KB, text/x-log), 2012-08-02 15:39 UTC, Guillaume Desmottes
GOA: set param-extra-certificate-identities for Windows live accounts (1.12 KB, patch), 2012-08-03 09:00 UTC, Guillaume Desmottes, status: none
GOA: set param-extra-certificate-identities for Windows live accounts (1.12 KB, patch), 2012-08-03 09:02 UTC, Guillaume Desmottes, status: committed

Description Guillaume Desmottes 2012-08-02 15:39:16 UTC
Created attachment 220162
log

I configured a Windows Live account using UOA and empathy-auth-client claimed its cert wasn't valid:

(empathy-auth-client:5785): empathy-DEBUG: perform_verification: Hostname mismatch: got *.gateway.messenger.live.com but expected messenger.live.com

Comment 1 Guillaume Desmottes 2012-08-02 16:10:36 UTC
We are connecting using the SRV record:

$ dig _xmpp-client._tcp.messenger.live.com SRV +short
10 0 5222 xmpp.messenger.live.com.

Comment 2 Guillaume Desmottes 2012-08-03 09:00:06 UTC
Created attachment 220211
GOA: set param-extra-certificate-identities for Windows live accounts

Windows live provides a cert for '*.gateway.messenger.live.com'
instead of 'messenger.live.com'. It's not great from them but best to accept
it than confuse users.

Comment 3 Guillaume Desmottes 2012-08-03 09:02:00 UTC
Created attachment 220212
GOA: set param-extra-certificate-identities for Windows live accounts

Windows live provides a cert for '*.gateway.messenger.live.com'
instead of 'messenger.live.com'. It's not great from them but best to accept
it than confuse users.

Comment 4 Stef Walter 2012-08-03 09:13:54 UTC
Review of attachment 220212:

Looks good. If the user selects 'Windows Live Account' or something to that effect, then it is completely okay to whitelist certificates we know are associated with that service ... but yes Windows Live sucks for doing this :(

Comment 5 Guillaume Desmottes 2012-08-03 09:15:46 UTC
Attachment 220212 pushed as e3228e2 - GOA: set param-extra-certificate-identities for Windows live accounts
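
The check that failed in this report and the effect of an account-scoped extra identity, as an added example (not Empathy's code and not the attached patch). The function names are hypothetical, and the extra identity value is an assumption because the patch body is not shown on this page.

```python
def dns_name_matches(presented, reference):
    """Match one certificate DNS name against one reference identity.

    A '*' counts only as the whole left-most label and covers exactly one
    label; a '*' in the reference is compared literally, never expanded.
    """
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if len(p) != len(r) or "" in p or "" in r:
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as "*.com".
        return len(p) > 2 and p[1:] == r[1:]
    return p == r


def verify_identity(cert_names, hostname, extra_identities=()):
    """Return the reference identity that matched, or None.

    hostname is the domain the account was configured with. The SRV target
    is not used as a reference, since the SRV answer is ordinary DNS data.
    extra_identities models a per-account extra-certificate-identities list.
    """
    for reference in (hostname, *extra_identities):
        if any(dns_name_matches(name, reference) for name in cert_names):
            return reference
    return None


# Values taken from the debug line and the dig output in this report.
CERT_NAMES = ["*.gateway.messenger.live.com"]
ACCOUNT_DOMAIN = "messenger.live.com"
SRV_TARGET = "xmpp.messenger.live.com"
# Assumed value for the Windows Live account only (patch not shown here).
EXTRA = ["*.gateway.messenger.live.com"]

if __name__ == "__main__":
    print("default check:", verify_identity(CERT_NAMES, ACCOUNT_DOMAIN))
    print("with extra identity:",
          verify_identity(CERT_NAMES, ACCOUNT_DOMAIN, EXTRA))
    print("unrelated cert:",
          verify_identity(["*.example.net"], ACCOUNT_DOMAIN, EXTRA))
```

The extra identity only widens what this one account type accepts; a certificate for any other name still fails, and the certificate chain must still validate separately.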