ServerTLSConnection.ReferenceIdentities is a way for a connection manager to indicate that there can be more than one expected identity for a certificate on the other side of a TLS connection. This patch implements support for reference identities in gabble for the TLS connections of XMPP connections. The first reference identity is always the source domain of the XMPP JID. The second reference identity is the overridden server name (when such is explicitly specified).

Use Case
========

* Fry follows google's instructions [1] when setting up his XMPP client with google talk. The instructions ask him to override the server name with 'talk.google.com'.
* Fry gets a scary certificate warning that there's someone trying to screw with his encrypted connection.
* Fry gets used to certificate warnings, and sees them as an expected part of using his computer.
* Alternatively Fry uses pidgin or other XMPP clients which don't produce a warning in this situation.

Obviously we should never use reference identities that were not specified by the user either through direct configuration or a choice of some sort. Both the reference identities (JID domainpart, and server override) implemented by this patch are explicitly specified by the user. I will be filing another ticket for implementing support for this in empathy. Will be attaching patches.
In the future we may choose to have an explicit account parameter which provides additional reference identities. This could be useful so that when the user chooses GTalk from the account type listing, we automatically add talk.google.com to the list of additional reference identities. Note that we would be checking the certificate identity against the user's choice or configuration in this case, and as such it is a valid reference identity. This is similar but not directly related to how we add fallback servers for GTalk. However this patch does not add support for these additional reference identities at this point.
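To make the matching rule described above concrete, here is an added example (not gabble's code, and not using GLib or its TLS channel types) that builds the reference identity list exactly as the report describes it, JID domainpart first and the explicit server override second, and then checks a certificate's presented names against that list. The JID, the override and the certificate names are constructed sample values modelled on the use case; the single-label "*." wildcard rule is an assumption of this example, not something the report specifies.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */

#define MAX_IDENTITIES 2
#define MAX_NAME 256

typedef struct {
    char names[MAX_IDENTITIES][MAX_NAME];
    int count;
} ReferenceIdentities;

/* Copy the domainpart of a JID ("node@domain/resource") into out.
   Returns 1 on success, 0 if the JID has no usable domainpart. */
static int jid_domainpart(const char *jid, char *out, size_t outlen)
{
    const char *start = strchr(jid, '@');
    const char *end;
    size_t len;

    start = start ? start + 1 : jid;
    end = strchr(start, '/');
    len = end ? (size_t)(end - start) : strlen(start);
    if (len == 0 || len >= outlen)
        return 0;
    memcpy(out, start, len);
    out[len] = '\0';
    return 1;
}

/* Build the reference identity list: the JID domainpart first, then the
   explicitly configured server override (only if set, and if it differs).
   Nothing the user did not configure ends up in the list.
   Returns the number of identities, or 0 if the JID is unusable. */
int build_reference_identities(const char *jid, const char *explicit_server,
                               ReferenceIdentities *out)
{
    out->count = 0;
    if (!jid_domainpart(jid, out->names[0], MAX_NAME))
        return 0;
    out->count = 1;

    if (explicit_server != NULL && explicit_server[0] != '\0' &&
        strlen(explicit_server) < MAX_NAME &&
        strcasecmp(explicit_server, out->names[0]) != 0) {
        strcpy(out->names[1], explicit_server);
        out->count = 2;
    }
    return out->count;
}

/* DNS names compare case-insensitively; a leading "*." in the certificate
   name matches exactly one label of the reference identity (assumed rule). */
static int name_matches(const char *cert_name, const char *reference)
{
    if (strncmp(cert_name, "*.", 2) == 0) {
        const char *dot = strchr(reference, '.');
        if (dot == NULL)
            return 0;   /* a wildcard never matches a single-label name */
        return strcasecmp(cert_name + 1, dot) == 0;
    }
    return strcasecmp(cert_name, reference) == 0;
}

/* Return the index of the first reference identity that any of the
   certificate's presented names matches, or -1 if none does. */
int certificate_matches_any(const char *const *cert_names, int n_names,
                            const ReferenceIdentities *ids)
{
    for (int i = 0; i < ids->count; i++)
        for (int j = 0; j < n_names; j++)
            if (name_matches(cert_names[j], ids->names[i]))
                return i;
    return -1;
}

/* Convenience for one account and one certificate name; -2 if the JID is bad. */
int check_scenario(const char *jid, const char *explicit_server,
                   const char *cert_name)
{
    ReferenceIdentities ids;
    const char *const names[] = { cert_name };
    if (build_reference_identities(jid, explicit_server, &ids) == 0)
        return -2;
    return certificate_matches_any(names, 1, &ids);
}

int main(void)
{
    /* Constructed sample: Fry's account with the documented server override. */
    const char *jid = "fry@gmail.com/Planet";
    int r = check_scenario(jid, "talk.google.com", "talk.google.com");
    printf("with override:    matched identity %d\n", r);
    r = check_scenario(jid, NULL, "talk.google.com");
    printf("without override: matched identity %d\n", r);
    return 0;
}
```

With the override configured, a certificate issued for talk.google.com matches the second reference identity (index 1); without it, the same certificate matches nothing, which is the warning Fry sees. The override is only ever added when the user set it, so the list never grows from anything the client decided on its own.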
Comments from sjoerd:

<sjoerd> stefw: yeah having the account parameters set two connection time options is quite confusing as well
<stefw> sjoerd: i don't mind changing it. we need some way to bring over the user's explicit server override.
<sjoerd> we should just always have explicit-server in connection.c the only thing the user sets and have connect server pick that up :)
<stefw> alright
<sjoerd> and have connect-server be read-only and the server we're connected to
<stefw> will do.

Made changes and pushed to my reference-identities branch.
Added test. Sadly can't test the case where server is not specified, as that doesn't work with the tests.
Looks good. Just one question really.

+ /* And secondly the an explicitly overridden server */ + connect_server = NULL; + g_object_get (tp_base_channel_get_connection (TP_BASE_CHANNEL (self)), + "connect-server", &connect_server, "explicit-server", &explicit_server, + NULL);

Why do you set connect_server to NULL but not explicit_server? Am I missing something?

Also, please have these on different lines so you have:

"property-name", &location_to_store,
"property-name", &location_to_store,

Also the comment English is a little broken.
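Review bot: explicit_server should be set to NULL alongside connect_server before the g_object_get call, so that both out-parameters are in a defined state whichever of the two properties happens to be unset. Both are string properties, so the values g_object_get writes into them are caller-owned copies; the hunk does not show either being released, so make sure each is g_free'd once its reference identity has been added.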
Thanks Jonny. Done. Could you help me merge this? Hopefully after this I can request my telepathy group permissions.
http://cgit.freedesktop.org/telepathy/telepathy-gabble/commit/?id=37cfceaeb41b511c3e87124913eccaf0ca5a034a