Bug 35410

Summary: Implement ServerTLSConnection.ReferenceIdentities in gabble
Product: Telepathy Reporter: Stef Walter <stefw>
Component: gabbleAssignee: Telepathy bugs list <telepathy-bugs>
Status: RESOLVED FIXED QA Contact: Telepathy bugs list <telepathy-bugs>
Severity: normal    
Priority: medium CC: sjoerd, stefw
Version: git masterKeywords: patch
Hardware: Other   
OS: All   
URL: http://git.collabora.co.uk/?p=user/stefw/telepathy-gabble.git;a=shortlog;h=refs/heads/reference-identities
Whiteboard:
i915 platform: i915 features:
Bug Depends on: 35395, 35408    
Bug Blocks: 35415    

Description Stef Walter 2011-03-18 02:49:24 UTC 
ServerTLSConnection.ReferenceIdentities is a way for a connection manager to indicate that there can be more than one expected identity for a certificate on the other side of a TLS connection.

This patch implements support for reference identities in gabble for XMPP connections TLS connections. The first reference identity is always the source domain of the XMPP JID. The second reference identity is the overridden server name (when such is explicitly specified).

Use Case
========

 * Fry follows google's instructions [1] when setting up his XMPP
   client with google talk. The instructions ask him to override the
   server name with 'talk.google.com'.
 * Fry gets a scary certificate warning that there's someone trying
   to screw with his encrypted connection.
 * Fry gets used to certificate warnings, and sees them as an expected
   part of using his computer.
 * Alternatively Fry uses pidgin or other XMPP clients which don't
   produce a warning in this situation.

Obviously we should never use reference identities that were not specified by the user either through direct configuration or a choice of some sort. Both the reference identities (JID domainpart, and server override) implemented by this patch are explicitly specified by the user.

I will be filling another ticket for implementing support for this in empathy. Will be attaching patches.
Comment 1 Stef Walter 2011-03-18 04:08:04 UTC 
In the future we may choose to have an explicit account parameter which provides additional reference identities.

This could be useful so that when the user chooses GTalk from the account type listing, we automatically add talk.google.com to the list of additional reference identities. Note that we would checking the certificate identity against a the user's choice or configuration in this case, and as such it is a valid reference identity.

This is similar but not directly related to how we add fallback servers for GTalk.

However this patch does not add support for these additional reference identities at this point.
Comment 2 Stef Walter 2011-03-18 06:36:18 UTC 
Comments from sjoerd:

<sjoerd> stefw: yeah having the account parameters set two connection time options is quite confusing as well
<stefw> sjoerd: i don't mind changing it. we need some way to bring over the user's explicit server override.
<sjoerd> we should just always have explicit-server in connection.c the only thing the user sets and have connect server pick that up :)
<stefw> alright
<sjoerd> and have connect-server be read-only and the server we're connected to
<stefw> will do.

Made changes and pushed to my reference-identities branch.
Comment 3 Stef Walter 2011-03-18 09:58:50 UTC 
Added test. Sadly can't test the case where server is not specified, as that doesn't work with the tests.
Comment 4 Jonny Lamb 2011-03-28 09:12:34 UTC 
Looks good. Just one question really.

+  /* And secondly the an explicitly overridden server */
+  connect_server = NULL;
+  g_object_get (tp_base_channel_get_connection (TP_BASE_CHANNEL (self)),
+      "connect-server", &connect_server, "explicit-server", &explicit_server,
+      NULL);

Why do you set connect_server to NULL but not explicit_server? Am I missing something.

Also, please have these on different lines so you have:

  "property-name", &location_to_store,
  "property-name", &location_to_store,

Also the comment English is a little broken.
Comment 5 Stef Walter 2011-03-28 09:35:30 UTC 
Thanks Jonny. Done. Could you help me merge this? Hopefully after this I can request my telepathy group permissions.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.