Bug 389481 - missing SSL verification with gnutls and mcabber 0.9.4
missing SSL verification with gnutls and mcabber 0.9.4
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: mcabber (Show other bugs)
9
All Linux
low Severity low
: ---
: ---
Assigned To: Michael Fleming
Fedora Extras Quality Assurance
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-11-18 12:00 EST by Till Maas
Modified: 2008-10-30 08:54 EDT (History)
1 user (show)

See Also:
Fixed In Version: 0.9.5-1.fc8
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-10-30 08:54:00 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Till Maas 2007-11-18 12:00:56 EST
Description of problem:

I just noticed that mcabber does not verify the commonname of a certificate 
with gnutls. E.g. when there is the following situation:

A server is reachable via foo.example.com and bar.example.com and provides an 
certificate with the common name bar.example.com. When I connect to the 
server via "set server = foo.example.com", mcabber compiled with openssl 
gives this error:

jab_start: SSL negotiation failed: server certificate cn mismatch

but mcabber with gnutls does not complain.

Version-Release number of selected component (if applicable):

mcabber-0.9.4-1.fc7

How reproducible:

always

Steps to Reproduce:
1. enable ssl verification
2. connect to a server with a different hostname than the common name of the
certificate it uses
  
Actual results:
mcabber connects happily

Expected results:
mcabber should quit with, e.g. the following message:
jab_start: SSL negotiation failed: server certificate cn mismatch

Additional info:

I just reported this upstream. I guess a good workaround until upstream released
a fixed version is to use openssl-devel as BR instead of gnutls-devel.
Comment 1 Till Maas 2007-11-18 12:39:43 EST
(In reply to comment #0)

> I just reported this upstream. I guess a good workaround until upstream released
> a fixed version is to use openssl-devel as BR instead of gnutls-devel.

This is known beheaviour. So please compile it with openssl instead of gnutls
support.
Comment 2 Michael Fleming 2007-12-05 05:52:09 EST
Thanks Till, I've committed 0.9.5-1 to CVS (adding Paul Wolters' patch for this
and OTR support) and it's building on F8 now.

That'll teach me to try and be clever.. :-P

Michael.
Comment 3 Fedora Update System 2007-12-06 17:49:40 EST
mcabber-0.9.5-1.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update mcabber'
Comment 4 Fedora Update System 2007-12-06 17:50:29 EST
mcabber-0.9.5-1.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update mcabber'
Comment 5 Fedora Update System 2007-12-20 14:52:09 EST
mcabber-0.9.5-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 Fedora Update System 2007-12-20 14:53:08 EST
mcabber-0.9.5-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Till Maas 2008-10-08 17:35:04 EDT
FYI: Even mcabber 0.9.8 does not support certificate verification with gnutls (I just checked) and it seems that F9 and rawhide mcabber packages are again compiled agains gnutls instead of openssl. Please consider building them against openssl, too. Btw. please respond at least with a short message, if you read this, otherwise I will assume this message was lost and open a fresh bug report.
Comment 8 Michael Fleming 2008-10-08 18:15:17 EDT
I'm planning on pushing out 0.9.8 compiled against OpenSSL anyway, thanks for prompting / reminding me. Linking against gnutls seemed like a good idea at the time but as you've noted it's had a couple of regressions / less-than-stellar behaviours, so I'm more than happy to back that change out.

I'll import 0.9.8 with OpenSSL when I get home from work this evening :-)
Comment 9 Fedora Update System 2008-10-12 08:00:38 EDT
mcabber-0.9.9-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/mcabber-0.9.9-1.fc9
Comment 10 Fedora Update System 2008-10-15 22:05:45 EDT
mcabber-0.9.9-1.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update mcabber'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-8812
Comment 11 Fedora Update System 2008-10-30 08:53:57 EDT
mcabber-0.9.9-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.