Bug #4764
Certificate check against google app for domains accounts
| Field | Value |
|---|---|
| Status | New |
| Start date | 03/22/2015 |
| Priority | Normal |
| Due date | |
| Assignee | - |
| % Done | 0% |
| Category | - |
| Target version | v15 - AWESOME APP |
| Component | |
Description
Hi,
It seems that ChatSecure is trying to validate the server certificate against the account domain instead of the server. I have for example a custom domain (example.org) and use Google Apps for domains. As such, ChatSecure needs to connect to (e.g.) talk.google.com, which is the one used in the account. Google's servers serve a certificate that's for google.com, yet that doesn't match the custom domain and ChatSecure complains and waits for the user to confirm the certificate.
The problem is solved if I accept the certificate once (which TBH I'd prefer not to have to do as that's error prone and I have no great way of verifying the certificate). However, specifically for Google, it seems that their servers use a variety of certificates, all of which are valid. I.e. when I connect from the home network I get a certificate with fingerprint Fa while when I connect from the cellular network I get a certificate with fingerprint Fb. Both fully valid to the extent that I can check. This results in ChatSecure asking the same question again and again.
On top of that, when I enter talk.google.com as the server, this gets auto-magically altered to talk.l.google.com (talk.google.com is a CNAME to talk.l.google.com in my case).
A fix for this would be to verify the server name against the certificate, either exclusively or in addition to the domain of the account. I.e. for the account test@example.org, connecting to server talk.google.com, to verify the certificate against example.org and/or talk.google.com. On top of that, ChatSecure must stop automagically changing the server name to its CNAME (is that on purpose?), because Google's chat servers that serve *.google.com certs will fail to verify talk.l.google.com as the * in wildcard certificates doesn't cross domains.
Thanks for ChatSecure btw!
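The verification the report asks for, as an added example that is not ChatSecure's code: certificate DNS names are matched against the connected server name as well as the account domain, and a wildcard label is only allowed to match exactly one label, so a `*.google.com` certificate covers `talk.google.com` but not the CNAME target `talk.l.google.com`. The SAN list below is constructed to resemble the `*.google.com` certificate described above.

```python
# Added example (not ChatSecure's code): RFC 6125-style DNS name matching
# applied to the scenario in this report. All sample values are constructed.
import re

# A single DNS label: letters, digits and inner hyphens only.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def match_dns_name(pattern: str, host: str) -> bool:
    """Match one certificate DNS name (possibly '*.example') against host.

    '*' may only be the entire left-most label and matches exactly one
    label: '*.google.com' matches 'talk.google.com' but neither
    'google.com' nor 'talk.l.google.com'.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 2:
        return False
    if not all(_LABEL.match(h) for h in h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse wildcards at the public-suffix level such as '*.com'.
        if len(p_labels) < 3:
            return False
        p_labels, h_labels = p_labels[1:], h_labels[1:]
    # Remaining labels must be literal and identical (no partial wildcards).
    return all("*" not in p and p == h for p, h in zip(p_labels, h_labels))


def verify_identity(dns_ids, account_domain: str, server_host: str):
    """Return which expected identity the certificate satisfies, or None.

    The connected server's name is accepted in addition to the XMPP account
    domain, which is the behaviour the report proposes.
    """
    for candidate in (server_host, account_domain):
        if any(match_dns_name(d, candidate) for d in dns_ids):
            return candidate
    return None


# Constructed SAN list resembling the certificate discussed in the report.
SAMPLE_SANS = ["*.google.com", "*.android.com"]

if __name__ == "__main__":
    # Account example.org connecting to talk.google.com: accepted via server name.
    print(verify_identity(SAMPLE_SANS, "example.org", "talk.google.com"))
    # The CNAME target is one label deeper, so the wildcard does not cover it.
    print(verify_identity(SAMPLE_SANS, "example.org", "talk.l.google.com"))
```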
History
#1 Updated by gnomeza almost 3 years ago
Same issue for me.
With two Google Apps for Domains accounts configured in ChatSecure the Accept Mismatching Certificate prompt pops up with frustrating regularity. Accept Always seems to have no effect - the prompt returns every time I change connections.
My workaround, currently, is to kill ChatSecure.
#2 Updated by n8fr8 over 2 years ago
- Target version set to v15 - AWESOME APP
#3 Updated by altj over 2 years ago
I'm seeing the same thing. I'm currently running v14.2 on Android.
warning window message:
-----------------
Accept Mismatching Server Name?
Server could not authenticate as "mycustomdomain.com". the certificate is only valid for:
[2] *.google.com
[2] *.android.com
...
Do you want to connect anyway?
Certificate details:
CN=*.google.com, O=Google Inc,
...
-----------------
I have SRV lookups set up for my domain (_jabber._tcp, _xmpp-client._tcp, and _xmpp-server._tcp)
and I've checked "Do SRV Lookup" in the advanced settings, but the setting change doesn't stay set.
#4 Updated by justhj2u over 2 years ago
This definitely makes ChatSecure difficult to use. Same issue exactly as described above.