Ben, proxy info (the last argument) could do the trick for you. Fill proxy info with host:port of the server (as it actually stands as a proxy between the two clients). Let the host name passed to createTransport() be the name of the client. This will make the underlying TCP socket connect to the server and expect to get upgraded to SSL later (as you already do with StartTLS()) and talk to the 'real' host then.

However, I'm not sure how to resolve a problem when a client is already behind a proxy server.

-hb-

On 1/24/2011 1:56 AM, Ben Bucksch wrote:
I am trying to implement XMPP, in chrome-JS.

XMPP resolves the server hostname using DNS SRV lookups, so if I want to get the server for "foo.com", I may end up with e.g. "abcdxmpp.foo.com" as hostname. The user opened the connection to "foo.com", though, and the SSL certificate is for "foo.com", not "abcdxmpp.foo.com" (that's how all the clients apparently work).

I open a socket (nsISocketTransport) with SSL/STARTTLS, i.e.
Ci.nsISocketTransportService.createTransport("starttls", 1, "abcdxmpp.foo.com", 5222, proxyInfo);

Now, how do I set the hostname to check the cert against?

By default, it uses the hostname that I open the socket to, but in my case of course that gives a "bad_cert_domain" error.

Of course I took socket.securityInfo.QueryInterface(Ci.nsISSLSocketControl), I need that to start STARTTLS anyway, but I don't see any way there to set the hostname to check against.

From what I understand, the app should be able to tell the security lib which hostname to check against, because we're supposed to check against what the user entered originally, not necessarily what we end up with. Most libs, e.g. Java and Python, even require the app author to explicitly set this. So, I assume that possibility is somewhere, I just didn't find the API.

Can somebody help?

Ben

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
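The rule the thread is circling, written out in Python as an added example that is neither from this thread nor from Mozilla's code: the TCP socket goes to the SRV target, but the certificate is verified against the domain the user typed. The names "foo.com" and "abcdxmpp.foo.com" are the ones from Ben's mail; connect_starttls() assumes a live XMPP server that advertises STARTTLS.

```python
import socket
import ssl

XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"


def tls_names(user_domain: str, srv_target: str, port: int = 5222) -> dict:
    """Separate the two jobs a 'hostname' does here: where the TCP socket
    connects (the SRV target) and which name the certificate must match
    (what the user entered). Conflating them is what yields bad_cert_domain."""
    return {"connect_host": srv_target, "port": port,
            "verify_name": user_domain.lower().rstrip(".")}


def client_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context()   # CERT_REQUIRED + hostname checking
    ctx.check_hostname = True            # spelled out so the intent is visible
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def stream_header(user_domain: str) -> bytes:
    # The XMPP stream is addressed to the user's domain, not the SRV target.
    return (f"<?xml version='1.0'?><stream:stream to='{user_domain}' "
            "xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' "
            "version='1.0'>").encode()


def connect_starttls(user_domain: str, srv_target: str, port: int = 5222,
                     timeout: float = 10.0) -> ssl.SSLSocket:
    names = tls_names(user_domain, srv_target, port)
    sock = socket.create_connection((names["connect_host"], names["port"]), timeout)
    sock.sendall(stream_header(user_domain))
    sock.recv(65536)  # server stream header + <features/>; assumed to offer starttls
    sock.sendall(f"<starttls xmlns='{XMPP_TLS_NS}'/>".encode())
    reply = sock.recv(65536)
    if b"<proceed" not in reply:
        sock.close()
        raise ConnectionError(f"server did not proceed with STARTTLS: {reply!r}")
    # server_hostname drives certificate name checking (and SNI). It is the
    # user-entered domain, not the SRV target the TCP socket was opened to.
    return client_context().wrap_socket(sock, server_hostname=names["verify_name"])
```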
