Magnus Henoch | 3 Feb 17:47

jabber.el 0.8.91 (was: Re: Back to normality)

On Wed, Dec 21, 2011 at 11:53 PM, Magnus Henoch <magnus.henoch <at> gmail.com> wrote:
> Hi all,
>
> Just wanted to let you know that I just pushed a change that is supposed
> to make jabber.el work equally well with Google Talk as well as some
> servers that didn't like the fix I made a few months ago.  So it would
> be great if you all could test if the latest version in Git is able to
> connect to various Jabber servers.  (ejabberd, Google Talk and Facebook
> seem to work for me.)
>
> I hope to roll a new pretest release before the new year, so you can try
> it out without bothering with Git.

...and by that, I of course meant the Tibetan New Year, which won't be
until 22nd February.  Sorry about the delay...

The files are here:
https://sourceforge.net/projects/emacs-jabber/files/emacs-jabber%20beta%20versions/0.8.91/

The above mentioned change is the only change from 0.8.90 (well, also
fixed the test suite), so if 0.8.90 works well with your Jabber server, the
only reason to upgrade is to provide me with fresh bug reports :) Which
is also important, of course.

Regards,
Magnus


Magnus Henoch | 6 Feb 09:25

Re: Supporting open-gnutls-stream

David Engster <deng <at> randomsample.de> writes:

> Emacs24-bzr can be compiled with native libgnutls support so that you no
> longer depend on gnutls-cli being installed. I've attached a tiny patch
> to make jabber.el support this.

Thanks for the patch!  This is something I've been meaning to do for a
long time.  I finally had time to look at your patch, and there's just
one thing that makes me hesitate about committing it: the
`open-gnutls-stream' function disables certificate host name checking,
which strictly speaking makes jabber.el less secure than what's there
now.

It's not exactly clear what the right thing to do here is, though.  This
patch only concerns old-style SSL/TLS connections (typically on port
5223), which are not specified in the XMPP RFCs.  For a STARTTLS
connection, it's clearly specified that the certificate hostname should
match the hostname part of the JID, _not_ the hostname that we end up
connecting to because of DNS SRV records, _but_ when I tried your patch
against Google Talk (where talk.google.com is the host to connect to for
5223-style connections) the certificate is only valid for
talk.google.com as far as I can see.  (On the other hand, certificate
hostname checks currently don't work properly for the DNS SRV case, so I
suspect most people have added "--insecure" to the Emacs gnutls
configuration anyway.)

My best idea right now is to add a new configuration variable for
ignoring certificate hostname mismatch (global or per account?
global would be simpler, both to implement and to configure, but per
account might make sense if you have only one server with a stupid
certificate), and hack jabber-conn to use `open-network-stream' and
`gnutls-negotiate', taking this variable into account.  And hopefully
that should be easy to do for the STARTTLS case as well.

Thoughts, ideas and opinions are very welcome.
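The hostname-verification point in the message above, as an added illustration written for this page (Python rather than Emacs Lisp; it is not code from jabber.el, Emacs or the patch under discussion): for a STARTTLS session the reference identity is the domain part of the JID, the host that DNS SRV resolution pointed the client at is never a valid reference identity, and the proposed "ignore hostname mismatch" variable should turn a hard failure into a loudly reported acceptance rather than a silent one. The JID, SRV target and certificate name lists are constructed sample data; the function names are this example's own.

```python
"""Model of the certificate hostname check discussed in the thread.

Added example, not jabber.el code. The JID, SRV target and SAN lists
below are constructed sample data.
"""


def jid_domain(jid: str) -> str:
    """Return the domain part of a JID (localpart@domain/resource)."""
    at = jid.find("@")
    rest = jid[at + 1:] if at != -1 else jid
    return rest.split("/", 1)[0].rstrip(".").lower()


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style dNSName comparison (ASCII labels only, no IDNA).

    A wildcard is accepted only as the entire leftmost label, it must
    match exactly one label, and it must leave at least two literal
    labels: '*.example.org' is fine; '*.org', 'f*o.example.org' and
    'a.*.example.org' are rejected.
    """
    pattern = pattern.rstrip(".").lower()
    host = host.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if (p_labels[0] != "*" or len(p_labels) < 3
            or any("*" in label for label in p_labels[1:])):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_names_cover(san_dns_names, reference_identity: str) -> bool:
    """True if any SAN dNSName entry matches the reference identity."""
    return any(dns_name_matches(n, reference_identity) for n in san_dns_names)


def check_server_certificate(jid, srv_target, san_dns_names,
                             ignore_hostname_mismatch=False):
    """Decide whether to accept the server certificate for a STARTTLS session.

    Returns (accept, reason). The reference identity is always the JID
    domain; srv_target is only used to explain a mismatch. The
    ignore_hostname_mismatch flag models the global configuration
    variable proposed in the thread: a mismatch is then accepted, but
    the reason string still carries the warning so it can be logged.
    """
    expected = jid_domain(jid)
    if cert_names_cover(san_dns_names, expected):
        return True, f"certificate valid for {expected}"
    reason = (f"certificate names {sorted(san_dns_names)} do not cover {expected}"
              f" (SRV target {srv_target} is not a valid reference identity)")
    if ignore_hostname_mismatch:
        return True, "WARNING: hostname mismatch ignored by configuration; " + reason
    return False, reason


if __name__ == "__main__":
    # Constructed scenario: SRV for example.org points at a hosting provider
    # whose certificate only names the provider's own host.
    jid = "alice@example.org/laptop"
    srv_target = "xmpp1.hosting.example"
    print(check_server_certificate(jid, srv_target, ["xmpp1.hosting.example"]))
    print(check_server_certificate(jid, srv_target, ["*.example.org", "example.org"]))
    print(check_server_certificate(jid, srv_target, ["xmpp1.hosting.example"],
                                   ignore_hostname_mismatch=True))
```

The wildcard rules are deliberately strict: a certificate for `*.example.org` does not cover the bare `example.org` that a JID like `alice@example.org` requires, which is the kind of mismatch a user is tempted to paper over with a global "insecure" setting.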

David Engster | 17 Feb 17:43

Re: Supporting open-gnutls-stream

Magnus Henoch writes:
> David Engster <deng <at> randomsample.de> writes:
>
>> Emacs24-bzr can be compiled with native libgnutls support so that you no
>> longer depend on gnutls-cli being installed. I've attached a tiny patch
>> to make jabber.el support this.
>
> Thanks for the patch!  This is something I've been meaning to do for a
> long time.  I finally had time to look at your patch, and there's just
> one thing that makes me hesitate about committing it: the
> `open-gnutls-stream' function disables certificate host name checking,
> which strictly speaking makes jabber.el less secure than what's there
> now.

[...]

> My best idea right now is to add a new configuration variable for
> ignoring certificate hostname mismatch (global or per account?
> global would be simpler, both to implement and to configure, but per
> account might make sense if you have only one server with a stupid
> certificate), and hack jabber-conn to use `open-network-stream' and
> `gnutls-negotiate', taking this variable into account.  And hopefully
> that should be easy to do for the STARTTLS case as well.
>
> Thoughts, ideas and opinions are very welcome.

I think using gnutls-negotiate directly and letting the user choose to
ignore possible certificate errors is the way to go. I think the Gnus
guys do the same, or are at least planning to do so[1].  Of course it
would be better if this could be done per account, but if this is too
