websocket: default TLS config verifies wrong TLS certificate #259
Reference: mellium/xmpp#259
A report has been filed about a potential security issue in the `websocket` package. The default TLS configuration that is constructed if no user TLS config is provided verifies the domain of the websocket connection endpoint discovered via DNS TXT lookups instead of the domain on the original JID, meaning that any attacker that can spoof DNS can point the TXT record at their own domain and it will validate successfully.
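The failure mode described in the report, as an added example that is not code from mellium/xmpp. It builds two `tls.Config` values from a JID domain and a WebSocket URL that stands in for the endpoint learned from a DNS TXT record: one that sets `ServerName` from the discovered URL (the reported behaviour) and one that sets it from the JID domain. The names `vulnerableTLSConfig`, `fixedTLSConfig`, `verifyWith` and `runScenario`, the domains `example.net` and `attacker.example`, and the in-process self-signed certificate (standing in for a publicly trusted certificate the attacker legitimately holds for their own domain) are all assumptions constructed for the example. `verifyWith` reproduces the hostname check `crypto/tls` performs by calling `x509.Certificate.Verify` with `DNSName` set to the config's `ServerName`, so the demonstration runs offline with no DNS or sockets.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// vulnerableTLSConfig mirrors the reported bug (hypothetical name): the name to
// verify is taken from the WebSocket endpoint discovered via DNS, so whoever
// controls the TXT record also chooses which certificate name is accepted.
func vulnerableTLSConfig(jidDomain string, discovered *url.URL) *tls.Config {
	return &tls.Config{ServerName: discovered.Hostname()}
}

// fixedTLSConfig (hypothetical name) pins verification to the domain part of
// the JID, which the user supplied and which DNS answers cannot change.
func fixedTLSConfig(jidDomain string, discovered *url.URL) *tls.Config {
	return &tls.Config{ServerName: jidDomain}
}

// selfSignedCert issues a self-signed certificate for dnsName. It is a
// constructed stand-in for a real, publicly trusted certificate.
func selfSignedCert(dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyWith performs the same hostname check crypto/tls would run during the
// handshake for cfg: the presented leaf must chain to roots and carry
// cfg.ServerName as a SAN.
func verifyWith(cfg *tls.Config, leaf *x509.Certificate, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   cfg.ServerName,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// runScenario models a user with JID alice@example.net whose TXT lookup has
// been spoofed to point at attacker.example, a host the attacker controls and
// holds a valid certificate for. It reports whether each config accepts that
// certificate.
func runScenario() (vulnerableAccepts, fixedAccepts bool, err error) {
	const jidDomain = "example.net"
	discovered, err := url.Parse("wss://attacker.example/xmpp-websocket")
	if err != nil {
		return false, false, err
	}
	attackerCert, err := selfSignedCert("attacker.example")
	if err != nil {
		return false, false, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(attackerCert)

	vulnerableAccepts = verifyWith(vulnerableTLSConfig(jidDomain, discovered), attackerCert, roots) == nil
	fixedAccepts = verifyWith(fixedTLSConfig(jidDomain, discovered), attackerCert, roots) == nil
	return vulnerableAccepts, fixedAccepts, nil
}

func main() {
	v, f, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("vulnerable config accepts attacker's certificate: %v\n", v)
	fmt.Printf("fixed config accepts attacker's certificate:      %v\n", f)
}
```

The check worth carrying into a review of any similar client: whatever hostname ends up in `tls.Config.ServerName` (or in the `DNSName` passed to `x509.VerifyOptions`) must come from the identity the user asked to connect to, not from data obtained over an unauthenticated channel such as a plain DNS TXT lookup or an HTTP redirect. Pinning to the JID domain means a spoofed record can still redirect the TCP connection, but the attacker then has to present a certificate for `example.net`, which they do not have.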