TLS certificate name check should depend on JID domain

[ivucica]

Bevor you create a new issue:

- [x] I searched for similar issues and did not find one
- [x] I'm using the latest version available in the [Windows Store](https://www.microsoft.com/store/apps/9NW16X9JB5WV)

I'm submitting a...:

• Bug report (I searched for similar issues and did not find one)

Current behavior:

There are some awesome TLS options that I haven't otherwise seen in other clients (presumably because #28). Thanks!

However, I hardcoded name somehostname.example.com in place of having the client do SRV lookup on example.com for [email protected].

I ended up with TLS cert not being accepted and having to turn hostname validation off.

I need to use somehostname.example.com as SRV lookup doesn't seem to work, possibly due to some IPs in the A or AAAA record not working? The client is stuck in the 'Unknown' state.

Expected behavior:

TLS cert should probably be accepted even if it's an HTTP cert issued for example.com, if that's the domainpart of the JID.

Minimal reproduction of the problem with instructions:

1. Use a generic letsencrypt cert valid for example.com, www.example.com and name.example.com with Prosody.
2. Use jid [email protected].
3. Manually specify ipv4only.example.com as your hostname.
4. Client refuses to connect despite cert being valid for example.com.

Environment:

App Version(s): 
v.X.Y.Z <!-- Which version of the App are you using (e.g. v.0.2.0) -->

Windows 10 Version Number: <!-- https://en.wikipedia.org/wiki/Windows_10_version_history -->
- [ ] 1809
- [ ] 1803
- [ ] 1709
- [ ] 1703
- [ ] 1607
- [ ] 1511
- [ ] 1507
- [ ] Insider Build (build number: )
- [x] Misc: 1909

Device form factor:
- [x] Desktop
- [ ] Mobile
- [ ] Xbox
- [ ] Surface Hub

Where did you got the APP from?
- [x] [Windows Store](https://www.microsoft.com/store/apps/9NW16X9JB5WV)
- [ ] Self-build, using a provided release source
- [ ] Self-build, repo cloned at [dd.mm.yyy] <!-- When did you clone the repo! -->
- [ ] Misc, got it from... <!-- Please tell us your source! -->

[COM8]

Hmm...
This is an interesting behaviour I did not expect to happen.
I will have a look at it.

Thanks for reporting!

[COM8]

Would an option for enabling this behavior be sufficient, or should UWPX, as soon as validation with the hostname (e.g. ipv4only.example.com) try to validate the cert for the domain JID name (e.g. example.com)?

[COM8]

@KingKili any thoughts, if this could be exploited somehow?

[COM8]

@ivucica the wird thing is, UWPX should not get stuck in the connecting state...
Do you mind trying to connect again, while logging is set to DEBUG (Settings -> Misc -> Log-Level).

And then upload the resulting logs.zip file here.
Be aware that you might want to cover up sensible information in your logs, before uploading them.

[KingKili]

@KingKili any thoughts, if this could be exploited somehow?

I don't think so. I would even say that in most cases the certificate for jid domain should be the correct one.

[COM8]

Cert. validation should be fixed and will be included in the next release.

[COM8]

@ivucica feel free to reopen this/a new issue if you have logs for the other issue ;)