Copyright © 2010 Collabora Limited This library is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details. You should have received a copy of the GNU Lesser General Public License along with this library; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. (as stable API)

A channel type that carries a TLS certificate between a server and a client connecting to it.

Channels of this kind always have Requested = False, TargetHandleType = None and TargetHandle = 0, and cannot be requested with methods such as CreateChannel. Also, they SHOULD be dispatched while the Connection owning them is in the CONNECTING state.

In this case, handlers SHOULD accept or reject the certificate, using the relevant methods on the provided object, or MAY just Close the channel before doing so, to fall back to a non-interactive verification process done inside the CM.

For example, channels of this kind can pop up while a client is connecting to an XMPP server.

A TLSCertificate containing the certificate chain as sent by the server, and other relevant information.

The hostname or domain that the user expects to connect to. Clients SHOULD use the ReferenceIdentities property to verify the identity of the certificate. Clients MAY display this hostname to the user as the expected identity. Clients SHOULD use this property to look up pinned certificates or other user preferences for the connection.

If this property is not present, clients SHOULD use the Hostname property as the reference identity to validate server certificates against.

The identities of the server we expect ServerCertificate to certify; clients SHOULD verify that ServerCertificate matches one of these identities when checking its validity.

This property MUST NOT be the empty list; it MUST contain the value of the Hostname property. All other identities included in this property MUST be derived from explicit user input or choices, such as Parameters passed to RequestConnection.

The primary use for this property is for XMPP services hosted by Google Apps. When connecting to Google Talk using an @gmail.com JID, the server correctly presents a certificate for gmail.com; however, for domains hosted via Google Apps, a certificate for talk.google.com is offered, due to unresolved technical limitations.

If the user has explicitly chosen to create a Google Talk account, then trusting a certificate for talk.google.com is reasonable. To handle this case, the connection manager may add the values of any or all of the server, fallback-server and extra-identities parameters; the Google Talk account creation user interface may set these parameters appropriately, or the user may set them for accounts with other services.
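The client-side check the Hostname and ReferenceIdentities properties describe, written out as an added example that is not part of the Telepathy specification or of any connection manager: ReferenceIdentities is rebuilt from Hostname plus the server, fallback-server and extra-identities parameters, and a certificate is accepted only if one of its DNS names certifies one of those identities. The certificate names and parameters are constructed; nothing is read from D-Bus or from a real ServerCertificate.

```python
"""Verify a ServerTLSConnection certificate against ReferenceIdentities.

Constructed example: in a real handler the DNS names would be taken from
the ServerCertificate's certificate chain and the identities from the
channel's Hostname / ReferenceIdentities properties.
"""


def build_reference_identities(hostname, params):
    """Mirror what the connection manager is permitted to do: Hostname is
    mandatory and always present; every other identity comes only from
    explicit account parameters (server, fallback-server, extra-identities)."""
    if not hostname:
        raise ValueError("Hostname is required and ReferenceIdentities MUST contain it")
    identities = [hostname.lower()]
    candidates = [params.get("server"), params.get("fallback-server")]
    candidates += list(params.get("extra-identities", ()))
    for name in candidates:
        if name and name.lower() not in identities:
            identities.append(name.lower())
    return identities


def _name_matches(pattern, identity):
    """RFC 6125-style DNS-ID comparison: case-insensitive, '*' allowed only
    as the entire left-most label, and never for patterns as broad as '*.com'
    (at least three labels are required), so a wildcard cannot cover
    a public suffix."""
    pattern, identity = pattern.lower().rstrip("."), identity.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == identity
    p_labels, i_labels = pattern.split("."), identity.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(i_labels):
        return False
    return p_labels[1:] == i_labels[1:]


def certificate_matches(cert_dns_names, reference_identities):
    """Return the reference identity the certificate certifies, or None.
    A handler should only call Accept on the certificate when this is not None;
    an empty ReferenceIdentities list violates the spec and is rejected."""
    if not reference_identities:
        raise ValueError("ReferenceIdentities MUST NOT be the empty list")
    for identity in reference_identities:
        if any(_name_matches(name, identity) for name in cert_dns_names):
            return identity
    return None


if __name__ == "__main__":
    # Google Apps case from the text: the account's Hostname is the hosted
    # domain, but the server presents a certificate for talk.google.com.
    ids = build_reference_identities("example.com", {"server": "talk.google.com"})
    print(ids, certificate_matches(["talk.google.com"], ids))
```

Without the server parameter the same certificate yields None, which is exactly the case where the handler should reject or Close the channel rather than Accept.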