= General Description =
Pidgin doesn't currently do any certificate verification for SSL. In order to properly do this and ensure security, a certificate manager (something like Mozilla's) needs to be added.

This is [wiki:wehlhard William Ehlhardt]'s project for [wiki:SummerOfCode2007 Summer of Code]

= Branch =
im.pidgin.soc.2007.certmgr

= Handy-dandy overview =
== SSL Ops additions ==

= Issues =
 * Jabber (and possibly others) use the purple_ssl_connect_fd function to build an SSL connection over a previously existing ProxyConnection. Since all the SSL side sees is the file descriptor in this case, hostname verification is impossible. (29 May)
 * talk.google.com gives back a gmail.com certificate?! (29 May)

= Resolved Issues =
 * It looks like PKCS12 (the certificate import/export format) is supported by both libNSS and GnuTLS.

= TODO =
 * General paranoia
 * Look at how the SILC prpl does its key management, especially the organization of the API used to check certs and interact with the user to verify them.
 * Add some way of passing useful error messages back up out of the SSL interface (23 May)
 * Fix purple_ssl_init in sslconn.c; it doesn't do anything (23 May)
  * Talking to nosnilmot suggests that this ought to just be removed outright (24 May)
 * Figure out libNSS everything. (25 May)
 * Why am I getting single-byte serial numbers from servers? (25 May)
 * Work out how to use Glib functions for time checking on certificates. (29 May)
 * Stall the timeouts on the TCP connection while waiting for user input on SSL? (29 May)
 * Worry about ensuring that plugins don't kill in-use ciphers/certschemes when unloaded? (29 May)

= Tasks done =
 * Figure out how to get key fingerprints out of GnuTLS (25 May, 25 May))

= Status =
== 25 May 2007 ==
Divergence point reached. With the addition of purple_base16_encode_chunked, my changes will force at least a minor version increment.
Slapped some code into the GnuTLS SSL plugin and looked at the certificate characteristics coming back. But why am I getting single-byte serial number values back? How large should these serial numbers be?

== 23 May 2007 ==
Using "Document the SSL interface as it exists now" as an excuse to build a branch and learn Doxygen
== 17 May 2007 ==
Reading documentation. Lots of it.

