Comment 20 for bug 640018

Alex Wauck (awauck) wrote :

Bah! Take a look at item 8 in section 5.1 of the XMPP spec (http://xmpp.org/rfcs/rfc3920.html#tls):
"Certificates MUST be checked against the hostname as provided by the initiating entity (e.g., a user), not the hostname as resolved via the Domain Name System; e.g., if the user specifies a hostname of "example.com" but a DNS SRV (Gulbrandsen, A., Vixie, P., and L. Esibov, “A DNS RR for specifying the location of services (DNS SRV),” February 2000.) [SRV] lookup returned "im.example.com", the certificate MUST be checked as "example.com". If a JID for any kind of XMPP entity (e.g., client or server) is represented in a certificate, it MUST be represented as a UTF8String within an otherName entity inside the subjectAltName, using the [ASN.1] (CCITT, “Recommendation X.208: Specification of Abstract Syntax Notation One (ASN.1),” 1988.) Object Identifier "id-on-xmppAddr" specified in Section 5.1.1 (ASN.1 Object Identifier for XMPP Address) of this document."

In other words, when Empathy/Telepathy attempts to connect as <email address hidden>, it is right to check for a certificate for gappdomain.com instead of talk.google.com.

So, the real question here is this: should Empathy/Telepathy bend the rules here? I think it would be reasonable to accept a certificate for the domain specified in the Jabber ID _OR_ the server we are actually connecting to.
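The RFC 3920 section 5.1 rule quoted above, and the relaxation proposed in this comment, as an added example that is not part of the bug report or of Telepathy's code. It assumes the certificate's subjectAltName has already been parsed into a list of entries, and the SAN it checks is constructed to mirror the bug (a server presenting only talk.google.com while the user's JID is on gappdomain.com).

```python
from dataclasses import dataclass

# id-on-xmppAddr OID from RFC 3920 section 5.1.1 (id-on = 1.3.6.1.5.5.7.8, arc 5)
ID_ON_XMPP_ADDR = "1.3.6.1.5.5.7.8.5"


@dataclass(frozen=True)
class SanEntry:
    """One already-parsed subjectAltName entry (assumed shape, not a real library type)."""
    kind: str       # "dNSName" or "otherName"
    value: str      # the hostname, or the UTF8String carried by the otherName
    oid: str = ""   # only meaningful for otherName entries


def reference_identity(jid: str) -> str:
    """Domain the certificate MUST be checked against: the domainpart of the JID
    the user typed, never the host an SRV lookup resolved to."""
    domain = jid.split("@", 1)[-1].split("/", 1)[0]   # strip localpart and resource
    return domain.rstrip(".").lower()


def san_matches(entries, domain: str) -> bool:
    """True if any SAN entry names `domain`, as dNSName or id-on-xmppAddr otherName."""
    for e in entries:
        if e.kind == "dNSName" and e.value.rstrip(".").lower() == domain:
            return True
        if e.kind == "otherName" and e.oid == ID_ON_XMPP_ADDR:
            # xmppAddr may carry a bare domain or a full JID; compare its domainpart
            if reference_identity(e.value) == domain:
                return True
    return False


def certificate_acceptable(entries, jid: str, connected_host: str, lenient: bool = False) -> bool:
    """Strict mode is RFC 3920 item 8 (JID domain only). lenient=True adds the
    relaxation proposed in the comment: also accept the host actually connected to."""
    if san_matches(entries, reference_identity(jid)):
        return True
    return lenient and san_matches(entries, connected_host.rstrip(".").lower())


# Constructed SAN modelled on the bug: the server presents talk.google.com only.
GOOGLE_TALK_SAN = [SanEntry("dNSName", "talk.google.com")]

if __name__ == "__main__":
    for lenient in (False, True):
        ok = certificate_acceptable(GOOGLE_TALK_SAN, "user@gappdomain.com", "talk.google.com", lenient)
        print(f"lenient={lenient}: accepted={ok}")
```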