Skip to content

Use device ID from client SSL certificate, not UDP packet

Vladimir Panteleev requested to merge vpanteleev/kdeconnect-kde:pull-20210925-125139 into master

Consider the following scenario:

  1. We send a UDP broadcast
  2. We receive a reply from 192.168.0.1 with device ID "foo"
  3. We connect to 192.168.0.1, and find that the device's certificate is actually for a different ID "bar". This could be because the packet did not actually originate from 192.168.0.1, or this host is malicious / malfunctioning.
  4. We remember that device ID "foo" has certificate with common name "bar".
  5. When we finally attempt to connect to the real device ID "foo", we reject their certificate (common name "foo"). We can now never successfully connect to "foo".

On some network (mis-)configurations, this completely prevents kdeconnectd from connecting to any peers, because a reply which is seen as originating from the local interface address will cause kdeconnectd to immediately connect to itself and remember its own certificate.

Address this by using the certificate display name of the peer, which will match the real device ID.

Merge request reports