Closed
Hi developers:

Nowadays we made a large-scale security static analysis on several open source projects, and found some mistakes in libstrophe-0.8.8. In `src/Tls_openssl.c:68`:

```c
tls_t *tls_new(xmpp_ctx_t *ctx, sock_t sock)
{
    tls_t *tls = xmpp_alloc(ctx, sizeof(*tls));
    if (tls) {
        int ret;
        memset(tls, 0, sizeof(*tls));
        tls->ctx = ctx;
        tls->sock = sock;
        tls->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
        SSL_CTX_set_client_cert_cb(tls->ssl_ctx, NULL);
        SSL_CTX_set_mode(tls->ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
        /* no peer certificate verification: the handshake completes with any cert */
        SSL_CTX_set_verify(tls->ssl_ctx, SSL_VERIFY_NONE, NULL);
        tls->ssl = SSL_new(tls->ssl_ctx);
        [..]
    }
}
```

The parameter SSL_VERIFY_NONE here cannot configure this built-in certificate validation, so the handshake can continue even if the cert is invalid. We recommend you use SSL_VERIFY_PEER to guarantee the security. We have sent the bug report to Ubuntu Launchpad, and also inform you of such news. Here is the link:

https://bugs.launchpad.net/ubuntu/+source/libstrophe/+bug/1677511