[jdev] virtual hosting and certificate checking

Brian Campbell bacam at z273.org.uk
Wed Mar 1 14:57:55 CST 2006

On Wed, Mar 01, 2006 at 11:42:53AM -0700, Peter Saint-Andre wrote:
> There are two possibilities I can see.
> 1. Every time shakespeare.lit adds a new virtual host, it needs to
> generate a new certificate. This is a real pain because of how
> certificates are usually generated (e.g., now William Shakespeare needs
> to be a root contact for denmark.lit, montague.lit, etc.).

Well, he could also get a single certificate with a wildcard

> 2. Clients open TCP connections to shakespeare.lit (rather than
> denmark.lit etc.) but specify the desired virtual hostname in the 'to'
> address of the stream header, then check the certificate presented by
> the server as either 'shakespeare.lit' or 'denmark.lit' (etc.).
> Option #2 is not explicitly forbidden by RFC 3920 as far as I can see,
> because the phrase "the hostname as provided by the initiating entity"
> is ambiguous -- it could mean
> (a) the hostname at which the TCP connection was opened or

As far as I can see, this is only allowed if the hostname was explicitly
given by the user (or something acting on their behalf).  If you
resolved a SRV record, it's explicitly forbidden.  After all, you've
no reason to believe the DNS, and nothing other than the certificate to
link the domain you want with the server you've connected to.

> (b) the hostname of the stream header's 'to' address.

That's what I took it to mean.

The use of "hostname" in that bit of the XMPP RFC surprised me though.
Surely it's almost always a domain name, and you'll look up the


More information about the JDev mailing list