[jdev] virtual hosting and certificate checking
dot at dotat.at
Wed Mar 1 13:48:29 CST 2006
On Wed, 1 Mar 2006, Peter Saint-Andre wrote:
> 2. Clients open TCP connections to shakespeare.lit (rather than
> denmark.lit etc.) but specify the desired virtual hostname in the 'to'
> address of the stream header, then check the certificate presented by
> the server as either 'shakespeare.lit' or 'denmark.lit' (etc.).
> Option #2 is not explicitly forbidden by RFC 3920 as far as I can see,
> because the phrase "the hostname as provided by the initiating entity"
> is ambiguous -- it could mean (a) the hostname at which the TCP
> connection was opened or (b) the hostname of the stream header's 'to'
> address. Naturally we'll need to clarify this in rfc3920bis, but my
> question now is: how do existing clients and servers handle this?
I had thought that #2 was the only possible way, because even in the
absence of virtual hosting you must be able to deal with server
components - which from the point of view of other servers are just
For example jabber.org and conference.jabber.org have the same IP address
but the server must present the appropriate certificate to other servers
when they starttls.
f.a.n.finch <dot at dotat.at> http://dotat.at/
FISHER: CYCLONIC 5 TO 7. SNOW SHOWERS. GOOD OCCASIONALLY POOR.
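The check option #2 implies, as an added example that is not code from the thread: the identity a client verifies is taken from the stream header's 'to' attribute, and the server's certificate must name that domain even though the TCP connection went to a different host. The stream header and SAN lists here are constructed sample data, and the matching rules (exact dNSName or a single-label leftmost wildcard) are a deliberate simplification.

```python
# Added example, not from the jdev thread: verify a virtual host's
# certificate against the stream header 'to' domain (option #2).
# Sample header and SAN lists are constructed, not captured traffic.
import xml.etree.ElementTree as ET

STREAMS_NS = "http://etherx.jabber.org/streams"

# Constructed: client connected to shakespeare.lit but asked for denmark.lit.
SAMPLE_HEADER = (
    "<?xml version='1.0'?>"
    "<stream:stream xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams' "
    "to='denmark.lit' version='1.0'>"
)
# Constructed dNSName SAN entries of the certificate the server presented.
SAMPLE_SAN_DNS_NAMES = ["shakespeare.lit", "denmark.lit"]


def stream_to_domain(stream_header: str) -> str:
    """Return the 'to' attribute of an (unclosed) <stream:stream> start tag."""
    parser = ET.XMLPullParser(events=("start",))
    parser.feed(stream_header)
    for _event, elem in parser.read_events():
        if elem.tag == "{%s}stream" % STREAMS_NS:
            to = elem.get("to")
            if not to:
                raise ValueError("stream header carries no 'to' attribute")
            return to.lower().rstrip(".")  # simplification: no IDNA handling
    raise ValueError("no <stream:stream> start tag found")


def dns_name_matches(cert_name: str, host: str) -> bool:
    """Exact match, or '*.' wildcard covering exactly one leftmost label."""
    cert_name = cert_name.lower().rstrip(".")
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]  # e.g. ".jabber.org"
        if not host.endswith(suffix):
            return False
        leftmost = host[: -len(suffix)]
        return leftmost != "" and "." not in leftmost
    return False


def certificate_valid_for_stream(san_dns_names, stream_header):
    """(ok, wanted): ok is True iff some SAN entry names the 'to' domain."""
    wanted = stream_to_domain(stream_header)
    return any(dns_name_matches(n, wanted) for n in san_dns_names), wanted


if __name__ == "__main__":
    print(certificate_valid_for_stream(SAMPLE_SAN_DNS_NAMES, SAMPLE_HEADER))
```

A certificate naming only shakespeare.lit fails this check for the same header, which is the case the thread is about; a server that is also conference.jabber.org needs that name in the SAN list as well.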