[jdev] Why STARTTLS? [was: IMPORTANT www.jabber.org software listings]

Jefferson Ogata Jefferson.Ogata at noaa.gov
Mon Feb 25 19:42:59 CST 2008

On 2008-02-26 00:00, Alexander Gnauck wrote:
> Jefferson Ogata wrote:
>> How, exactly, do you know? I.e. what specific prenegotiation informs 
>> the XMPP server which domain certificate to use? Traditional STARTTLS 
>> (e.g. in ESMTP and LDAP), AFAIK, has no such provision; this would 
>> have to be an XMPP-specific augmentation.
> from the stream header which gets sent before TLS is established.

Interesting. So you're saying the server looks at the @to attribute in 
<stream> and chooses a certificate based on that value?

>> And how useful is this? The traditional place where polymorphic 
>> certificates have been desired is in HTTP servers, where running 
>> multiple SSL services requires an IP for each.
> You can host unlimited vhosts on the same IP with StartTLS which is a 
> big advantage. XMPP is much nicer in these scenarios than HTTP is.

Yes, it's an advantage. The size of the advantage varies with the IP 
space available to the server operator and the number of domains to be 

>> Do people actually do this with XMPP as well? Often?
> yes they do

Can you name two? I would be interested in examining this behavior.

Do servers supporting multiple certificates send server-to-server 
messages internally when a client from one domain sends a message to a 
client from another domain?

Jefferson Ogata <Jefferson.Ogata at noaa.gov>
NOAA Computer Incident Response Team (N-CIRT) <ncirt at noaa.gov>
"Never try to retrieve anything from a bear."--National Park Service
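As an added illustration (not code from this thread or from any XMPP server), here is what the selection Alexander describes could look like: read the @to attribute from the stream header that arrives before TLS and map it to a per-domain certificate, falling back to a default for unknown or missing domains. The header bytes, certificate paths and vhost table below are constructed for the example.

```python
import xml.parsers.expat
from typing import Optional

# Constructed vhost table: domain -> certificate file (hypothetical paths).
VHOST_CERTS = {
    "example.com": "/etc/xmpp/certs/example.com.pem",
    "example.net": "/etc/xmpp/certs/example.net.pem",
}
DEFAULT_CERT = "/etc/xmpp/certs/default.pem"

# Constructed opening of a client-to-server stream, as sent before STARTTLS.
# Note that the requested domain is readable on the wire at this point.
SAMPLE_HEADER = (
    b"<?xml version='1.0'?>"
    b"<stream:stream xmlns='jabber:client' "
    b"xmlns:stream='http://etherx.jabber.org/streams' "
    b"to='example.com' version='1.0'>"
)


def stream_header_to(data: bytes) -> Optional[str]:
    """Return the 'to' attribute of the opening <stream:stream>, or None.

    The stream header is not a complete XML document (the root element stays
    open for the whole session), so expat is fed incrementally and only the
    first start tag is inspected.
    """
    found = {}

    def start(name, attrs):
        if name == "stream:stream" and "to" not in found:
            found["to"] = attrs.get("to")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    try:
        parser.Parse(data, False)  # False: more stream data may follow
    except xml.parsers.expat.ExpatError:
        return None  # malformed header: treat as no domain requested
    return found.get("to")


def select_certificate(data: bytes) -> str:
    """Pick the certificate for the domain named in the stream header.

    Unknown or absent domains get the default certificate, so the handshake
    still completes and the client sees a plain hostname mismatch instead
    of a certificate belonging to an unrelated vhost.
    """
    domain = stream_header_to(data)
    if domain is None:
        return DEFAULT_CERT
    # Simple case-folding; a real server would also apply IDNA normalisation.
    return VHOST_CERTS.get(domain.lower(), DEFAULT_CERT)
```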
