[jdev] wildcards vs. multiple certs

Philipp Hancke fippo at goodadvice.pages.de
Thu Aug 27 00:14:16 CDT 2009

Peter Saint-Andre wrote:
> As a result, it is possible that admins might feel the need to request
> multiple Class 1 certs in order to deploy an XMPP service (if they are
> not able to obtain a Class 2 certificate). For example, at the
> jabber.org service we might use one Class 1 certificate for the domain
> name "jabber.org" and another Class 1 certificate for the domain name
> "conference.jabber.org". This would require our XMPP server software to
> present the "jabber.org" certificate when a peer server attempts to open
> an s2s connection to the jabber.org domain, whereas it would present the
> "conference.jabber.org" certificate when someone from a peer server
> attempts to join a chatroom at the conference.jabber.org MUC service. I
> do not know of any XMPP server software that can present two (or more)
> different certs for s2s connections depending on the domain name
> specified by the peer server.

This is how Matthias implemented s2s TLS in jabberd.

> How would current servers handle this? Do we really need to worry about

Nobody cares about the content of s2s certificates when connecting to a
remote domain. Therefore nobody bothers to present the right certificate.
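The per-domain selection Peter describes (present the "jabber.org" cert for one stream, the "conference.jabber.org" cert for another) and the thread's subject line (a wildcard cert versus several single-name ones) both come down to one question: does a certificate's name cover the domain the peer asked for? The following is an added example, not code from jabberd or from either poster, showing a cert store lookup by requested domain and the RFC 6125 style wildcard rule (a `*` may only be the whole leftmost label and matches exactly one label). The store, the file labels and the `CertEntry` type are constructed for the example; a real server would load them from its configuration. The same `name_matches` check is what the connecting side would run against the certificate a remote server presents, which is exactly the verification the reply says nobody bothers with.

```python
"""Pick the certificate to present for an s2s stream from the domain the
peer requested, and decide whether a certificate's names cover a domain.

Added example: the certificate store below is a constructed in-memory table
with hypothetical file labels, not a real server's configuration.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CertEntry:
    label: str                 # hypothetical file label, e.g. "jabber.org.pem"
    names: Tuple[str, ...]     # dNSName values the certificate carries


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style matching for one certificate name against a domain.

    A wildcard is accepted only as the entire leftmost label, it must be
    followed by at least two more labels (no bare "*.org"), and it matches
    exactly one label: "*.jabber.org" covers "conference.jabber.org" but
    neither "jabber.org" nor "a.b.jabber.org".
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False          # partial wildcard ("f*o.example") or too short
    if len(p_labels) != len(h_labels):
        return False          # wildcard never spans more than one label
    return p_labels[1:] == h_labels[1:]


def select_cert(store: List[CertEntry], requested: str) -> Optional[CertEntry]:
    """Prefer an exact name, then a wildcard match.

    Returns None when nothing in the store covers the requested domain; the
    server should then decline TLS for that stream rather than present a
    certificate issued for some other name.
    """
    wanted = requested.lower().rstrip(".")
    for cert in store:
        if any(n.lower().rstrip(".") == wanted for n in cert.names):
            return cert
    for cert in store:
        if any(name_matches(n, wanted) for n in cert.names):
            return cert
    return None


# Constructed store: two single-name certs (the "two Class 1 certs" case
# from the quoted mail) and one wildcard cert for a different domain.
STORE = [
    CertEntry("jabber.org.pem", ("jabber.org",)),
    CertEntry("conference.jabber.org.pem", ("conference.jabber.org",)),
    CertEntry("wildcard.example.net.pem", ("*.example.net",)),
]


def presented_for(requested: str) -> Optional[str]:
    """Label of the certificate the server would present for `requested`."""
    cert = select_cert(STORE, requested)
    return cert.label if cert else None


if __name__ == "__main__":
    for domain in ("jabber.org", "conference.jabber.org",
                   "muc.example.net", "example.net", "a.b.example.net"):
        print(f"{domain:24} -> {presented_for(domain)}")
```

Note that the wildcard cert does not cover its own base domain (`example.net`) or anything two labels deep, so a wildcard is not a drop-in replacement for a single-name cert on the bare domain; a service that answers for both "jabber.org" and "conference.jabber.org" needs either two certs selected as above or one cert listing both names.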


