[jdev] X.509 clientAuth and serverAuth bits in s2s TLS
stpeter at stpeter.im
Mon Jan 26 15:25:16 CST 2009
[Please send follow-ups to the security at xmpp.org list.]
In certificates used for web servers, it is possible to set the
clientAuth and serverAuth bits in certs offered by a browser or a web
Life is a little more complicated in XMPP because an XMPP server can act
as a TLS client for server-to-server (s2s) connections. That is, the
XMPP server that initiates the s2s connection acts as a TLS client and
the XMPP server that receives the s2s connection acts as a TLS server.
Therefore an XMPP server can act as either a TLS client or a TLS server.
My question is: do any XMPP server codebases (or the TLS libraries they
use) depend on inclusion of the clientAuth or serverAuth bits in order
to function properly? The problem I foresee is that an XMPP server might
fail on an attempt to encrypt an s2s connection if the cert presented by
the peer server does not include the clientAuth or serverAuth bit.
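The check implied above, as an added example that is not part of the original post or of any XMPP server codebase: a minimal DER reader for the Extended Key Usage extension value (RFC 5280 section 4.2.1.12), plus a policy function that decides whether a peer's EKU fits the TLS role it plays on the s2s link. Per RFC 5280, a certificate with no EKU extension, or one carrying anyExtendedKeyUsage, is unrestricted; only when EKU is present and lists neither that nor the role's bit does it fail. The EKU byte strings are constructed here for the example; the function names are this example's own.

```python
"""Does a peer certificate's Extended Key Usage fit its TLS role on an
XMPP s2s connection?  Added example, not code from the original post.
Only the EKU extension value is parsed (a small DER TLV reader); the
EKU values used in __main__ are constructed for the example."""

OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"   # id-kp-clientAuth
OID_ANY_EKU = "2.5.29.37.0"             # anyExtendedKeyUsage (RFC 5280 4.2.1.12)


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        # base-128, most significant group first, continuation bit on all but the last
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    assert len(body) < 128  # short-form length is enough for these OIDs
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(body):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # last byte of this sub-identifier
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(data, pos):
    """Read one DER TLV at pos; returns (tag, value_bytes, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:             # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def encode_eku(oids):
    """Build an ExtKeyUsageSyntax value: SEQUENCE OF OBJECT IDENTIFIER."""
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(body)]) + body


def parse_eku(ext_value):
    """Parse an ExtKeyUsageSyntax value into a list of dotted OIDs."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("EKU extension value is not a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE member is not an OID")
        oids.append(decode_oid(body))
    return oids


def peer_eku_acceptable(eku, peer_role):
    """eku: OIDs from the peer cert's EKU extension, or None if the extension
    is absent.  peer_role: 'server' when we initiated the s2s stream (the
    peer is the TLS server), 'client' when we received it (the peer is the
    TLS client).  No EKU, or anyExtendedKeyUsage, means unrestricted."""
    if eku is None or OID_ANY_EKU in eku:
        return True
    needed = OID_SERVER_AUTH if peer_role == "server" else OID_CLIENT_AUTH
    return needed in eku


def own_cert_fit_for_s2s(eku):
    """An XMPP server's own cert is used in both TLS roles, so it must
    satisfy the check for both: both bits, no EKU at all, or anyEKU."""
    return peer_eku_acceptable(eku, "server") and peer_eku_acceptable(eku, "client")


if __name__ == "__main__":
    # Constructed EKU values: a typical web-server cert vs. one minted for s2s.
    web_only = parse_eku(encode_eku([OID_SERVER_AUTH]))
    s2s_cert = parse_eku(encode_eku([OID_SERVER_AUTH, OID_CLIENT_AUTH]))
    for name, eku in [("serverAuth only", web_only), ("both bits", s2s_cert), ("no EKU", None)]:
        print(f"{name:16} peer-as-server={peer_eku_acceptable(eku, 'server')} "
              f"peer-as-client={peer_eku_acceptable(eku, 'client')} "
              f"own-s2s-fit={own_cert_fit_for_s2s(eku)}")
```

The serverAuth-only case is the one the post worries about: such a certificate validates fine when that server receives an s2s connection but, under a strict EKU check, is rejected when the same server initiates one and therefore appears as a TLS client.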