[jdev] Interop Preparation
fippo at goodadvice.pages.de
Thu Nov 18 01:38:01 CST 2010
>> bear wrote:
>>> We will be setting up a test domain and will be providing a CA, so
>>> each server would:
>>> - have an issued Certificate(s)
> 2010/11/10 Philipp Hancke<fippo at goodadvice.pages.de>:
>> Testing cases where it should not work (like revoked certificates) is more
>> interesting than making sure things work. Testing the verification of
>> domain-based application service identity would be nice, too.
> For that additional testing, the XSF could provide also wrong certs:
> one revoked, another for a dummy domain, etc. And then the server
> administrators setup additional vhosts which use those certs.
That requires two modes of operation for the servers:
- oh-yeah-tls-is-so-cool: Basically the normal mode of operation as
currently used on "the public network" where servers ignore revoked
(expired, ...) certs or the mismatch of the certificate for "dummy domain".
- tls-as-defined-in-the-specs: if a server connects to another server
and does not get a valid and trusted certificate for the expected peer
domain it will disconnect. Additionally, that server will not allow
another server to use dialback, but require XEP 0178 style authentication.
Do we bother with testing dialback, too?
Dave: if you could generate certificates signed by an intermediate CA
that would be nice to test if servers actually send the whole chain.
More information about the JDev