[jdev] Interop Preparation

Philipp Hancke fippo at goodadvice.pages.de
Thu Nov 18 01:38:01 CST 2010

Badlop wrote:
>> bear wrote:
>>> We will be setting up a test domain and will be providing a CA, so
>>> each server would:
>>>   - have an issued Certificate(s)
> 2010/11/10 Philipp Hancke<fippo at goodadvice.pages.de>:
>> Testing cases where it should not work (like revoked certificates) is more
>> interesting than making sure things work. Testing the verification of
>> domain-based application service identity would be nice, too.
> For that additional testing, the XSF could provide also wrong certs:
> one revoked, another for a dummy domain, etc. And then the server
> administrators setup additional vhosts which use those certs.

That requires two modes of operation for the servers:
- oh-yeah-tls-is-so-cool: Basically the normal mode of operation as 
currently used on "the public network" where servers ignore revoked 
(expired, ...) certs or the mismatch of the certificate for "dummy domain".

- tls-as-defined-in-the-specs: if a server connects to another server 
and does not get a valid and trusted certificate for the expected peer 
domain it will disconnect. Additionally, that server will not allow 
another server to use dialback, but require XEP 0178 style authentication.

Do we bother with testing dialback, too?

Dave: if you could generate certificates signed by an intermediate CA 
that would be nice to test if servers actually send the whole chain.



More information about the JDev mailing list