[jdev] Interop Preparation
dave at cridland.net
Thu Nov 18 05:08:57 CST 2010
On Thu Nov 18 07:38:01 2010, Philipp Hancke wrote:
> Badlop wrote:
>>> bear wrote:
>>>> We will be setting up a test domain and will be providing a CA,
>>>> each server would:
>>>> - have an issued Certificate(s)
>> 2010/11/10 Philipp Hancke<fippo at goodadvice.pages.de>:
>>> Testing cases where it should not work (like revoked
>>> certificates) is more
>>> interesting than making sure things work. Testing the
>>> verification of
>>> domain-based application service identity would be nice, too.
>> For that additional testing, the XSF could provide also wrong
>> one revoked, another for a dummy domain, etc. And then the server
>> administrators setup additional vhosts which use those certs.
> That requires two modes of operation for the servers:
> - oh-yeah-tls-is-so-cool: Basically the normal mode of operation as
> currently used on "the public network" where servers ignore revoked
> (expired, ...) certs or the mismatch of the certificate for "dummy
Different servers do, and do not do, CRL checking. M-Link R14.6 does
not, whereas M-Link R15.0 can do (if asked). I don't think servers
trust incorrect or expired certificates ever, do they?
> - tls-as-defined-in-the-specs: if a server connects to another
> server and does not get a valid and trusted certificate for the
> expected peer domain it will disconnect. Additionally, that server
> will not allow another server to use dialback, but require XEP 0178
> style authentication.
You can even place M-Link in such a mode, but it'll continue to
accept a trusted certificate that's been revoked, but won't allow it
to be used for authentication. In addition, you can require (from
some or all peers) that a trusted, unrevoked, valid certificate is to
be presented prior to authentication.
> Do we bother with testing dialback, too?
May as well. If anyone is doing dialback-without-dialback, I'd be
> Dave: if you could generate certificates signed by an intermediate
> CA that would be nice to test if servers actually send the whole
I'm not generating the certificates, but yes, that should be possible.
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
More information about the JDev