[jdev] Interop Preparation

Philipp Hancke fippo at goodadvice.pages.de
Thu Nov 18 12:49:53 CST 2010

Dave Cridland wrote:
> Different servers do, and do not do, CRL checking. M-Link R14.6 does
> not, whereas M-Link R15.0 can do (if asked). I don't think servers trust
> incorrect or expired certificates ever, do they?

I don't think any servers trust incorrect or expired certificates (or 
certificates where the subject does not match the streams from/to) in 
the sense that they allow them to be used for SASL EXTERNAL.
Dialback is used as a fallback in that case, so thing don't break.

Most servers do "trust" such certificates (in a TLS-optional) mode when 
connecting to a peer server in the sense that they continue to connect 
(which mean trusting DNS, not x509). Disconnecting and reconnecting 
without TLS would be rather silly.

That interpretation of "tls optional" has a rather nasty side-effect:
it decreases the number of valid and usable s2s certiciates, because 
nobody bothers to fix things (expired certificates, servers that fail to 
send the complete certificate chain up to the root) when it just works 
(TM) with jabber.org.

>> Do we bother with testing dialback, too?
> May as well. If anyone is doing dialback-without-dialback, I'd be
> interested.

I'll see if I can deploy a server with both dwd and bidi.

>> Dave: if you could generate certificates signed by an intermediate CA
>> that would be nice to test if servers actually send the whole chain.
> I'm not generating the certificates, but yes, that should be possible.



More information about the JDev mailing list