[Operators] SSL certificates / private CAs / CACert issue

Philipp Hancke fippo at goodadvice.pages.de
Mon Dec 17 06:50:24 UTC 2012

> We already had some 'excessive' discussion about it with Peter
> Saint-Andre this year and didn't 'solve' it. The only outcome of it was
> that the Jabber.sk service is still not listed in the list of public
> services and the only reason is that it's using certificate signed by
> our internal CA. I did accept that and gave Peter more time to think
> about it as it doesn't harm our service at all.

Peter doesn't have a moral high ground on that topic given that xmpp.org 
(and muc.xmpp.org, hello council :-)) is running with a self-signed 
certificate that
a) doesn't contain xmpp.org or muc.xmpp.org (see RFC 6125)
b) has expired in October 2010
Maybe public shaming helps :-p

> Now let me fall into the situation with SSL certificates in the XMPP
> world in more details.
> Just some months before (and it looks like that also these times) the
> CACert wasn't recognised as an publicly trusted CA by Mozilla foundation
> [2] (Opera and many more too) because they didn't pass their auditing.
> But at those times almost all of the jabber servers and clients already
> accepted certificates signed by them as 'secure'. Looks like that XMPP

XMPP servers tend to accept anything as "usable" for doing TLS 
encryption. Back in 2007 I had no problems using a revoked certificate 
(for authentication) either.
See http://mail.jabber.org/pipermail/standards/2007-July/016086.html
I recall repeating this this year with similar results.

 > I would like to give a chance to run any XMPP server with
 > certificates signed by their private CA without any message rejection.

DANE and POSH might help.

More information about the Operators mailing list