[Operators] server certs for XMPP and SIP

Peter Saint-Andre stpeter at stpeter.im
Mon Jan 30 02:33:52 UTC 2012

On 1/28/12 5:20 AM, Peter Viskup wrote:
> On 01/27/2012 11:59 PM, Daniel Pocock wrote:
>> It found the DNSName entries but ignored everything else
>> Could you also comment on what I should use for `commonName' when I'm
>> using subjectAltName?  Should commonName just repeat one of the other
>> names?  Should it be the hostname where the cert is installed (e.g.
>> bighost.example.com) or is there some other recommendation, or it just
>> doesn't matter?
> It doesn't matter.
>> [ subject_alternative_name ]
>> DNS.0                             = example1.com
>> otherName.0                       = SRVName;IA5STRING:_xmpp-server.example1.com
> Have a look at this discussion, it could help you:
> http://mail.jabber.org/pipermail/standards/2008-June/018978.html
> I just found this:
> http://tools.ietf.org/html/draft-ietf-xmpp-dna-01
> The TLS feature "Server Name Indication" will solve all the described
> issues with certificate requests.
> How far is that draft in the process of standardization at the IETF and is
> there any XMPP server supporting this? OpenSSL version 0.9.8j and higher
> supports this and it was released on the 7th of January 2009...

In fact that's already mentioned in RFC 6120:



However, in XMPP we already can provide that information in the 'to'
address of the stream header, so there's no strong reason to mandate
support for SNI in XMPP applications.


Peter Saint-Andre
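
The point about the 'to' address, shown as an added example that is not part of the original message or of any XMPP server's code: a receiving server reads the domain from the stream header that arrives before STARTTLS and uses it to choose a certificate, which is the job SNI does elsewhere. The vhost table, certificate paths and size cap are assumptions, and the header is constructed sample input.

```python
import xml.etree.ElementTree as ET

STREAM_TAG = "{http://etherx.jabber.org/streams}stream"
MAX_HEADER_BYTES = 4096  # assumption: cap on pre-TLS bytes we agree to parse

# Hypothetical virtual-host table: served domain -> (certificate, key) paths.
VHOST_CERTS = {
    "example1.com": ("/etc/xmpp/certs/example1.com.crt",
                     "/etc/xmpp/certs/example1.com.key"),
    "example2.com": ("/etc/xmpp/certs/example2.com.crt",
                     "/etc/xmpp/certs/example2.com.key"),
}

# Constructed sample: opening stream header from a peer server, sent in
# cleartext before TLS is negotiated (the element is left open on purpose).
SAMPLE_HEADER = (
    b"<?xml version='1.0'?>"
    b"<stream:stream from='example2.com' to='Example1.COM' version='1.0' "
    b"xmlns='jabber:server' xmlns:stream='http://etherx.jabber.org/streams'>"
)

def stream_to_domain(header: bytes):
    """Return the normalized 'to' domain of a stream header, or None."""
    if len(header) > MAX_HEADER_BYTES or b"<!DOCTYPE" in header:
        return None  # oversized input or a DTD: refuse to parse
    parser = ET.XMLPullParser(events=("start",))
    try:
        parser.feed(header)
        for _event, elem in parser.read_events():
            if elem.tag != STREAM_TAG:
                return None  # first element must be <stream:stream/>
            to = elem.get("to")
            # ASCII-only normalization; IDN handling is out of scope here.
            return to.strip().rstrip(".").lower() if to else None
    except ET.ParseError:
        return None  # malformed XML or undeclared namespace prefix
    return None

def select_cert(header: bytes):
    """Pick (cert, key) for the requested domain; None means host-unknown."""
    # 'to' is unauthenticated peer input: use it only as a lookup key into
    # the configured table, never to build a file path.
    return VHOST_CERTS.get(stream_to_domain(header))

if __name__ == "__main__":
    print(select_cert(SAMPLE_HEADER))
```

A `None` result corresponds to answering with the `<host-unknown/>` stream error instead of presenting a certificate for a domain the server does not host.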
