[Operators] server certs for XMPP and SIP

Peter Saint-Andre stpeter at stpeter.im
Mon Jan 30 02:33:52 UTC 2012


On 1/28/12 5:20 AM, Peter Viskup wrote:
> On 01/27/2012 11:59 PM, Daniel Pocock wrote:
>> It found the DNSName entries but ignored everything else
>>
>> Could you also comment on what I should use for `commonName' when I'm
>> using subjectAltName?  Should commonName just repeat one of the other
>> names?  Should it be the hostname where the cert is installed (e.g.
>> bighost.example.com) or is there some other recommendation, or it just
>> doesn't matter?
> It doesn't matter.
>> [ subject_alternative_name ]
>>
>> DNS.0                             = example1.com
>> otherName.0                       = SRVName;IA5STRING:_xmpp-server.example1.com
> Have a look at this discussion, it could help you:
> http://mail.jabber.org/pipermail/standards/2008-June/018978.html
> 
> I just found this:
> http://tools.ietf.org/html/draft-ietf-xmpp-dna-01
> the TLS feature "Server Name Indication" will solve all the described
> issues with certificate requests.
> How far is that draft in the process of standardization at IETF and is
> there any XMPP server supporting this? OpenSSL version 0.9.8j and higher
> supports this and it was released on the 7th of January 2009...

In fact that's already mentioned in RFC 6120:

http://xmpp.org/rfcs/rfc6120.html#streams-attr-to

http://xmpp.org/rfcs/rfc6120.html#tls-process-neg-rules

However, in XMPP we already can provide that information in the 'to'
address of the stream header, so there's no strong reason to mandate
support for SNI in XMPP applications.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
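The SAN layout quoted above (a dNSName plus an SRVName otherName) is what the peer has to verify against the XMPP domain; as an added example, not code from the thread or from any XMPP project, here is a stdlib-only Python sketch that constructs such a SAN value, decodes it with a minimal DER walker, and applies the RFC 6120 identity-matching rules. The DER blob is constructed inline; real code would take it from the peer certificate.

```python
# Added example (not from the thread): build a subjectAltName value with a
# dNSName and an SRVName otherName, decode it, and match it against an XMPP
# domain.  The DER is constructed here; real code reads it from the peer cert.
SRVNAME_OID = bytes.fromhex("2b06010505070807")   # 1.3.6.1.5.5.7.8.7, id-on-dnsSRV

def der(tag, body):
    """Encode one TLV; short-form length only (SAN values under 128 bytes)."""
    assert len(body) < 128, "long-form lengths not handled in this example"
    return bytes([tag, len(body)]) + body

def build_san(dns_names, srv_names):
    """SubjectAltName ::= SEQUENCE OF GeneralName; dNSName is [2], otherName [0]."""
    items = [der(0x82, n.encode("ascii")) for n in dns_names]
    for srv in srv_names:
        # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT IA5String }
        other = der(0x06, SRVNAME_OID) + der(0xA0, der(0x16, srv.encode("ascii")))
        items.append(der(0xA0, other))
    return der(0x30, b"".join(items))

def parse_san(blob):
    """Return [('DNS', name), ('SRV', name), ...]; other GeneralName kinds are skipped."""
    assert blob[0] == 0x30, "expected SEQUENCE"
    body, found = blob[2:2 + blob[1]], []
    while body:
        tag, length = body[0], body[1]
        content, body = body[2:2 + length], body[2 + length:]
        if tag == 0x82:                                   # dNSName
            found.append(("DNS", content.decode("ascii")))
        elif tag == 0xA0 and content.startswith(der(0x06, SRVNAME_OID)):
            wrapper = content[len(der(0x06, SRVNAME_OID)):]  # [0] EXPLICIT ...
            ia5 = wrapper[2:2 + wrapper[1]]                  # ... IA5String TLV
            found.append(("SRV", ia5[2:2 + ia5[1]].decode("ascii")))
    return found

def xmpp_identity_matches(san, domain, service="xmpp-server"):
    """True if the SAN asserts `domain` via an SRVName or dNSName entry."""
    # The CN is deliberately not consulted: once a SAN carries DNS-IDs or
    # SRV-IDs, RFC 6125 ignores the CN-ID, hence "commonName doesn't matter".
    domain = domain.lower()
    if f"_{service}.{domain}" in (v.lower() for t, v in san if t == "SRV"):
        return True
    for name in (v.lower() for t, v in san if t == "DNS"):
        if name == domain:
            return True
        # A wildcard matches exactly one left-most label (RFC 6125 §6.4.3).
        if name.startswith("*.") and domain.split(".", 1)[1:] == [name[2:]]:
            return True
    return False
```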