[Operators] SSL certificates / private CAs / CACert issue

Philipp Hancke fippo at goodadvice.pages.de
Thu Mar 21 06:44:43 UTC 2013

On Thu, 21 Mar 2013, Peter Viskup wrote:
> Dear all,
> let me share the list of XMPP servers which use 'not secure' SSL certs on 
> port 5223:

openssl has starttls for xmpp so you could try that on port 5222.
It apparently supports s2s now, too. Or there is a patch that makes it 
capable of doing s2s.

> CN is the common name of the issuer of that cert. I didn't perform a deeper 
> analysis. This is just an incomplete view of the issue with the servers not 
> using [CACert,StartSSL]-signed certs.
> I wasn't able to get the certs from all servers and filtered all with an issuer 
> matching one of these "/CAcert|StartCom|CA Cert|Thawte|RapidSSL/".

You also need to look at other fields, most notably dNSName and attempt to
match it against the target name you wanted to connect to using the rules
from RFC 6125.

> Checked 213 servers (list from jabberes.org or coccinella stats) and got SSL 
> info on port 5223 from only 94 servers (openssl s_client), and 20 of them have 
> 'wrong' certs installed.

> Hope this helped to see the reality a little (as it is not complete :-) ).
> It would be great to have a closer look at the reality with more information.

Well, TLS usage is a mess. Welcome to nobody cares.

I really wonder where I have the script I used five years ago...

