[Operators] IM Observatory @ xmpp.net

Phil Pennock xmpp-operators+phil at spodhuis.org
Mon Nov 4 05:04:54 UTC 2013


On 2013-11-03 at 18:01 -0800, Peter Kieser wrote:
> Shouldn't the SSL certificate CN match the hostname listed in the "IN 
> SRV" record, since that's the hostname a S2S connection will open to.

Not unless the peer server's operator is publishing DNSSEC records for
the domain and the connection initiating server is using a trusted
validating resolver (or validating itself) and checking that the data
from DNS is actually secure.

Otherwise, the name you're validating is insecure, as an attack on DNS
would change the hostname in the SRV record to xmpp.evil.tld and the
evil.tld operators could have a legitimate, trusted CA, certificate for
their own hostname.

_If_ you have DNSSEC setup, to the point where you can use DANE, then
yes under the DANE rules you'd use the hostname from the SRV record, to
better support service hosting.

Hrm, think I only support the DANE approach, which could be an issue,
and not seeing how to decode the xmppAddr entries in the SAN field of
the cert, and failed to keep notes of how I generated it.  Fail.  :(

-Phil


More information about the Operators mailing list