[Operators] No, not the hostname in CN. - Re: IM Observatory @ xmpp.net

Kim Alvefur zash at zash.se
Mon Nov 4 13:09:19 UTC 2013

On 2013-11-04 03:01, Peter Kieser wrote:
> Shouldn't the SSL certificate CN match the hostname listed in the "IN
> SRV" record, since that's the hostname a S2S connection will open to.

No!  The domain should match a subjectAltName.  Ignore hostnames, ignore

Exceptions are either fallbacks that you should not strive for, or DNA /
DNSSEC / DANE related things that are not widely implemented or deployed.

See also:



Kim "Zash" Alvefur

This misconception, where does it come from?

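The check described in the message above, as an added example that is not part of the original post: the certificate is matched against the XMPP domain through its subjectAltName entries, and the SRV target hostname and the subject CN play no part. It assumes certificates in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, handles only dNSName entries, and uses constructed names throughout.

```python
# Added example. Certificates are constructed dicts in the shape returned by
# ssl.SSLSocket.getpeercert(); every domain and hostname here is made up.

def _dns_name_matches(pattern: str, name: str) -> bool:
    """Compare one presented dNSName against the reference domain."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n):
        return False
    # Only a whole left-most label may be a wildcard ("*.example.org").
    if p[0] == "*":
        return len(p) > 2 and p[1:] == n[1:]
    return p == n


def cert_matches_xmpp_domain(cert: dict, xmpp_domain: str) -> bool:
    """True if a dNSName subjectAltName covers the XMPP service domain.

    The SRV target host is deliberately not a parameter, and the subject
    CN is never consulted (this example is strict: no CN fallback).
    """
    sans = cert.get("subjectAltName", ())
    return any(kind == "DNS" and _dns_name_matches(value, xmpp_domain)
               for kind, value in sans)


XMPP_DOMAIN = "example.org"               # the domain in the JIDs (constructed)
SRV_TARGET = "xmpp1.hosting.example.net"  # _xmpp-server SRV target (constructed)

# SAN names the XMPP domain; the CN happens to be the SRV target host.
DOMAIN_SAN_CERT = {
    "subject": ((("commonName", SRV_TARGET),),),
    "subjectAltName": (("DNS", "example.org"),),
}
# SAN names only the SRV target host: not valid for example.org.
HOST_SAN_CERT = {
    "subject": ((("commonName", SRV_TARGET),),),
    "subjectAltName": (("DNS", SRV_TARGET),),
}
# Domain appears only in the CN, with no subjectAltName at all.
CN_ONLY_CERT = {"subject": ((("commonName", "example.org"),),)}

if __name__ == "__main__":
    for label, cert in [("domain in SAN", DOMAIN_SAN_CERT),
                        ("SRV host in SAN", HOST_SAN_CERT),
                        ("domain in CN only", CN_ONLY_CERT)]:
        print(label, "->", cert_matches_xmpp_domain(cert, XMPP_DOMAIN))
```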