[Operators] No, not the hostname in CN. - Re: IM Observatory @ xmpp.net

Kim Alvefur zash at zash.se
Mon Nov 4 13:09:19 UTC 2013


On 2013-11-04 03:01, Peter Kieser wrote:
> Shouldn't the SSL certificate CN match the hostname listed in the "IN
> SRV" record, since that's the hostname an S2S connection will open to?

No!  The domain should match a subjectAltName.  Ignore hostnames, ignore
commonNames.

Exceptions are either fallbacks that you should not strive for, or DNA /
DNSSEC / DANE related things that are not widely implemented or deployed.

See also:

https://plus.google.com/+DaveCridland/posts/fAdAUa62rse

http://prosody.im/doc/certificates#which_domain

--
Regards,
Kim "Zash" Alvefur

PS:
This misconception, where does it come from?
DS;
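The matching rule the reply states (compare the XMPP domain against the subjectAltName, not the SRV target, and treat CN as a legacy fallback only) as an added example. This is editor-supplied Python, not code from the poster or from Prosody; it follows the identifier types from RFC 6120 section 13.7.2 / RFC 6125 (XmppAddr, SRVName, dNSName, then CN only when no SAN identifiers exist) and works on a simplified, constructed certificate record rather than a real parsed X.509 object. The domain names and the SRV target are constructed sample values.

```python
"""Which name in an XMPP server certificate has to match?

Reference identity: the XMPP domain (the name the SRV lookup started
from), never the hostname the SRV record points at.  Presented
identifiers are checked in this order (RFC 6120 / RFC 6125):
  1. otherName XmppAddr equal to the domain
  2. otherName SRVName "_xmpp-server.<domain>"
  3. dNSName equal to the domain, or a wildcard on the leftmost label
  4. CN, only if the certificate carries no SAN identifiers at all
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Cert:
    """Simplified certificate; real code gets these from the TLS stack."""
    common_name: Optional[str]
    dns_names: List[str] = field(default_factory=list)   # SAN dNSName
    xmpp_addrs: List[str] = field(default_factory=list)  # SAN otherName XmppAddr
    srv_names: List[str] = field(default_factory=list)   # SAN otherName SRVName


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def _dns_match(pattern: str, name: str) -> bool:
    """RFC 6125 dNSName match: exact, or '*' replacing the whole leftmost label."""
    pattern, name = _norm(pattern), _norm(name)
    if pattern == name:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = name.split(".")
        # '*.example.com' matches 'chat.example.com' but not 'example.com'
        # and not 'a.b.example.com'
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False


def match_xmpp_domain(cert: Cert, domain: str) -> Optional[Tuple[str, str]]:
    """Return (identifier_type, value) that matched the XMPP domain, or None."""
    domain = _norm(domain)
    for addr in cert.xmpp_addrs:
        if _norm(addr) == domain:
            return ("XmppAddr", addr)
    for srv in cert.srv_names:
        if _norm(srv) == "_xmpp-server." + domain:
            return ("SRVName", srv)
    for dns in cert.dns_names:
        if _dns_match(dns, domain):
            return ("dNSName", dns)
    # Legacy fallback: CN counts only when there are no SAN identifiers.
    if not (cert.xmpp_addrs or cert.srv_names or cert.dns_names):
        if cert.common_name and _dns_match(cert.common_name, domain):
            return ("CN-fallback", cert.common_name)
    return None


# --- constructed sample data -------------------------------------------
XMPP_DOMAIN = "example.com"                  # the domain in JIDs
SRV_TARGET = "xmpp1.hosting.example"         # what _xmpp-server._tcp points at

# The misconception: a cert issued for the SRV target host only.
CERT_FOR_SRV_TARGET = Cert(common_name=SRV_TARGET, dns_names=[SRV_TARGET])
# What the reply asks for: a SAN for the XMPP domain itself.
CERT_FOR_DOMAIN = Cert(common_name=SRV_TARGET, dns_names=[SRV_TARGET, XMPP_DOMAIN])
# SAN present but for the wrong name: CN must NOT rescue it.
CERT_CN_ONLY_RIGHT = Cert(common_name=XMPP_DOMAIN, dns_names=["other.example"])
# No SANs at all: the legacy CN fallback applies.
CERT_LEGACY = Cert(common_name=XMPP_DOMAIN)


if __name__ == "__main__":
    for label, cert in [("srv-target-only", CERT_FOR_SRV_TARGET),
                        ("domain-in-san", CERT_FOR_DOMAIN),
                        ("cn-right-san-wrong", CERT_CN_ONLY_RIGHT),
                        ("legacy-no-san", CERT_LEGACY)]:
        print(label, "->", match_xmpp_domain(cert, XMPP_DOMAIN))
```

Note that `CERT_FOR_SRV_TARGET` is rejected even though it names the host the S2S connection actually opened to: the SRV target is a routing detail, the certificate has to vouch for `example.com`. A certificate for the hosting provider's machine name is only accepted when it also carries the customer's domain in a SAN.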
