[Operators] XMPP and TLS

Andreas Tauscher ta at geuka.net
Mon May 19 08:35:39 UTC 2014


Maybe somebody can enlighten me.

RFC 3920 says in section 5.1.8:
[---- SNIP ----]
Certificates MUST be checked against the hostname as provided by
the initiating entity (e.g., a user), not the hostname as
resolved via the Domain Name System; e.g., if the user specifies
a hostname of "example.com" but a DNS SRV [SRV] lookup returned
"im.example.com", the certificate MUST be checked as
"example.com".  If a JID for any kind of XMPP entity (e.g.,
client or server) is represented in a certificate, it MUST be
represented as a UTF8String within an otherName entity inside the
subjectAltName, using the [ASN.1] Object Identifier
"id-on-xmppAddr" specified in Section 5.1.1 of this document.
[---- SNAP ----]

As I read this, if I have a domain foo.bar and the SRV record points to 
im.example.com, c2s and s2s have to verify the certificate against foo.bar 
instead of im.example.com.

I can't find out why XMPP should not handle it like SMTP. In the case of s2s 
the certificate is verified against the canonical name in the MX record 
(for XMPP the _xmpp-server._tcp record is like the MX record for SMTP), 
and I see the XMPP _xmpp-client._tcp record as being like autoconfig/autodiscover 
for mail.

With XMPP I have to create and install a certificate for every domain.
IMHO this only makes it complicated and counterproductive for enforcing a 
fully encrypted XMPP network.
On a mail server I can host thousands of domains with one certificate. 
Why do I have to deal in XMPP in this case with thousands of 

For now I can't see any reason for this. Or have I overlooked something 
enabling me to host several domains with one certificate?
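The following is an added illustration, not part of the original message, of the rule quoted from RFC 3920 section 5.1.8: the reference identity used for the certificate check is the domain the user supplied (or the remote JID's domainpart for s2s), and the SRV target is deliberately ignored. It also shows why this rule does not by itself force one certificate per domain: a single certificate can carry many subjectAltName entries, either dNSName or otherName id-on-xmppAddr, one per hosted domain. Assumptions: the certificate is represented as already-decoded SAN entries (no ASN.1 parsing here), dNSName matching follows the RFC 6125 wildcard rules as commonly implemented, and xmppAddr values are compared case-insensitively without full IDNA/stringprep handling. All inputs are constructed.

```python
"""Reference-identity selection and SAN matching for XMPP TLS (RFC 3920 5.1.8).

Added example with constructed certificates; the certificate is modelled as
already-parsed subjectAltName entries rather than DER.
"""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# OID of id-on-xmppAddr (RFC 3920 section 5.1.1), for reference only: the
# SAN entries below are assumed to be decoded already.
ID_ON_XMPPADDR = "1.3.6.1.5.5.7.8.5"


@dataclass
class ParsedCert:
    """Constructed stand-in for a parsed X.509 certificate."""
    dns_names: List[str] = field(default_factory=list)   # SAN dNSName entries
    xmpp_addrs: List[str] = field(default_factory=list)  # SAN otherName id-on-xmppAddr entries


def reference_identity(user_domain: str, srv_target: str) -> str:
    """The identity to check is the user-supplied domain; the SRV target is
    DNS-derived and therefore untrusted, so it is ignored on purpose."""
    del srv_target
    return user_domain.lower().rstrip(".")


def dns_name_matches(pattern: str, reference: str) -> bool:
    """RFC 6125-style dNSName comparison: case-insensitive; a wildcard is only
    allowed as the whole left-most label, matches exactly one label, and is
    refused for names such as '*.com'."""
    pattern = pattern.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == reference
    p_labels = pattern.split(".")
    r_labels = reference.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(r_labels):
        return False
    return p_labels[1:] == r_labels[1:]


def cert_matches_domain(cert: ParsedCert, user_domain: str,
                        srv_target: str) -> Tuple[bool, str]:
    """Return (matched, reason) for the certificate against the reference identity."""
    ref = reference_identity(user_domain, srv_target)
    # xmppAddr entries are JIDs; compared exactly, no wildcards.
    for addr in cert.xmpp_addrs:
        if addr.lower().rstrip(".") == ref:
            return True, f"xmppAddr {addr}"
    for name in cert.dns_names:
        if dns_name_matches(name, ref):
            return True, f"dNSName {name}"
    return False, f"no SAN entry matches {ref}"


def demo() -> Dict[str, Tuple[bool, str]]:
    """The scenario from the message: SRV for example.com points at im.example.com."""
    srv_target = "im.example.com"
    # Certificate issued only for the SRV target: fails the RFC 3920 check.
    srv_only = ParsedCert(dns_names=["im.example.com"])
    # One certificate hosting several domains via multiple SAN entries.
    multi_tenant = ParsedCert(
        dns_names=["im.example.com", "example.com", "*.example.com"],
        xmpp_addrs=["foo.bar"],
    )
    return {
        "srv_only/example.com": cert_matches_domain(srv_only, "example.com", srv_target),
        "multi/example.com": cert_matches_domain(multi_tenant, "example.com", srv_target),
        "multi/foo.bar": cert_matches_domain(multi_tenant, "foo.bar", srv_target),
        "multi/chat.example.com": cert_matches_domain(multi_tenant, "chat.example.com", srv_target),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:28s} {'OK ' if ok else 'FAIL'} ({why})")
```

The first case is exactly the situation the message describes: a certificate valid only for the SRV target is rejected, because accepting it would let anyone able to influence the DNS answer redirect connections to a host whose certificate they legitimately hold. The multi-tenant certificate passes for every hosted domain from a single file, which is the operational answer to the "one certificate per domain" concern.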

