[Operators] XMPP and TLS

Kim Alvefur zash at zash.se
Mon May 19 09:08:54 UTC 2014


On 2014-05-19T10:35:39 CEST, Andreas Tauscher wrote:
> As I read this if I have a domain foo.bar an the SRV record points to
> im.example.com c2s and s2s has to verify the certificate against
> foo.bar instead im.example.com.

If the name you are claiming is 'foo.bar', why would I check that you
present a certificate with a completely different name?  Unless you have
DNSSEC, someone could inject a fake SRV (or MX in case of SMTP) record
pointing to a domain they own and that they can present a valid
certificate for.  What then?

If you do have DNSSEC, then it's fine to check the certificate against
the delegated name, though deployed support for that is probably fairly small.

> I can't find out why XMPP should not handle it like SMTP.

Because it's not handled in SMTP.

> Why do I have to deal in XMPP in this case with thousands of
> certificates?

Like others said, it's a known issue that is being worked on.  For now, very
few actually enforce valid certificates and instead fall back to
dialback for verification.

Kim "Zash" Alvefur
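The verification rule argued for above (check the certificate against the claimed domain, and accept the SRV target only when the SRV answer itself was DNSSEC-validated), as an added example that is not part of the thread or of any XMPP server's code. The `SrvDelegation` type, the function names and the sample names `foo.bar` / `im.example.com` are constructed for illustration.

```python
# Added example (not from the thread): which names a certificate must carry
# when the XMPP domain foo.bar delegates via SRV to im.example.com.
from dataclasses import dataclass


@dataclass
class SrvDelegation:
    """Result of an _xmpp-server/_xmpp-client SRV lookup for a domain."""
    domain: str             # the XMPP domain the peer claims (foo.bar)
    target: str             # host the SRV record points to (im.example.com)
    dnssec_validated: bool  # True only if the resolver validated the SRV answer


def reference_identifiers(d: SrvDelegation) -> set:
    """Names the presented certificate is allowed to match.

    The claimed domain is always acceptable.  The SRV target is acceptable
    only when the SRV record was DNSSEC-validated: an unsigned SRV answer
    could have been injected to point at a host the attacker controls and
    holds a perfectly valid certificate for.
    """
    names = {d.domain.lower()}
    if d.dnssec_validated:
        names.add(d.target.lower())
    return names


def dns_name_matches(pattern: str, name: str) -> bool:
    """RFC 6125-style dNSName comparison: case-insensitive, one wildcard
    allowed only as the entire left-most label (e.g. *.example.com)."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    # Wildcard must be a whole label, cover exactly one label, and leave at
    # least two fixed labels so "*.bar" cannot match every name under .bar.
    if p_labels[0] != "*" or len(p_labels) != len(n_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == n_labels[1:]


def certificate_acceptable(cert_dns_names, d: SrvDelegation) -> bool:
    """True if any dNSName SAN in the certificate matches an allowed name."""
    return any(dns_name_matches(san, ref)
               for san in cert_dns_names
               for ref in reference_identifiers(d))


if __name__ == "__main__":
    # Constructed scenario from the thread: foo.bar delegates to im.example.com.
    unsigned = SrvDelegation("foo.bar", "im.example.com", dnssec_validated=False)
    print(certificate_acceptable(["foo.bar"], unsigned))         # True
    print(certificate_acceptable(["im.example.com"], unsigned))  # False
    signed = SrvDelegation("foo.bar", "im.example.com", dnssec_validated=True)
    print(certificate_acceptable(["*.example.com"], signed))     # True
```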

