[Operators] Obtaining XMPP-enabled certificate for server

Simon Josefsson simon at josefsson.org
Tue Jul 19 09:53:35 UTC 2016


Martin Vietz <lists_jabber_org at martin.vietz.eu> writes:

> Hi Tomasz,
>
> On 10.07.2016 23:30, Tomasz Sterna wrote:
>> I am already using letsencrypt for https, but I wasn't sure it would
>> work with XMPP.
>
> You can also secure all other services using ssl/tls with x509, e.g.
> SMTP, IMAP, FTP over SSL, Mumble

Let's Encrypt does not, to my knowledge, support the XMPP SRV-ID
SubjectAltName attribute.  So you cannot use it for all kinds of
TLS-enabled XMPP setups.

On this topic, it seems that several XMPP clients do not handle the
SAN properly either.  I did some experiments with my own custom XMPP CA
that refers to two domains "sjd.se" and "josefsson.org" earlier:

https://blog.josefsson.org/2015/05/12/certificates-for-xmpp-jabber/

Several XMPP clients I have tested do not deal well with this.  Some
clients resolved the issue, like the Android XMPP client Conversations:

https://github.com/siacs/Conversations/issues/1189

I wonder if people really care about this usage any more -- it does not
scale well (all domains have to be encoded in the same cert => big
certs) and introduces an indirection which often leaves room for
attackers.

/Simon
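The message above turns on two details of the subjectAltName extension: the XMPP-specific identifiers (SRV-ID, carried as an otherName with id-on-dnsSRV, and XmppAddr, carried as an otherName with id-on-xmppAddr) that Let's Encrypt does not issue, and the RFC 6120 matching that some clients get wrong when several domains share one certificate. The following is an added, self-constructed example, not code from the thread or from any of the projects mentioned: it builds a SAN extension in DER with a tiny hand-written encoder, parses it back, and applies the RFC 6120 section 13.7.2 reference-identifier check (any matching XmppAddr, SRV-ID or DNS-ID counts; no wildcard handling, no fallback to the Common Name). The domains "sjd.se" and "josefsson.org" are the ones from the message; the helper names and the sample SAN contents are assumptions made for the example.

```python
"""Build and inspect an X.509 subjectAltName (RFC 5280 GeneralNames) carrying the
XMPP identifiers of RFC 6120 section 13.7.1: dNSName (DNS-ID), id-on-dnsSRV (SRV-ID)
and id-on-xmppAddr (XmppAddr).  Pure Python, no external library.  Hypothetical
helper code written for this example, not from the mailing-list thread."""

# OBJECT IDENTIFIER values from RFC 6120 (id-on-xmppAddr) and RFC 4985 (id-on-dnsSRV)
ID_ON_XMPPADDR = bytes.fromhex("2b06010505070805")  # 1.3.6.1.5.5.7.8.5
ID_ON_DNSSRV = bytes.fromhex("2b06010505070807")    # 1.3.6.1.5.5.7.8.7


def _der_len(n):
    """DER definite length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def dns_name(host):
    """GeneralName dNSName [2] IA5String (implicit tag 0x82)."""
    return _tlv(0x82, host.encode("ascii"))


def _other_name(oid, inner):
    """GeneralName otherName [0] OtherName; OtherName.value is [0] EXPLICIT."""
    return _tlv(0xA0, _tlv(0x06, oid) + _tlv(0xA0, inner))


def srv_name(service, host):
    """SRV-ID: SRVName IA5String of the form "_service.host" (RFC 4985)."""
    return _other_name(ID_ON_DNSSRV, _tlv(0x16, f"_{service}.{host}".encode("ascii")))


def xmpp_addr(domain):
    """XmppAddr: UTF8String holding the XMPP domain (RFC 6120)."""
    return _other_name(ID_ON_XMPPADDR, _tlv(0x0C, domain.encode("utf-8")))


def subject_alt_name(*names):
    """GeneralNames ::= SEQUENCE OF GeneralName."""
    return _tlv(0x30, b"".join(names))


def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; returns (tag, value bytes, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_san(der):
    """Return [(kind, value)] with kind in {'DNS-ID', 'SRV-ID', 'XmppAddr', 'other'}."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE")
    found, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x82:
            found.append(("DNS-ID", val.decode("ascii")))
        elif tag == 0xA0:
            _, oid, p = _read_tlv(val, 0)          # type-id
            _, wrapper, _ = _read_tlv(val, p)      # [0] EXPLICIT value
            _, inner, _ = _read_tlv(wrapper, 0)    # the string inside
            if oid == ID_ON_DNSSRV:
                found.append(("SRV-ID", inner.decode("ascii")))
            elif oid == ID_ON_XMPPADDR:
                found.append(("XmppAddr", inner.decode("utf-8")))
            else:
                found.append(("other", oid.hex()))
        # rfc822Name, iPAddress, URI and the rest are not XMPP identifiers: ignored
    return found


def matches_xmpp_domain(san_der, domain, service="xmpp-client"):
    """RFC 6120 13.7.2 style check: the certificate is acceptable for `domain` if any
    XmppAddr, service-specific SRV-ID, or DNS-ID equals it (case-insensitive, exact).
    No wildcard matching and no fallback to the subject Common Name."""
    want_srv = f"_{service}.{domain}".lower()
    for kind, value in parse_san(san_der):
        if kind in ("XmppAddr", "DNS-ID") and value.lower() == domain.lower():
            return True
        if kind == "SRV-ID" and value.lower() == want_srv:
            return True
    return False


# Constructed sample: one certificate serving two domains, as in the message.
TWO_DOMAIN_SAN = subject_alt_name(
    dns_name("sjd.se"),
    srv_name("xmpp-client", "sjd.se"),
    srv_name("xmpp-server", "sjd.se"),
    xmpp_addr("josefsson.org"),
)
# Constructed sample: a DNS-ID-only certificate, the shape Let's Encrypt issues.
DNS_ONLY_SAN = subject_alt_name(dns_name("sjd.se"))

if __name__ == "__main__":
    for kind, value in parse_san(TWO_DOMAIN_SAN):
        print(f"{kind:9} {value}")
    print("sjd.se via two-domain cert:", matches_xmpp_domain(TWO_DOMAIN_SAN, "sjd.se"))
    print("sjd.se via DNS-only cert:  ", matches_xmpp_domain(DNS_ONLY_SAN, "sjd.se"))
```

The DNS-ID-only certificate still passes the check for its own domain, which is why Let's Encrypt works for the plain case; what it cannot express is a per-service SRV-ID, and the two-domain SAN shows how every extra domain adds entries to the same extension.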