[Operators] Obtaining XMPP-enabled certificate for server
simon at josefsson.org
Tue Jul 19 09:53:35 UTC 2016
Martin Vietz <lists_jabber_org at martin.vietz.eu> writes:
> Hi Tomasz,
> On 10.07.2016 23:30, Tomasz Sterna wrote:
>> I am already using letsencrypt for https, but I wasn't sure it would
>> work with XMPP.
> You can also secure all other services using ssl/tls with x509, e.g.
> SMTP, IMAP, FTP over SSL, Mumble
Let's Encrypt does not to my knowledge support the XMPP SRV-ID
SubjectAltName attribute. So you cannot use it for all kind of
TLS-enabled XMPP setups.
On this topic, it seems that several XMPP clients does not handle the
SAN properly either. I did some experiment with my own custom XMPP CA
that refer to two domains "sjd.se" and "josefsson.org" earlier:
Several XMPP clients I have tested does not deal well with this. Some
clients resolved the issue, like the Android XMPP client Conversations:
I wonder if people really care about this usage any more -- it does not
scale well (all domains have to be encoded in the same cert => big
certs) and introduces an indirection which often leaves room for
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 472 bytes
Desc: not available
More information about the Operators