[Operators] Obtaining XMPP-enabled certificate for server
Simon Josefsson
simon at josefsson.org
Tue Jul 19 09:53:35 UTC 2016
Martin Vietz <lists_jabber_org at martin.vietz.eu> writes:
> Hi Tomasz,
>
> On 10.07.2016 23:30, Tomasz Sterna wrote:
>> I am already using letsencrypt for https, but I wasn't sure it would
>> work with XMPP.
>
> You can also secure all other services using ssl/tls with x509, e.g.
> SMTP, IMAP, FTP over SSL, Mumble
Let's Encrypt does not to my knowledge support the XMPP SRV-ID
SubjectAltName attribute. So you cannot use it for all kind of
TLS-enabled XMPP setups.
On this topic, it seems that several XMPP clients does not handle the
SAN properly either. I did some experiment with my own custom XMPP CA
that refer to two domains "sjd.se" and "josefsson.org" earlier:
https://blog.josefsson.org/2015/05/12/certificates-for-xmpp-jabber/
Several XMPP clients I have tested does not deal well with this. Some
clients resolved the issue, like the Android XMPP client Conversations:
https://github.com/siacs/Conversations/issues/1189
I wonder if people really care about this usage any more -- it does not
scale well (all domains have to be encoded in the same cert => big
certs) and introduces an indirection which often leaves room for
attackers.
/Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 472 bytes
Desc: not available
URL: <http://mail.jabber.org/pipermail/operators/attachments/20160719/1d578a7a/attachment.sig>
More information about the Operators
mailing list