[Operators] Obtaining XMPP-enabled certificate for server

Dave Cridland dave at cridland.net
Tue Jul 19 18:25:11 UTC 2016

On 19 July 2016 at 17:36, Marvin Gülker <m-guelker at phoenixmail.de> wrote:

> Am Tue, 19 Jul 2016 16:15:40 +0200
> schrieb Florian Schmaus <flo at geekplace.eu>:
> > Isn't one problem that a cert with CN "example.org" will be valid for
> > all services found on example.org (simply speaking), whereas when
> > using SRV-ID restricts the cert to a particular service?
> I have always wondered about which domains should actually be included
> into a TLS certificate for use in XMPP services once an SRV record is
> in place. Do I need a certificate which covers xmpp.example.com? Or
> does one for example.com suffice, given that that's what is actually
> part of the JIDs? Or do I even need one that covers
> _xmpp-server._tcp.example.com and _xmpp-client._tcp.example.com? A
> combination of these three?
> If any more than one of these is required, this rules out simple certs
> only covering a CN, at least one SAN is required.
> Ideas, anyone? Is there a documentation of the actual practise?
Yes, in RFC 5280, RFC 6125, and RFC 6120. But they're relatively tough
reading (especially 5280).

Loosely, what goes in, must come out:

The thing initiating the session has a service it wants, and a name it
wants to get the service for. In our case, the service is always XMPP, but
could be either xmpp-client or xmpp-server. The name is always the XMPP
domain. So these are what goes in.

What comes out of the certificate, therefore, has to be the service (if we
care) and the XMPP domain. The "CN" - actually the Common Name RDN of the
Subject Distinguished Name - is the old-fashioned way of doing this (and
boy is it old-fashioned - this dates from the early '90's and has somehow
clung on). Certificates also have one or more Subject Alternate Names,
which can be (and often are) DNSNames, which are "just the domain".

If we care about the service, then we want that to be present too - a
sRVName type SAN can contain these (perhaps _xmpp-server.example.com - note
the _tcp is missing), or an XMPPAddress SAN, or even a URI SAN. We usually
don't, though, and these certificates have become very hard to obtain

Things we get from DNS during the connection - stuff like the hostname, and
IP address - can be used, but only if they've been secured by DNSSEC. If
DNSSEC is in play, then DANE can also come in - but DNSSEC only accounts
for a small percentage of XMPP servers. In any case, it's the same - what
goes in (via the crypto) must come out.

So in the example you give, just "example.com" is fine.

For a remarkably silly description of this, there's also


> Greetings
> Marvin
> --
> Blog: http://www.guelkerdev.de
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/operators/attachments/20160719/9a8cdcc6/attachment-0001.html>

More information about the Operators mailing list