[Operators] Obtaining XMPP-enabled certificate for server

Florian Schmaus flo at geekplace.eu
Wed Jul 20 07:58:18 UTC 2016

On 19.07.2016 18:36, Marvin Gülker wrote:
> Am Tue, 19 Jul 2016 16:15:40 +0200
> schrieb Florian Schmaus <flo at geekplace.eu>:
>> Isn't one problem that a cert with CN "example.org" will be valid for
>> all services found on example.org (simply speaking), whereas when
>> using SRV-ID restricts the cert to a particular service?
> I have always wondered about which domains should actually be included
> into a TLS certificate for use in XMPP services once an SRV record is
> in place.

> Do I need a certificate which covers xmpp.example.com?

No, never. The certificate needs only to "prove" that it's valid for the
desired service. Doing verification on the name of the host providing
the server actually imposes a security risk. If no DNSSEC is used, then
an attacker could manipulate the SRV RRs so that
_xmpp-client._tcp.example.com points to xmpp.attacker.org and present a
"valid" certificate for xmpp.attacker.org.

> If any more than one of these is required, this rules out simple certs
> only covering a CN, at least one SAN is required.
> Ideas, anyone? Is there a documentation of the actual practise?

There is a huge gap between what is specified, for example in the
various RFCs Dave mentioned, and implemented. You will find many
implementations simply considering only the CN (or not performing any
name verification at all).

But I feel like the situation is improving. Simon mentioned the
'Conversations' Android App as example.

For the near future, I hope that certificates using only srvNames will
become more common. But if you want to stay super "compatible" with all
sorts of XMPP software out there, then you probably want to put your
XMPP domain in the CN too. Which comes with the drawback that the cert
can be used for all services under that domain.

- Florian
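An added example, not part of the thread, of the verification logic Florian describes: the reference identifier is the XMPP domain from the JID, never the SRV target host, and an SRV-ID scopes the certificate to one service. The presented identifiers are a constructed list standing in for a certificate's subjectAltName entries; function and constant names are my own.

```python
# Constructed example of RFC 6120 section 13.7.2 / RFC 6125 reference-identifier
# matching for an XMPP client. No certificate is parsed; presented_ids stands in
# for the identifiers a client would extract from the subjectAltName (and CN).

SRV_SERVICE = "xmpp-client"  # the _xmpp-client._tcp service from the post


def _dns_id_matches(presented, reference):
    """Case-insensitive DNS-ID compare; a wildcard may replace only the left-most label."""
    p, r = presented.lower().rstrip("."), reference.lower().rstrip(".")
    if p == r:
        return True
    if p.startswith("*.") and "." in r:
        return p[2:] == r.split(".", 1)[1]
    return False


def check_xmpp_cert(presented_ids, xmpp_domain, allow_cn=False):
    """Return the (kind, value) that proves the cert valid for xmpp_domain, else None.

    presented_ids: list of (kind, value), kind in {"SRV-ID", "XmppAddr", "DNS-ID", "CN"}.
    xmpp_domain:   domain part of the JID; this is the ONLY reference identifier.
    The SRV target host (e.g. xmpp.example.com) is never compared, so a spoofed SRV
    record pointing at an attacker host with a cert for that host cannot pass.
    """
    ref = xmpp_domain.lower().rstrip(".")
    # 1. SRV-ID: binds the cert to one service on the domain (preferred). No wildcards.
    for kind, value in presented_ids:
        if kind == "SRV-ID":
            svc, _, dom = value.partition(".")
            if svc == "_" + SRV_SERVICE and dom.lower().rstrip(".") == ref:
                return (kind, value)
    # 2. XmppAddr: XMPP-specific otherName, also scoped to XMPP. No wildcards.
    for kind, value in presented_ids:
        if kind == "XmppAddr" and value.lower().rstrip(".") == ref:
            return (kind, value)
    # 3. DNS-ID (and legacy CN only if the caller opts in): valid for every service.
    for kind, value in presented_ids:
        if kind == "DNS-ID" or (allow_cn and kind == "CN"):
            if _dns_id_matches(value, xmpp_domain):
                return (kind, value)
    return None


if __name__ == "__main__":
    # Attack from the post: SRV spoofed to xmpp.attacker.org, attacker presents its own cert.
    attacker = [("DNS-ID", "xmpp.attacker.org"), ("CN", "xmpp.attacker.org")]
    print(check_xmpp_cert(attacker, "example.com"))  # None: rejected
    srv_only = [("SRV-ID", "_xmpp-client.example.com")]  # srvName-only cert
    print(check_xmpp_cert(srv_only, "example.com"))  # ('SRV-ID', '_xmpp-client.example.com')
```

A cert for the SRV target alone (xmpp.example.com) is rejected the same way as the attacker's, which is the point of the "No, never" above.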
