[Standards] mutual authentication and XEP 178

Tony Finch dot at dotat.at
Tue Jul 17 19:03:51 UTC 2007


Following a discussion on the ejabberd list, I've noticed that XEP 178
makes no mention of certificates being presented by the target of a
connection and verified by the source of the connection, as is usual. I
guess that this is a mistake, since it is omitted for both c2s and s2s
connections, and client verification of server certificates is normal
enough that perhaps the document just assumes it will happen. This has led
to a bug in ejabberd such that it presents the wrong s2s certificate on
incoming connections to non-primary domains, and doesn't verify the
target's certificate on outgoing s2s connections, leaving it open to
spoofing attacks.

Tony.
-- 
f.a.n.finch  <dot at dotat.at>  http://dotat.at/
IRISH SEA: SOUTHERLY, BACKING NORTHEASTERLY FOR A TIME, 3 OR 4. SLIGHT OR
MODERATE. SHOWERS. MODERATE OR GOOD, OCCASIONALLY POOR.
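The two checks the post says are missing for s2s, written out as an added example in Python 3 (standard library only; this is not code from the post, from XEP 178 or from ejabberd). Certificates are represented in the dict shape that `ssl.SSLSocket.getpeercert()` returns, so the matching logic runs offline on the constructed sample certificates below; the domain names and `hosted` table are assumptions for illustration. The hostname check here covers DNS subjectAltName entries and the CN fallback only; the XMPP-specific identifiers (id-on-xmppAddr, SRV-ID) that a full XEP 178 implementation must also accept are not exposed by `getpeercert()` and are out of scope of this example.

```python
"""
Added example: mutual authentication for XMPP s2s, as two separate checks.

  1. Outgoing s2s: the certificate the *target* presents must be verified
     and must name the domain that was dialled.
  2. Incoming s2s: a server hosting several domains must present the
     certificate for the domain the peer is connecting *to*, not always the
     primary domain's.
"""
import ssl


# --- 1. Verifying the target's certificate on an outgoing connection -------

def hostname_matches(cert: dict, domain: str) -> bool:
    """True if `cert` names `domain` in a DNS subjectAltName (exact or
    single-label wildcard) or, only when there is no SAN at all, in the
    subject commonName. DNS names compare case-insensitively."""
    domain = domain.lower().rstrip(".")
    san_names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_names:
        candidates = san_names
    else:
        candidates = [v.lower() for rdn in cert.get("subject", ())
                      for k, v in rdn if k == "commonName"]
    for name in candidates:
        if name == domain:
            return True
        if name.startswith("*."):
            # A wildcard matches exactly one leftmost label.
            head, sep, tail = domain.partition(".")
            if sep and head and tail == name[2:]:
                return True
    return False


def outgoing_s2s_context() -> ssl.SSLContext:
    """Client-side context for dialling a remote server: chain verification
    against the system trust store and hostname checking both switched on."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def weak_outgoing_context() -> ssl.SSLContext:
    """The failure mode the post describes: TLS is negotiated but the target's
    certificate is never checked, so whoever can redirect the connection
    (DNS/SRV poisoning, routing) can impersonate the remote domain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """Does this context both require a chain and check the hostname?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


# --- 2. Presenting the right certificate on an incoming connection ---------

# Constructed sample certificates (not real), in getpeercert() shape.
PRIMARY_CERT = {
    "subject": ((("commonName", "primary.example"),),),
    "subjectAltName": (("DNS", "primary.example"), ("DNS", "*.primary.example")),
}
SECONDARY_CERT = {
    "subject": ((("commonName", "secondary.example"),),),
    "subjectAltName": (("DNS", "secondary.example"),),
}
# Assumed hosting table: every domain this server answers for -> its cert.
HOSTED = {"primary.example": PRIMARY_CERT, "secondary.example": SECONDARY_CERT}


def select_certificate(hosted: dict, to_domain: str):
    """Return the certificate for the domain the peer is connecting to, or
    None if we do not host it. Never fall back to the primary domain's
    certificate: that is the wrong-certificate behaviour the post reports."""
    to_domain = to_domain.lower().rstrip(".")
    cert = hosted.get(to_domain)
    if cert is not None and hostname_matches(cert, to_domain):
        return cert
    return None


if __name__ == "__main__":
    print("outgoing verifies peer:", verifies_peer(outgoing_s2s_context()))
    print("weak context verifies peer:", verifies_peer(weak_outgoing_context()))
    for to in ("primary.example", "secondary.example", "other.example"):
        chosen = select_certificate(HOSTED, to)
        print(to, "->", chosen["subject"][0][0][1] if chosen else None)
```

In a real server the `select_certificate` lookup would sit in an SNI callback (or be keyed on the stream's `to` attribute for peers that do not send SNI), and `outgoing_s2s_context` would wrap the dialling socket before the `<starttls/>` upgrade; the point of the two functions is that neither direction is optional.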


