[Standards] mutual authentication and XEP 178
stpeter at jabber.org
Tue Jul 17 19:15:31 UTC 2007
Tony Finch wrote:
> Following a discussion on the ejabberd list, I've noticed that XEP 178
> makes no mention of certificates being presented by the target of a
> connection and verified by the source of the connection, as is usual. I
> guess that this is a mistake, since it is omitted for both c2s and s2s
> connections, and client verification of server certificates is normal
> enough that perhaps the document just assumes it will happen. This has led
> to a bug in ejabberd such that it presents the wrong s2s certificate on
> incoming connections to non-primary domains, and doesn't verify the
> target's certificate on outgoing s2s connections, leaving it open to
> spoofing attacks.
It's not 100% clear to me what you're referring to, but I didn't pay
close attention to the ejabberd thread.
If you are referring to certificate validation, that is covered in RFC3920:
http://www.xmpp.org/rfcs/rfc3920.html#tls-overview (see items 7 and 8)
See also rfc3920bis:
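The check Tony describes as missing on outgoing s2s connections (verifying that the target's certificate actually asserts the domain being connected to) is, in practice, the identity-matching rule of RFC 3920 section 14.2. The following is an added illustration, not code from this thread, from the XEP, or from ejabberd: subjectAltName identities (dNSName, or an XmppAddr otherName with OID 1.3.6.1.5.5.7.8.5) are checked first, and the subject Common Name is consulted only when the certificate carries no subjectAltName identity. The certificate dicts are constructed for the example rather than taken from a TLS library, and the single-label wildcard handling is an assumption borrowed from RFC 2818 style practice, since RFC 3920 itself does not spell it out.

```python
"""Peer-identity check for the target of an outgoing XMPP s2s/c2s TLS connection.

Added example (not code from this thread, XEP-0178, or ejabberd).  Implements
the RFC 3920 section 14.2 matching rule: subjectAltName identities take
precedence; the subject CN is used only when no subjectAltName identity exists.
"""

XMPP_ADDR_OID = "1.3.6.1.5.5.7.8.5"  # id-on-xmppAddr otherName type


def _normalize(domain):
    # Domain names compare case-insensitively; drop a trailing root dot.
    return domain.rstrip(".").lower()


def _san_identities(cert):
    """Return the (kind, value) identities usable for XMPP from subjectAltName."""
    ids = []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            ids.append(("dNSName", _normalize(value)))
        elif kind == "otherName" and value[0] == XMPP_ADDR_OID:
            ids.append(("XmppAddr", _normalize(value[1])))
    return ids


def _common_name(cert):
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return _normalize(value)
    return None


def _dns_name_matches(pattern, domain):
    # Exact match, or a single leftmost-label wildcard ("*.example.net") that
    # covers exactly one label.  Assumption: RFC 2818-style wildcard rule;
    # RFC 3920 does not define wildcard handling.
    if pattern == domain:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.net"
        head = domain[: -len(suffix)] if domain.endswith(suffix) else None
        return head is not None and head != "" and "." not in head
    return False


def peer_identity_matches(cert, target_domain):
    """True if `cert` asserts the XMPP domain we intended to connect to.

    `cert` is a constructed dict shaped like Python's getpeercert() output:
      {"subject": ((("commonName", "x"),),),
       "subjectAltName": (("DNS", "x"), ("otherName", (oid, "y")))}
    """
    target = _normalize(target_domain)
    san = _san_identities(cert)
    if san:
        # subjectAltName present: it is authoritative, the CN is not consulted.
        for kind, value in san:
            if kind == "XmppAddr" and value == target:
                return True
            if kind == "dNSName" and _dns_name_matches(value, target):
                return True
        return False
    cn = _common_name(cert)
    return cn is not None and _dns_name_matches(cn, target)


# Constructed sample certificates (not real certificates).
CERT_WITH_SAN = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (
        ("DNS", "example.com"),
        ("otherName", (XMPP_ADDR_OID, "conference.example.com")),
    ),
}
CERT_CN_ONLY = {"subject": ((("commonName", "*.example.net"),),)}
CERT_OTHER_DOMAIN = {
    "subject": ((("commonName", "attacker.example"),),),
    "subjectAltName": (("DNS", "attacker.example"),),
}

if __name__ == "__main__":
    print(peer_identity_matches(CERT_WITH_SAN, "example.com"))       # True
    print(peer_identity_matches(CERT_WITH_SAN, "mail.example.com"))  # False: CN ignored
    print(peer_identity_matches(CERT_OTHER_DOMAIN, "example.com"))   # False: spoof rejected
```

The last case is the spoofing scenario from the quoted message: a peer that presents a valid certificate for some other domain must be rejected for the domain the originating server meant to reach. The same function also serves the receiving side of Tony's first point, since a server hosting several domains can check that the certificate it is about to present for an incoming stream satisfies peer_identity_matches(cert, to_domain) before offering it.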