[Standards] mutual authentication and XEP 178

Peter Saint-Andre stpeter at jabber.org
Tue Jul 17 19:15:31 UTC 2007


Tony Finch wrote:
> Following a discussion on the ejabberd list, I've noticed that XEP 178
> makes no mention of certificates being presented by the target of a
> connection and verified by the source of the connection, as is usual. I
> guess that this is a mistake, since it is omitted for both c2s and s2s
> connections, and client verification of server certificates is normal
> enough that perhaps the document just assumes it will happen. This has led
> to a bug in ejabberd such that it presents the wrong s2s certificate on
> incoming connections to non-primary domains, and doesn't verify the
> target's certificate on outgoing s2s connections, leaving it open to
> spoofing attacks.

It's not 100% clear to me what you're referring to, but I didn't pay
close attention to the ejabberd thread.

If you are referring to certificate validation, that is covered in RFC3920:

http://www.xmpp.org/rfcs/rfc3920.html#tls-overview (see items 7 and 8)

http://www.xmpp.org/rfcs/rfc3920.html#security-validation

See also rfc3920bis:

http://www.xmpp.org/internet-drafts/draft-saintandre-rfc3920bis-03.html#tls-process-neg

http://www.xmpp.org/internet-drafts/draft-saintandre-rfc3920bis-03.html#security-validation

/psa
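The two checks Tony's report turns on, written up here as an added example (it is not code from this thread, from ejabberd, or from the XEP): on an outgoing s2s connection, verify that the certificate the target presented actually identifies the domain you dialled; on an incoming connection, serve the certificate for the domain the peer asked for rather than always the primary one. Certificates are represented as already-parsed identities (a constructed, simplified structure), and the matching rules are a plain reading of RFC 3920's validation section, not any particular server's implementation.

```python
# Added example: XMPP s2s certificate identity checks (not from the thread).
# Assumes certificates are already parsed into their name fields.
from dataclasses import dataclass, field


@dataclass
class CertIdentities:
    """Identities carried by one server certificate (constructed, simplified)."""
    subject_cn: str
    dns_names: list = field(default_factory=list)   # subjectAltName dNSName
    xmpp_addrs: list = field(default_factory=list)  # subjectAltName id-on-xmppAddr


def _label_match(pattern: str, name: str) -> bool:
    """Case-insensitive DNS name match; '*' only as the whole leftmost label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    p_labels, n_labels = pattern.split("."), name.split(".")
    # Wildcard must replace exactly one label and leave at least two fixed ones.
    if p_labels[0] != "*" or len(p_labels) != len(n_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == n_labels[1:]


def cert_matches_domain(cert: CertIdentities, domain: str) -> bool:
    """Outgoing s2s: does the presented certificate identify `domain`?

    subjectAltName entries take precedence; the subject CN is consulted only
    when the certificate carries no SAN identities at all.
    """
    if cert.xmpp_addrs or cert.dns_names:
        if any(a.lower() == domain.lower() for a in cert.xmpp_addrs):
            return True
        return any(_label_match(d, domain) for d in cert.dns_names)
    return _label_match(cert.subject_cn, domain)


def select_cert_for_domain(certs, requested_domain, default):
    """Incoming s2s: pick the certificate for the domain the peer asked for
    (from the stream 'to' attribute or SNI, an assumption here), falling back
    to `default` only when no hosted certificate covers that domain."""
    for cert in certs:
        if cert_matches_domain(cert, requested_domain):
            return cert
    return default
```

An outgoing connection whose target fails `cert_matches_domain` should be treated as unauthenticated for that domain, which is exactly the spoofing case the report describes.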
