[Standards] Checking hostname in XMPP server when using TLS

zhong ming wu mr.z.m.wu at gmail.com
Tue Nov 2 22:11:18 UTC 2010


My question is related to TLS implementation of xmpp client functionality

As u know a xmpp domain may have more than 1 server handling c2s
connections.  Perhaps that is the original reason why when a client
connects to server via TLS it check to see if ssl cert is issued in
domain name not server name; that way a domain can use 1 SSL
certificate in all servers.

In the opposite case of one server handling multiple virtual domains
this is undesirable since otherwise one cert suffices

Moreover assuming DNS is safe (big assumption in the past & some will
say now) should client not do DNS look up and then use server cert to
verify authenticity of it

Just curious in general about how xmpp client authors decide to check
domain name with the SSL certificate

I have tested aidium, ichat (mac), psi, empathy (ubuntu linux) ichat
(mac) beem (android) in addition to pidgin on windows and linux

TLS implementation of HTTP/SMTP/IMAP/POP do not work like XMPP in this regard



More information about the Standards mailing list