[Standards] Checking hostname in XMPP server when using TLS

Philipp Hancke fippo at goodadvice.pages.de
Wed Nov 3 13:29:42 UTC 2010


Hi Simon,

> SMTP is unusual in that there's no expectation that the connection will be
> secured at all, for historical reasons. The mechanism you describe is wrong
> from a maximum-security point of view, but SMTP is normally not even
> encrypted, so it's (slightly) better than nothing...
>
> If email was invented now, and had mandatory TLS, MTAs would refuse to deliver
> mail for (say) simon.mcvittie at collabora.co.uk unless the destination
> mailserver could present a certificate indicating that it is, or is
> authorized to act on behalf of, collabora.co.uk. Getting there
> from here is basically impossible for email due to the number of existing
> deployments it'd break, but at least we can avoid this design flaw for XMPP...

The collabora.co.uk server shows the following certificate on s2s:

The certificate is self-signed, expired in 2009, and there is no
indication that the server is authorized to act on behalf of
collabora.co.uk.
Do you know of any servers that refuse to deliver stanzas to your domain?

*scnr

philipp
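
The three checks named in the message above (self-signed, expired, not issued for the domain), as an added example that is not part of the original post. It assumes certificate fields in the dict shape returned by Python's ssl.SSLSocket.getpeercert(); the function names and the example.org sample certificates are constructed for illustration, and only dNSName entries are matched.

```python
import ssl

def dns_match(pattern, domain):
    """Exact match, or a wildcard that covers only the left-most label."""
    pattern, domain = pattern.lower().rstrip("."), domain.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in domain and domain.split(".", 1)[1] == pattern[2:]
    return pattern == domain

def s2s_cert_problems(cert, domain, now):
    """Return the reasons `cert` should not be accepted for `domain`.

    cert: dict shaped like getpeercert() output; now: POSIX timestamp.
    """
    problems = []
    # Heuristic: identical issuer and subject means self-issued; a full
    # check would also verify the signature against a trust store.
    if cert.get("issuer") == cert.get("subject"):
        problems.append("self-signed")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    # The certificate must name the XMPP domain the stanzas are addressed
    # to, not merely the host that answered the connection.
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(dns_match(n, domain) for n in names):
        problems.append("not issued for " + domain)
    return problems

# Constructed sample data (not taken from any real server).
NOW = ssl.cert_time_to_seconds("Nov 10 00:00:00 2010 GMT")
SERVER_NAME = ((("commonName", "xmppd"),),)
BAD = {"subject": SERVER_NAME, "issuer": SERVER_NAME,
       "notAfter": "Jan 10 00:00:00 2009 GMT"}
GOOD = {"subject": ((("commonName", "example.org"),),),
        "issuer": ((("commonName", "Constructed Test CA"),),),
        "notAfter": "Jan 10 00:00:00 2011 GMT",
        "subjectAltName": (("DNS", "example.org"),)}

if __name__ == "__main__":
    for label, cert in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, s2s_cert_problems(cert, "example.org", NOW) or "ok")
```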


