- When do you offer SASL EXTERNAL on an incoming connection? I implemented it so that the s2s connection manager always checks the peer's certificate as soon as a TLS layer is established. Only if the certificate could be validated (not expired; if the incoming stream had a from attribute, whether this matches the certificate; signed by a trusted CA; ...) do I offer the peer the use of SASL EXTERNAL. In all other cases I know that SASL EXTERNAL would fail anyway, so I do not have to offer it. It is better for the peer to try dialback.


I got asked (on Jabber) how I do this verification and how I know which domain the server wants to authenticate later on.

If the connecting server sent a from attribute in the stream root, I check against this. If there was no from attribute (the other server does not have to send this attribute), I just check that the certificate is not expired and that I can validate the certificate chain up to a trusted root CA certificate.
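As an added illustration of that decision (this is not code from the poster's implementation or from any particular XMPP server), the offer logic can be written as a small pure function. The `PeerCert` structure and the sample certificates below are constructed stand-ins for what a TLS library would hand back after the handshake; the identity matching assumed here is the usual subjectAltName rule (id-on-xmppAddr compared exactly, dNSName allowing one left-most wildcard label), and the function only decides whether to advertise EXTERNAL, exactly as the post describes.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class PeerCert:
    """Constructed stand-in for a parsed peer X.509 certificate.

    Assumption: a real server fills these fields from its TLS library
    (OpenSSL, GnuTLS, ...) once the TLS layer is up.
    """
    not_before: datetime
    not_after: datetime
    chain_trusted: bool          # chain verified up to a trusted root CA
    dns_names: tuple = ()        # subjectAltName dNSName entries
    xmpp_addrs: tuple = ()       # subjectAltName id-on-xmppAddr entries


def _dns_name_matches(pattern, domain):
    """Case-insensitive match; '*' may replace exactly one left-most label."""
    pattern = pattern.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if pattern == domain:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                  # ".example.net"
        head = domain[: -len(suffix)] if domain.endswith(suffix) else None
        # the wildcard must cover one non-empty label, never the bare parent
        return head is not None and head != "" and "." not in head
    return False


def cert_covers_domain(cert, domain):
    """True if the certificate asserts the given XMPP domain."""
    domain = domain.lower().rstrip(".")
    if any(a.lower().rstrip(".") == domain for a in cert.xmpp_addrs):
        return True
    return any(_dns_name_matches(n, domain) for n in cert.dns_names)


def should_offer_sasl_external(cert, stream_from, now=None):
    """Decide whether to advertise SASL EXTERNAL on an incoming s2s stream.

    Returns (offer, reason). Mirrors the post: validity period, trusted
    chain, and, only if the peer sent a stream 'from', a match of that
    domain against the certificate. Anything else means EXTERNAL would
    fail anyway, so the peer is left to fall back to dialback.
    """
    now = now or datetime.now(timezone.utc)
    if cert is None:
        return False, "peer presented no certificate"
    if not cert.chain_trusted:
        return False, "certificate chain does not reach a trusted root CA"
    if not (cert.not_before <= now <= cert.not_after):
        return False, "certificate is not within its validity period"
    if stream_from is not None and not cert_covers_domain(cert, stream_from):
        return False, "stream 'from' %r is not asserted by the certificate" % stream_from
    return True, "ok"


# --- constructed sample data (not real certificates) ---------------------
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
_VALID_FROM = datetime(2023, 6, 1, tzinfo=timezone.utc)
_VALID_TO = datetime(2024, 6, 1, tzinfo=timezone.utc)

GOOD_CERT = PeerCert(_VALID_FROM, _VALID_TO, True,
                     dns_names=("*.example.net",),
                     xmpp_addrs=("example.net",))
EXPIRED_CERT = PeerCert(_VALID_FROM, datetime(2023, 12, 1, tzinfo=timezone.utc), True,
                        xmpp_addrs=("example.net",))
UNTRUSTED_CERT = PeerCert(_VALID_FROM, _VALID_TO, False,
                          xmpp_addrs=("example.net",))


if __name__ == "__main__":
    for label, cert, frm in [
        ("good, from=example.net", GOOD_CERT, "example.net"),
        ("good, from=im.example.net", GOOD_CERT, "im.example.net"),
        ("good, from=other.example", GOOD_CERT, "other.example"),
        ("good, no from", GOOD_CERT, None),
        ("expired", EXPIRED_CERT, "example.net"),
        ("untrusted chain", UNTRUSTED_CERT, "example.net"),
    ]:
        print("%-28s -> %s" % (label, should_offer_sasl_external(cert, frm, SAMPLE_NOW)))
```

Offering the mechanism is only the first half: when the peer does select EXTERNAL, the domain it actually authenticates (the authzid, or the earlier `from`) still has to be checked against the same certificate at that point, since a stream without a `from` attribute has only passed the expiry and chain checks here.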
