Hi Justin!

Justin Karneges wrote:

Why would a connecting server present a certificate, and then invoke SASL EXTERNAL with an authzid that doesn't match what is written in the certificate? Sounds to me like a configuration problem in the connecting server that you probably shouldn't encourage.
Because it is maybe connecting for service.example.com but only has a certificate for example.com. Sure, this might be considered a misconfiguration - and sure as well, it would be better to have a certificate for each domain. But I think it's better to use a wrong certificate for a connection than to use no TLS layer at all. Sure, one could use the DH anon ciphers for these cases. But I don't know many admins who I would expect to generate DH keys as well. But wrong certificates might even be preferred over the DH anon ciphers, as at least a human can decide if the connection has been made to the right server and not to a man in the middle (e.g. because the certificate subject is logged to a file).


Matthias
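As an added illustration of the decision both replies discuss, not code from this thread or from any XMPP server project: a receiving server accepts SASL EXTERNAL only when the requested authzid is covered by a DNS name in the peer's certificate, and on a mismatch refuses EXTERNAL but keeps the TLS session and logs the certificate subject so an operator can review it later. The certificate names, subject, authzid and peer address are constructed sample values; a real server would take them from the TLS session.

```python
"""Server-to-server SASL EXTERNAL policy: accept only a matching authzid."""
import logging
import re

log = logging.getLogger("s2s.tls")

# Hostname label (RFC 1123 style), used to sanity-check the requested authzid.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _valid_hostname(name: str) -> bool:
    labels = name.lower().rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(lbl) for lbl in labels)


def name_matches(cert_name: str, authzid: str) -> bool:
    """Match one certificate DNS name against the requested domain.

    Exact match, or a wildcard in the leftmost label only (RFC 6125 6.4.3):
    '*.example.com' covers 'service.example.com' but neither 'example.com'
    nor 'a.b.example.com'. Comparison is case-insensitive, trailing dots ignored.
    """
    c, a = cert_name.lower().rstrip("."), authzid.lower().rstrip(".")
    if c == a:
        return True
    if c.startswith("*.") and "*" not in c[2:]:
        suffix = c[1:]                                   # ".example.com"
        return a.endswith(suffix) and "." not in a[: -len(suffix)]
    return False


def decide_external(authzid: str, cert_subject: str, cert_dns_names: list,
                    peer_addr: str) -> tuple:
    """Return (accept, log_line) for a SASL EXTERNAL request from a peer.

    The TLS session itself is kept either way; only the identity is refused
    on mismatch, and the presented subject is recorded for a human to judge
    (misconfigured peer vs. someone else on the path).
    """
    if not _valid_hostname(authzid):
        line = f"s2s EXTERNAL refused from {peer_addr}: malformed authzid {authzid!r}"
        log.warning(line)
        return False, line
    if any(name_matches(n, authzid) for n in cert_dns_names):
        line = f"s2s EXTERNAL accepted from {peer_addr}: authzid={authzid} subject={cert_subject}"
        log.info(line)
        return True, line
    line = (f"s2s EXTERNAL refused from {peer_addr}: authzid={authzid} not covered by "
            f"subject={cert_subject} dns={','.join(cert_dns_names) or '-'}")
    log.warning(line)
    return False, line


if __name__ == "__main__":
    # Constructed example: the case from the thread, service.example.com with an example.com cert.
    print(decide_external("service.example.com", "CN=example.com", ["example.com"], "192.0.2.10")[1])
```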
