On Thu Nov 18 07:38:01 2010, Philipp Hancke wrote:
> Badlop wrote:
> > bear wrote:
> > > We will be setting up a test domain and will be providing a CA, so
> > > each server would:
> > > - have an issued Certificate(s)
> >
> > 2010/11/10 Philipp Hancke <[email protected]>:
> > > Testing cases where it should not work (like revoked certificates) is
> > > more interesting than making sure things work. Testing the verification
> > > of domain-based application service identity would be nice, too.
> >
> > For that additional testing, the XSF could also provide wrong certs:
> > one revoked, another for a dummy domain, etc. And then the server
> > administrators set up additional vhosts which use those certs.
>
> That requires two modes of operation for the servers:
> - oh-yeah-tls-is-so-cool: Basically the normal mode of operation as
> currently used on "the public network" where servers ignore revoked
> (expired, ...) certs or the mismatch of the certificate for "dummy
> domain".

Different servers do, and do not do, CRL checking. M-Link R14.6 does
not, whereas M-Link R15.0 can do (if asked). I don't think servers
trust incorrect or expired certificates ever, do they?

> - tls-as-defined-in-the-specs: if a server connects to another
> server and does not get a valid and trusted certificate for the
> expected peer domain it will disconnect. Additionally, that server
> will not allow another server to use dialback, but require XEP 0178
> style authentication.

You can even place M-Link in such a mode, but it'll continue to
accept a trusted certificate that's been revoked, but won't allow it
to be used for authentication. In addition, you can require (from
some or all peers) that a trusted, unrevoked, valid certificate is to
be presented prior to authentication.

> Do we bother with testing dialback, too?

May as well. If anyone is doing dialback-without-dialback, I'd be
interested.

> Dave: if you could generate certificates signed by an intermediate
> CA that would be nice to test if servers actually send the whole
> chain.

I'm not generating the certificates, but yes, that should be possible.

Dave.
--
Dave Cridland - mailto:[email protected] - xmpp:[email protected]
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
_______________________________________________
JDev mailing list
Forum: http://www.jabberforum.org/forumdisplay.php?f=20
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
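One way to exercise the strict "tls-as-defined-in-the-specs" mode against the chain, dummy-domain and expiry cases discussed in the thread, as an added example that is not part of the thread or of any server mentioned in it: a stand-alone Go program using crypto/x509 that builds a constructed root -> intermediate -> leaf PKI for the assumed domain example.net and shows which presented chains a strict verifier accepts. Revocation is left out because Go's verifier does no CRL checking, which is the point Dave raises about M-Link.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes a CA (isCA) or server cert for name, signed by parent/parentKey or self-signed when parent is nil.
func issue(name string, serial int64, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name}, IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter}
	if !isCA { // server cert: the peer domain goes in the SAN, which is what hostname checks use
		t.KeyUsage, t.DNSNames = x509.KeyUsageDigitalSignature, []string{name}
	}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// VerifyPeer is the strict check: chain to a trusted root via only the intermediates the peer sent, for the expected domain.
func VerifyPeer(leaf *x509.Certificate, sent, roots *x509.CertPool, expected string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: sent, DNSName: expected})
	return err
}
// Scenarios builds root -> intermediate -> leaf for example.net (constructed names) and runs the thread's cases.
func Scenarios() map[string]error {
	soon, past := time.Now().Add(24*time.Hour), time.Now().Add(-time.Minute)
	root, rootKey := issue("Test Root CA", 1, true, soon, nil, nil)
	inter, interKey := issue("Test Intermediate CA", 2, true, soon, root, rootKey)
	leaf, _ := issue("example.net", 3, false, soon, inter, interKey)
	expired, _ := issue("example.net", 4, false, past, inter, interKey)
	roots, chain := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	chain.AddCert(inter) // what a well-behaved peer sends alongside its leaf
	return map[string]error{ // nil means the strict verifier would accept the peer
		"full chain, expected domain": VerifyPeer(leaf, chain, roots, "example.net"),
		"intermediate not sent":       VerifyPeer(leaf, nil, roots, "example.net"),
		"cert for a dummy domain":     VerifyPeer(leaf, chain, roots, "dummy.example"),
		"expired certificate":         VerifyPeer(expired, chain, roots, "example.net"),
	}
}
```

Only the first case returns nil; the "intermediate not sent" case is the one that catches a server that presents its leaf without the intermediate, which a lenient verifier with the intermediate already cached would never notice.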