On 7/12/13 2:21 PM, Kevin Smith wrote:
> On Fri, Jul 12, 2013 at 9:16 PM, Peter Saint-Andre
> <[email protected]> wrote:
>> In general, XMPP server implementations don't perform proper (RFC
>> 6125 / RFC 6120) certificate checking and don't have an option to
>> refuse connections from domains that lack proper certificates.
>
> I thought we found in our S2S TLS interop tests a couple of years
> ago that servers generally /did/ have the options for doing secure
> S2S (with one or two exceptions), it's just that they don't get
> enabled in typical deployments.
>
> There is certainly a problem here, but it doesn't seem to me it's
> that code hasn't been written.

In the main I think you're right, although I'm not positive that all
servers perform all of the checks mentioned in RFC 6120:

http://xmpp.org/rfcs/rfc6120.html#security-certificates-validation

But the real problems seem to be in deployments, not implementations.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

_______________________________________________
JDev mailing list
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: [email protected]
_______________________________________________
