On Thu, 21 Mar 2013, Peter Viskup wrote:
> Dear all,
> let me share the list of XMPP servers which use 'not secure' SSL certs on
> 5223 port:
openssl has starttls for xmpp so you could try that on port 5222.
It apparently supports s2s now, too. Or there is a patch that makes it
capable of doing s2s.
> CN is common name of the issuer of that cert. I didn't perform deeper
> analysis. This is just an incomplete view of the issue with the servers not
> using [CACert,StartSSL]-signed certs.
> I wasn't able to get the certs from all servers and filtered all with issuer
> of one of these "/CAcert|StartCom|CA Cert|Thawte|RapidSSL/".
You also need to look at other fields, most notably dNSName and attempt to
match it against the target name you wanted to connect to using the rules
from RFC 6125.
> Checked 213 servers (list from jabberes.org or coccinella stats) and got SSL
> info on port 5223 from 94 servers only (openssl s_client) and 20 of them have
> 'wrong' certs installed.
> Hope this helped to see the reality a little (as it is not complete :-) ).
> Would be great to have a closer look at the reality with more information.
Well, TLS usage is a mess. Welcome to nobody cares.
I really wonder where I have the script I used five years ago...