On 2013-11-03 at 18:01 -0800, Peter Kieser wrote:
> Shouldn't the SSL certificate CN match the hostname listed in the "IN
> SRV" record, since that's the hostname a S2S connection will open to.
Not unless the peer server's operator is publishing DNSSEC records for the domain and the connection-initiating server is using a trusted validating resolver (or validating itself) and checking that the data from DNS is actually secure. Otherwise, the name you're validating is insecure, as an attack on DNS would change the hostname in the SRV record to xmpp.evil.tld, and the evil.tld operators could have a legitimate, trusted-CA certificate for their own hostname.

_If_ you have DNSSEC set up, to the point where you can use DANE, then yes, under the DANE rules you'd use the hostname from the SRV record, to better support service hosting.

Hrm, think I only support the DANE approach, which could be an issue, and not seeing how to decode the xmppAddr entries in the SAN field of the cert, and failed to keep notes of how I generated it. Fail. :(

-Phil
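The rule Phil describes, as an added worked example that is not part of the thread or of any XMPP server's code: the SRV target is only admitted as a certificate reference name when the SRV answer itself was DNSSEC-validated, otherwise only the domain you set out to reach counts. The `SrvResult` and `Certificate` types, the function names and the sample inputs are all constructed for this illustration; xmppAddr values are assumed to be already decoded strings.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class SrvResult:
    target: str             # hostname from the _xmpp-server._tcp SRV record
    dnssec_validated: bool  # True only if a trusted validating resolver set the AD bit


@dataclass
class Certificate:
    cn: str = ""
    dns_names: List[str] = field(default_factory=list)   # SAN dNSName entries
    xmpp_addrs: List[str] = field(default_factory=list)  # SAN otherName XmppAddr entries (decoded)


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def reference_names(origin_domain: str, srv: Optional[SrvResult]) -> Set[str]:
    """Identifiers the peer's certificate is allowed to match.

    The domain we set out to reach is always acceptable.  The SRV target is
    acceptable only when the SRV lookup was DNSSEC-validated; an
    unauthenticated SRV answer could have been rewritten by a DNS attacker
    to point at a host whose operator holds a perfectly valid certificate.
    """
    names = {_norm(origin_domain)}
    if srv is not None and srv.dnssec_validated:
        names.add(_norm(srv.target))
    return names


def _dns_name_matches(ref: str, presented: str) -> bool:
    # Exact match, or a single left-most wildcard label (*.example.net covers xmpp.example.net).
    if presented == ref:
        return True
    if presented.startswith("*."):
        suffix = presented[1:]
        return ref.endswith(suffix) and "." not in ref[: -len(suffix)]
    return False


def certificate_acceptable(origin_domain: str, srv: Optional[SrvResult], cert: Certificate) -> bool:
    refs = reference_names(origin_domain, srv)
    exact = {_norm(n) for n in cert.xmpp_addrs}     # xmppAddr is compared exactly, no wildcards
    dns = {_norm(n) for n in cert.dns_names}
    if not exact and not dns and cert.cn:           # CN is only a fallback when no SAN is present
        exact.add(_norm(cert.cn))
    return any(r in exact or any(_dns_name_matches(r, d) for d in dns) for r in refs)
```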
