On 2013-11-04 03:01, Peter Kieser wrote:
> Shouldn't the SSL certificate CN match the hostname listed in the "IN
> SRV" record, since that's the hostname a S2S connection will open to.

No! The domain should match a subjectAltName. Ignore hostnames, ignore commonNames. Exceptions are either fallbacks that you should not strive for, or DNA / DNSSEC / DANE related things that are not widely implemented or deployed.

See also:
https://plus.google.com/+DaveCridland/posts/fAdAUa62rse
http://prosody.im/doc/certificates#which_domain

--
Regards,
Kim "Zash" Alvefur

PS: This misconception, where does it come from? DS;
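The rule from the reply above, as an added example that is not part of the original message or of any XMPP server's code: the peer certificate is checked against the XMPP domain through its dNSName subjectAltName entries, and neither the commonName nor the SRV target hostname is consulted. It assumes the certificate is given in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()` and that chain validation happens elsewhere; the function names and all sample certificates are constructed for illustration, and only dNSName entries are handled.

```python
# Added example. Certificates below are constructed sample data in the
# dict shape of ssl.SSLSocket.getpeercert(); they describe no real server.

def _dns_name_matches(pattern: str, domain: str) -> bool:
    """Compare one dNSName with a domain, label by label.

    A '*' is honoured only as the entire left-most label and only when
    at least two fixed labels follow it, so '*.org' never matches.
    """
    p = pattern.lower().rstrip(".").split(".")
    d = domain.lower().rstrip(".").split(".")
    if len(p) != len(d) or not all(p):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == d[1:]
    return p == d


def cert_covers_xmpp_domain(peercert: dict, xmpp_domain: str) -> bool:
    """True if a dNSName subjectAltName covers the XMPP domain.

    The subject commonName and the SRV target hostname are deliberately
    ignored: the SRV answer arrives over DNS that is normally not
    authenticated, so it cannot be the identity that gets verified.
    """
    sans = peercert.get("subjectAltName", ())
    dns_names = [value for kind, value in sans if kind == "DNS"]
    return any(_dns_name_matches(name, xmpp_domain) for name in dns_names)


# Constructed scenario: example.org delegates XMPP via SRV to
# xmpp1.hosting.example, which is where the TCP connection is opened.
GOOD_CERT = {  # SANs name the XMPP domain itself
    "subject": ((("commonName", "xmpp1.hosting.example"),),),
    "subjectAltName": (("DNS", "example.org"), ("DNS", "*.example.org")),
}
SRV_HOST_CERT = {  # only names the SRV target hostname
    "subject": ((("commonName", "xmpp1.hosting.example"),),),
    "subjectAltName": (("DNS", "xmpp1.hosting.example"),),
}
CN_ONLY_CERT = {  # domain appears only in the commonName
    "subject": ((("commonName", "example.org"),),),
}

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("srv-host", SRV_HOST_CERT),
                        ("cn-only", CN_ONLY_CERT)):
        print(label, cert_covers_xmpp_domain(cert, "example.org"))
```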
