On Mon, Nov 4, 2013 at 1:09 PM, Kim Alvefur <[email protected]> wrote:

> On 2013-11-04 03:01, Peter Kieser wrote:
> > Shouldn't the SSL certificate CN match the hostname listed in the "IN SRV" record, since that's the hostname a S2S connection will open to.
>
> No! The domain should match a subjectAltName. Ignore hostnames, ignore commonNames.
>
> Exceptions are either fallbacks that you should not strive for, or DNA / DNSSEC / DANE related things that are not widely implemented or deployed.
>
> See also:
>
> https://plus.google.com/+DaveCridland/posts/fAdAUa62rse
>
> http://prosody.im/doc/certificates#which_domain
Loosely, only check a trustworthy certificate for a trustworthy identity. So if a certificate is not trustworthy, then ignore any assertions of identity. And the only identity you can consider trustworthy is the one you're starting out with; or one you can securely traverse to - this latter being the realms of DANE and POSH and so on.

Dave.
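The rule in this thread, written out as an added illustration (not code from the thread, from Prosody, or from any of the posters): the reference identifier is the XMPP domain the s2s connection started out with, the candidate identifiers come only from the certificate's subjectAltName (DNS-ID, SRV-ID and XmppAddr as RFC 6120 describes them), and neither the subject commonName nor the hostname the SRV record pointed at is consulted. Identity is checked only after the chain has been validated. The `PeerCertificate` record, the `(kind, value)` representation of SAN entries and the function names are assumptions made for this example; a real implementation would populate them from a parsed certificate and a path-validation result, and the example assumes domains are already in A-label (ASCII) form.

```python
"""Reference-identifier matching for an XMPP s2s peer certificate.

Added example: the server we set out to reach is ``requested_domain``;
the certificate's subjectAltName entries arrive as (kind, value) tuples
that a real implementation would extract from a parsed certificate.
The SRV target hostname is never passed in, and the commonName field is
carried only to show that it is ignored.
"""
from dataclasses import dataclass, field

# Identifier kinds we accept, following RFC 6120 section 13.7.1.2:
#   "dns"  -> dNSName SAN (DNS-ID); a single leftmost wildcard label allowed
#   "srv"  -> SRVName SAN (SRV-ID), e.g. "_xmpp-server.example.com"
#   "xmpp" -> id-on-xmppAddr otherName SAN (XmppAddr); exact match only
ACCEPTED_SAN_KINDS = {"dns", "srv", "xmpp"}
XMPP_SERVER_SERVICE = "_xmpp-server"


@dataclass
class PeerCertificate:
    """Hypothetical view of a peer certificate after parsing (assumption)."""
    chain_trusted: bool                   # outcome of path validation, done elsewhere
    common_name: str = ""                 # deliberately never used for matching
    sans: list = field(default_factory=list)  # [(kind, value), ...]


def _dns_id_matches(pattern: str, domain: str) -> bool:
    """DNS-ID comparison with RFC 6125 section 6.4.3 wildcard rules."""
    pattern = pattern.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if pattern == domain:
        return True
    labels = pattern.split(".")
    # The wildcard must be the whole leftmost label, must not sit in the
    # top two labels, and matches exactly one label: "*.example.com" does
    # not cover "example.com" itself.
    if labels[0] != "*" or len(labels) < 3 or "*" in "".join(labels[1:]):
        return False
    dlabels = domain.split(".")
    return len(dlabels) == len(labels) and dlabels[1:] == labels[1:]


def identity_matches(requested_domain: str, cert: PeerCertificate) -> bool:
    """True only if a trusted certificate asserts the domain we started with."""
    if not cert.chain_trusted:
        # An untrusted certificate's identity assertions carry no weight,
        # so we do not even look at them.
        return False
    wanted = requested_domain.lower().rstrip(".")
    for kind, value in cert.sans:
        if kind not in ACCEPTED_SAN_KINDS:
            continue  # e.g. email or IP SANs are irrelevant to an XMPP domain
        if kind == "dns" and _dns_id_matches(value, wanted):
            return True
        if kind == "srv":
            service, _, name = value.partition(".")
            if service.lower() == XMPP_SERVER_SERVICE and name.lower().rstrip(".") == wanted:
                return True
        if kind == "xmpp" and value.lower().rstrip(".") == wanted:
            return True
    return False


def demo() -> dict:
    """Constructed scenarios (not real certificates) showing the rule."""
    domain = "example.com"
    srv_target = "xmpp1.hosting.example.net"  # constructed SRV target hostname
    return {
        # Correct deployment: SAN carries the XMPP domain, not the SRV target.
        "san_has_domain": identity_matches(
            domain, PeerCertificate(True, srv_target, [("dns", domain)])),
        # The mistake from the question: cert names the SRV target, CN has
        # the domain. CN is ignored and the target hostname is not an identity.
        "san_has_only_srv_target": identity_matches(
            domain, PeerCertificate(True, domain, [("dns", srv_target)])),
        # Right name, untrusted chain: identity is never consulted.
        "untrusted_chain": identity_matches(
            domain, PeerCertificate(False, "", [("dns", domain)])),
        # SRV-ID for the xmpp-server service also names the domain.
        "srv_id": identity_matches(
            domain, PeerCertificate(True, "", [("srv", "_xmpp-server.example.com")])),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} -> {'accept' if ok else 'reject'}")
```

The four scenarios in `demo()` show the outcomes the thread argues for: a SAN naming the domain is accepted, a SAN naming only the SRV target is rejected even when the CN says `example.com`, and a correct name on an untrusted chain is rejected before any name comparison happens.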
