Following a discussion on the ejabberd list, I've noticed that XEP 178 makes no mention of certificates being presented by the target of a connection and verified by the source of the connection, as is usual. I guess that this is a mistake, since it is omitted for both c2s and s2s connections, and client verification of server certificates is normal enough that perhaps the document just assumes it will happen. This has led to a bug in ejabberd such that it presents the wrong s2s certificate on incoming connections to non-primary domains, and doesn't verify the target's certificate on outgoing s2s connections, leaving it open to spoofing attacks.
Tony.
-- 
f.a.n.finch <[EMAIL PROTECTED]> http://dotat.at/
IRISH SEA: SOUTHERLY, BACKING NORTHEASTERLY FOR A TIME, 3 OR 4. SLIGHT OR MODERATE. SHOWERS. MODERATE OR GOOD, OCCASIONALLY POOR.
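The two checks the post says are missing, as an added illustration that is not part of the thread and not ejabberd code: on an incoming connection, pick the certificate whose identifiers cover the domain the peer asked for instead of always presenting the primary one; on an outgoing connection, verify that the presented certificate actually names the domain that was dialed. The function names, the certificate store and the sample certificates are all constructed for this example; certificates are modelled in the dict layout that Python's ssl.SSLSocket.getpeercert() returns, so the matcher can be applied to a real peer certificate with no changes. The matcher implements the reference-identifier rules of RFC 6125 (dNSName entries first, commonName only as a fallback, a single wildcard covering exactly one leftmost label).

```python
"""Domain-aware certificate selection and target verification for XMPP s2s.

Added example, not ejabberd code. Certificates are dicts in the shape of
ssl.SSLSocket.getpeercert(); the sample certificates below are constructed.
"""
from typing import Optional


def dns_identifiers(cert: dict) -> list:
    """Return the DNS identifiers a certificate asserts.

    RFC 6125: use subjectAltName dNSName entries when any exist; fall back to
    the subject commonName only when there are none.
    """
    sans = [value.lower() for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value.lower()]
    return []


def identifier_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a '*' that is the whole leftmost label of the pattern.

    A wildcard covers exactly one label, so '*.example.org' matches
    'chat.example.org' but not 'example.org' or 'a.b.example.org'.
    """
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_target_cert(cert: dict, target_domain: str) -> bool:
    """Outgoing s2s: accept the peer only if its certificate names the domain we dialed."""
    return any(identifier_matches(p, target_domain) for p in dns_identifiers(cert))


def select_cert_for_domain(requested_domain: str, cert_store: list) -> Optional[dict]:
    """Incoming s2s: choose the certificate covering the requested (SNI / stream 'to') domain.

    Returns None when no certificate covers it, so the caller can refuse or
    log rather than silently present the primary domain's certificate.
    """
    for cert in cert_store:
        if verify_target_cert(cert, requested_domain):
            return cert
    return None


# Constructed sample certificates (not real keys or certificates).
PRIMARY_CERT = {
    "subject": ((("commonName", "jabber.example.org"),),),
    "subjectAltName": (("DNS", "jabber.example.org"), ("DNS", "*.jabber.example.org")),
}
SECONDARY_CERT = {
    "subject": ((("commonName", "chat.example.net"),),),
    "subjectAltName": (("DNS", "chat.example.net"),),
}
LEGACY_CERT = {  # no subjectAltName at all, so only the CN counts
    "subject": ((("commonName", "legacy.example.com"),),),
}
CERT_STORE = [PRIMARY_CERT, SECONDARY_CERT, LEGACY_CERT]


if __name__ == "__main__":
    # Outgoing: the primary domain's certificate must not be accepted for a
    # different domain, which is the spoofing case the post describes.
    print(verify_target_cert(PRIMARY_CERT, "jabber.example.org"))  # True
    print(verify_target_cert(PRIMARY_CERT, "chat.example.net"))    # False
    # Incoming: a non-primary domain gets its own certificate, not the primary one.
    chosen = select_cert_for_domain("chat.example.net", CERT_STORE)
    print(chosen is SECONDARY_CERT)  # True
```

The selection routine is written to return None rather than a default so that an unconfigured domain is visible as an error; presenting the primary certificate for every domain is exactly the behaviour the post reports, and a remote server doing proper verification would reject it.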
