Tony Finch wrote:

> Following a discussion on the ejabberd list, I've noticed that XEP 178
> makes no mention of certificates being presented by the target of a
> connection and verified by the source of the connection, as is usual. I
> guess that this is a mistake, since it is omitted for both c2s and s2s
> connections, and client verification of server certificates is normal
> enough that perhaps the document just assumes it will happen. This has led
> to a bug in ejabberd such that it presents the wrong s2s certificate on
> incoming connections to non-primary domains, and doesn't verify the
> target's certificate on outgoing s2s connections, leaving it open to
> spoofing attacks.
It's not 100% clear to me what you're referring to, but I didn't pay close attention to the ejabberd thread. If you are referring to certificate validation, that is covered in RFC3920:

http://www.xmpp.org/rfcs/rfc3920.html#tls-overview (see items 7 and 8)
http://www.xmpp.org/rfcs/rfc3920.html#security-validation

See also rfc3920bis:

http://www.xmpp.org/internet-drafts/draft-saintandre-rfc3920bis-03.html#tls-process-neg
http://www.xmpp.org/internet-drafts/draft-saintandre-rfc3920bis-03.html#security-validation

/psa
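The check the thread says was missing on outgoing s2s connections, and the per-domain certificate selection that was wrong on incoming ones, both reduce to one rule: the identifiers in a certificate must match the XMPP domain the stream is addressed to. The following is an added example written for this page, not code from the thread, from ejabberd or from the RFCs. It assumes the certificate is in the decoded shape that Python's `ssl.SSLSocket.getpeercert()` returns, and the matching rules it applies (dNSName entries take precedence over commonName; one `*` may stand for the whole leftmost label) are my choice, following the later RFC 6125 guidance rather than anything RFC 3920 spells out. `otherName` entries such as id-on-xmppAddr are not exposed by `getpeercert()` and so are not handled here.

```python
"""Server-identity matching for an XMPP peer certificate.

The name compared against is the XMPP domain the stream was opened to
(the 'to' attribute), never the host that SRV/A resolution returned:
an attacker who controls DNS can pick the host, but not the domain the
connecting side intended to reach.
"""
import ssl

# Constructed sample certificates in ssl.getpeercert() form (not real certs).
SAMPLE_CERTS = {
    # Non-primary domain cert: SAN carries the domain plus a wildcard.
    "example.net": {
        "subject": ((("commonName", "jabber.example.net"),),),
        "subjectAltName": (("DNS", "example.net"), ("DNS", "*.example.net")),
    },
    # CN names the domain, but a dNSName SAN is present, so the CN is ignored.
    "mismatch": {
        "subject": ((("commonName", "example.org"),),),
        "subjectAltName": (("DNS", "other.example"),),
    },
    # Legacy cert with no SAN: commonName is the only identifier.
    "example.org": {"subject": ((("commonName", "Example.ORG"),),)},
}


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot is not significant.
    return name.rstrip(".").lower()


def _name_matches(pattern: str, domain: str) -> bool:
    pattern, domain = _normalize(pattern), _normalize(domain)
    if "*" not in pattern:
        return pattern == domain
    p_labels, d_labels = pattern.split("."), domain.split(".")
    # Only the entire leftmost label may be a wildcard, it must match exactly
    # one label, and "*.tld" (a registry-controlled suffix) is refused.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(d_labels):
        return False
    return p_labels[1:] == d_labels[1:]


def cert_identifiers(peer_cert: dict) -> tuple[list[str], list[str]]:
    """Return (dNSName SAN entries, commonName entries) from a getpeercert() dict."""
    dns = [v for (k, v) in peer_cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in peer_cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return dns, cns


def cert_matches_domain(peer_cert: dict, xmpp_domain: str) -> bool:
    """Outgoing side: does the presented certificate name the domain we asked for?"""
    dns_names, common_names = cert_identifiers(peer_cert)
    # commonName is a fallback only when the cert has no dNSName at all.
    candidates = dns_names if dns_names else common_names
    return any(_name_matches(c, xmpp_domain) for c in candidates)


def select_certificate(certs: dict, xmpp_domain: str):
    """Incoming side: pick the certificate that actually names the requested
    domain, instead of always presenting the primary domain's certificate."""
    for cert in certs.values():
        if cert_matches_domain(cert, xmpp_domain):
            return cert
    return None


def outgoing_context() -> ssl.SSLContext:
    """TLS context for connections we initiate: a certificate is required and
    its identity is checked by the library against server_hostname, which the
    caller must set to the XMPP domain when wrapping the socket."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    for domain in ("example.net", "conference.example.net", "example.org", "other.example"):
        chosen = select_certificate(SAMPLE_CERTS, domain)
        print(domain, "->", cert_identifiers(chosen) if chosen else "no certificate")
```

When the stdlib context above is used with `wrap_socket(sock, server_hostname=xmpp_domain)`, the library performs the dNSName/commonName comparison itself; the explicit matcher makes the rule visible and is what a server needs on the incoming side, where no library does the selection for it.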
