Peter Saint-Andre wrote:
> Shumon Huque wrote:
> [...]
>> 2. Look for expected server identity (either JID domain or explicitly
>> configured server hostname) in:
>>
>> a. subjectAltName otherName field of type id-on-xmppAddr
>
> But I think we deprecate this for servers, so at least it should go
> after your (b).

This sounds reasonable.

If you want to retain compatibility with other protocols like HTTP and
SMTP, you should keep it.

>> b. subjectAltName dNSName field
>> c. subject DN's Common Name field
>
> Do we really want to check the CN? It's been deprecated for years.

As a side note, CN is the easiest thing to set with openssl tools.
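As an added illustration (not code from this thread or from any XMPP implementation), here is a Python identity check built on the `cryptography` library that applies the order Peter proposes: dNSName before id-on-xmppAddr, with the CN consulted only as an opt-in fallback when the certificate carries no subjectAltName at all. The self-signed test certificate, its names and the `allow_cn` flag are constructed for this example.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

ID_ON_XMPPADDR = x509.ObjectIdentifier("1.3.6.1.5.5.7.8.5")  # otherName type for XMPP addresses


def _utf8string(der: bytes) -> str:
    """Decode the short-form DER UTF8String (tag 0x0c) carried in otherName.value."""
    if len(der) < 2 or der[0] != 0x0C or der[1] >= 0x80 or len(der) != 2 + der[1]:
        raise ValueError("otherName value is not a short-form DER UTF8String")
    return der[2:].decode("utf-8")


def match_server_identity(cert, expected, allow_cn=False):
    """Return the field that matched ('dNSName', 'id-on-xmppAddr', 'CN') or None."""
    # Order: dNSName, then id-on-xmppAddr; CN only when allow_cn is set and there is no SAN.
    expected = expected.lower()
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    except x509.ExtensionNotFound:
        san = None
    if san is not None:
        if any(d.lower() == expected for d in san.get_values_for_type(x509.DNSName)):
            return "dNSName"
        for other in san.get_values_for_type(x509.OtherName):
            if other.type_id == ID_ON_XMPPADDR and _utf8string(other.value).lower() == expected:
                return "id-on-xmppAddr"
        return None  # a SAN is present, so the CN is ignored entirely
    if allow_cn:
        cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
        return "CN" if any(str(a.value).lower() == expected for a in cns) else None
    return None


def make_test_cert(cn, dns=None, xmpp=None):
    """Constructed self-signed certificate for the demonstration (not a real server cert)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))
    names = [x509.DNSName(dns)] if dns else []
    if xmpp:  # the otherName value must be the DER-encoded UTF8String, not the bare text
        raw = xmpp.encode("utf-8")
        names.append(x509.OtherName(ID_ON_XMPPADDR, b"\x0c" + bytes([len(raw)]) + raw))
    if names:
        builder = builder.add_extension(x509.SubjectAlternativeName(names), critical=False)
    return builder.sign(key, hashes.SHA256())
```

Note that a certificate with any subjectAltName never falls through to the CN, which is how the check keeps the deprecated CN path from silently rescuing a mis-issued certificate.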
