On 2015-11-06 11:28, Georg Lukas wrote:
> * Travis Burtrum <[email protected]> [2015-11-05 20:56]:
>> That was a deliberate decision on my part, and does not affect
>> security in the way you mentioned because I explicitly state:
>>> TLS certificates MUST be validated the same way as for STARTTLS.
>> (i.e., as specified in XMPP Core).
>
> So let's assume I want to connect as [email protected] and the SRV
> record is
>
> _xmpp-client._tls.example.com. IN SRV 5 1 443 xmpp.example.com.
>
> My client then makes a TCP connection to xmpp.example.com:443, requests
> xmpp.example.com via SNI, and the server is expected to return the
> certificate for example.com instead, which the client verifies?
That's ... unpleasant. At least Prosody has absolutely no idea what SRV
targets point at it. Suppose you could index all configured certificates
on what names they claim.

RFC 7673 has some guidance on this, though mostly in the context of DNSSEC.

> The service domain name is still the preferred name for TLS SNI or its
> equivalent (this reduces code complexity and the possibility of
> interoperability problems).

https://tools.ietf.org/html/rfc7673#section-4.1

-- 
Kim "Zash" Alvefur
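As an added example (not code from this thread, from Prosody, or from the XEP under discussion), here is how a client following the RFC 7673 guidance quoted above would turn the SRV record from the thread into TLS connection parameters: TCP to the SRV target and port, but SNI and certificate name checking against the service domain taken from the JID, never against the SRV target. The JID user@example.com, the zone-file parser, and the subjectAltName lists fed to the checker are constructed for this example; the wildcard rule follows RFC 6125 section 6.4.3 (one left-most label only).

```python
"""Planning a direct-TLS XMPP connection from a _xmpp-client._tls SRV record.

Illustrative code for the thread above, not from any XMPP project.
"""
from dataclasses import dataclass
import socket
import ssl

SERVICE_PREFIX = "_xmpp-client._tls."


@dataclass(frozen=True)
class SrvRecord:
    owner: str      # e.g. "_xmpp-client._tls.example.com"
    priority: int
    weight: int
    port: int
    target: str     # e.g. "xmpp.example.com"


def parse_srv(line: str) -> SrvRecord:
    """Parse one zone-file style SRV line such as
    '_xmpp-client._tls.example.com. IN SRV 5 1 443 xmpp.example.com.'"""
    fields = line.split()
    if len(fields) != 7 or fields[1:3] != ["IN", "SRV"]:
        raise ValueError(f"not a zone-file SRV record: {line!r}")
    owner, _, _, prio, weight, port, target = fields
    return SrvRecord(owner.rstrip(".").lower(), int(prio), int(weight),
                     int(port), target.rstrip(".").lower())


@dataclass(frozen=True)
class ConnectionPlan:
    connect_host: str   # where the TCP connection goes (SRV target)
    connect_port: int   # SRV port
    sni_name: str       # what goes into TLS SNI (service domain, RFC 7673 4.1)
    verify_name: str    # what the certificate must cover (service domain)


def plan_connection(jid: str, rr: SrvRecord) -> ConnectionPlan:
    """Derive TLS parameters for a JID from its _xmpp-client._tls record.

    The service domain comes from the JID, not from the SRV target: the SRV
    owner name must be the service prefix plus that domain, otherwise the
    record is not the one we asked for.
    """
    service_domain = jid.rsplit("@", 1)[-1].lower().rstrip(".")
    if rr.owner != SERVICE_PREFIX + service_domain:
        raise ValueError(f"SRV owner {rr.owner!r} is not for {service_domain!r}")
    return ConnectionPlan(connect_host=rr.target, connect_port=rr.port,
                          sni_name=service_domain, verify_name=service_domain)


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style dNSName comparison: exact match, or a wildcard that
    covers exactly one left-most label ('*.example.com' matches
    'xmpp.example.com' but neither 'example.com' nor 'a.b.example.com')."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".example.com"
    if not host.endswith(suffix) or len(host) <= len(suffix):
        return False
    return "." not in host[: -len(suffix)]    # only one label may be covered


def certificate_covers(san_dns_names, plan: ConnectionPlan) -> bool:
    """True if any dNSName in the presented certificate covers the service
    domain. A certificate naming only the SRV target (the server picking by
    hostname, as in the scenario quoted above) fails this check."""
    return any(dns_name_matches(name, plan.verify_name) for name in san_dns_names)


def open_direct_tls(plan: ConnectionPlan, timeout: float = 10.0) -> ssl.SSLSocket:
    """Actually connect (network access required; not exercised offline).

    In Python's ssl module, server_hostname is used both for the SNI
    extension and for the hostname check, so sending the service domain in
    SNI, as RFC 7673 recommends, is also the path of least resistance here.
    """
    ctx = ssl.create_default_context()  # chain + hostname verification on
    sock = socket.create_connection((plan.connect_host, plan.connect_port), timeout=timeout)
    return ctx.wrap_socket(sock, server_hostname=plan.sni_name)


if __name__ == "__main__":
    # Constructed input: the record from the thread and an assumed JID.
    record = parse_srv("_xmpp-client._tls.example.com. IN SRV 5 1 443 xmpp.example.com.")
    plan = plan_connection("user@example.com", record)
    print(plan)
    print("cert for example.com ok:", certificate_covers(["example.com"], plan))
    print("cert for xmpp.example.com ok:", certificate_covers(["xmpp.example.com"], plan))
```

The last two prints make the thread's point concrete: with the SNI and verification name both set to the service domain, a server that picked its certificate by the SRV target name (xmpp.example.com only) would fail verification, while a certificate for example.com, or a *.example.com wildcard covering the target, is evaluated purely against example.com.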
