-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 11/06/2015 08:24 AM, Kim Alvefur wrote:
> On 2015-11-06 11:28, Georg Lukas wrote:
>> * Travis Burtrum <[email protected]> [2015-11-05 20:56]:
>>> That was a deliberate decision on my part, and does not affect
>>> security in the way you mentioned because I explicitly state:
>>>> TLS certificates MUST be validated the same way as for
>>>> STARTTLS.
>>> (i.e., as specified in XMPP Core).
>>
>> So let's assume I want to connect as [email protected] and the
>> SRV record is
>>
>> _xmpp-client._tls.example.com. IN SRV 5 1 443 xmpp.example.com.
>>
>> My client then makes a TCP connection to xmpp.example.com:443,
>> requests xmpp.example.com via SNI, and the server is expected to
>> return the certificate for example.com instead, which the client
>> verifies?
>
> That's ... unpleasant. At least Prosody has absolutely no idea
> what SRV targets point at it. Suppose you could index all
> configured certificates on what names they claim.
Prosody doesn't support SNI for xmpp-over-tls at all currently; if this XEP moves further along I was going to start writing patches for that.

With my setup currently, sslh listens on port 443. If the SNI name is xmpp.example.com the connection is sent to prosody; otherwise, if it's example.com/not set/something else, the connection is sent to nginx.

You could also do this with at least haproxy and stunnel today with no code changes to any underlying servers.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQQcBAEBCgAGBQJWPLE3AAoJEOy5uMuqxowDo7Af/2FQZyMOvviNsdXeqT7gpbgX
n5lNFfQ4pS+XKtJ9wZQ8DBpOfiBng9M7XImCe5AX9UMfCQ34N+Lsnb2IdG1Aj1cp
KRSaWFIH1qWfv8I23up8sQZhG7Xg6PuMyiXt6bpGw2iDsGxeRuzpCKeIxZYH+y2u
ErNrix5/ASatbCmzPMb/INxiNxuWD+XIKsZqs8bC5c5Nc4YCnAxPKyH2VZGohq2N
jh0hQtzdnbaZqLl+3QyoaRH7iZHxLH9aHq05bUSO+d9CKyFSGA5yyLVY+t+W92EX
zVTX130Q4YQ0QqqVaFqU12tkExQZdHy8JltkzmV8NNhb9sOaXY06TYpCAyz3TU1r
xzS7vFts4A+U/HAxSDSgUF/g7AHe4GEg5ji4o4DyeIzbcLrmdp1OP5c481tt8S6c
PIZjdsXuklH3uhKXflTPk/MaVG/X4MHLflKSj3JMxWPlfxUpcP4LNsB8MZOELHEj
fMZqUpkIrmaRYIjMWr6JagRFxWiCp3MGF2vKnTmdZs0IoCYd6lbA+p5SOECbRYB4
KDo3OGmzzqNwGQ4majDfVZjt9tiY4780SiAhGyEDnsxtvs37BMyr6Cw3QbQes67s
FuGZU32N4m08FaPimiOvDfA23YqgvII7Dix4qyr/Zg3BPULr/uK07PKbG2P/q7b9
aHiIK/dm5Vjzz8M71duveSOx+K8QySaCeIi8tQw0riaR/GIZcWoAF1VUc151dcpx
m1e88pF1minLB1X8KTxU9PiPZv18XxnDUJWSTak8P20LL/Il4ZeR512bO7wVM+Ga
Y84GaZoVy/gr0cGlCbj7F1EDAQFOPywR34MRUFeG7xrH4DEwWp6KcwRQbZ0NDpaV
g8F5OC4tx9tteA77PzHz1FsqHtpt+CoUuXX6oXw+c/HtjLSVnzVZsGtis//jaZLV
gvcEKw78D50SXRDBigy6tZSjr20X0IUOTjY3EVv0vQC9z26MgXxjYy3B/Mtf1Y6F
NhqlUpVJbI77Lp6638Yq2cBzSv5Owex+AXBuS6iLYJpbk9FSFM1KgeIJtqhIVNpw
C+/cR0fVhIiOsm6wYiGg/phegutVJW+hs9m5SNJVK30tIppKAa56Dx75ikBoVFZW
5PUVv7k0DBg6HmeYff/O0gXEuZVpSDrrhLo3RsU/mtUoW1PaY+dEebFwIEDnUgzs
rRom9ROx+pRsr3BEoHYa+Gk85wLZEiqarbd4T0beor5ng9ENFmDP2l+m8CnqXmCf
TWizkzpzypVRlA0d6112lAeS4rjKS35YXQulDaXayBQNjTFTTrS8hLiEKSoTXNA1
kvOcAdoNyBkH/J9KkD8ERj0nHr0/Dc/vQDwzBUDSytjDAIEkac35/lNjpNWYEU4=
=rs2h
-----END PGP SIGNATURE-----
