Peter Saint-Andre wrote: [...]
As a result, it is possible that admins might feel the need to request multiple Class 1 certs in order to deploy an XMPP service (if they are not able to obtain a Class 2 certificate). For example, at the jabber.org service we might use one Class 1 certificate for the domain name "jabber.org" and another Class 1 certificate for the domain name "conference.jabber.org". This would require our XMPP server software to present the "jabber.org" certificate when a peer server attempts to open an s2s connection to the jabber.org domain, whereas it would present the "conference.jabber.org" certificate when someone from a peer server attempts to join a chatroom at the conference.jabber.org MUC service. I do not know of any XMPP server software that can present two (or more) different certs for s2s connections depending on the domain name specified by the peer server.
This is how Matthias implemented s2s TLS in jabberd.
How would current servers handle this? Do we really need to worry about
Nobody cares about the content of s2s certificates when connecting to a remote domain. Therefore nobody bothers to present the right certificate.

philipp
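The per-domain certificate selection discussed in this thread, as an added example that is not part of the original messages and is not jabberd's code: the receiving server reads the `to` attribute of the peer's opening stream header and picks the matching certificate before answering STARTTLS. The function names, the `CERTS` mapping and the file paths are assumptions made for illustration.

```python
import ssl
from xml.etree.ElementTree import XMLPullParser, ParseError

STREAM_TAG = "{http://etherx.jabber.org/streams}stream"
MAX_HEADER = 4096  # refuse oversized stream headers before parsing

# Constructed mapping: one certificate per hosted domain.
# The file paths are placeholders, not real jabber.org paths.
CERTS = {
    "jabber.org": ("certs/jabber.org.pem", "certs/jabber.org.key"),
    "conference.jabber.org": ("certs/conference.jabber.org.pem",
                              "certs/conference.jabber.org.key"),
}

def requested_domain(header: bytes) -> str:
    """Return the 'to' domain from an opening s2s stream header."""
    if len(header) > MAX_HEADER:
        raise ValueError("stream header too large")
    parser = XMLPullParser(events=("start",))
    try:
        parser.feed(header)
        getattr(parser, "flush", lambda: None)()  # only on newer Pythons
        events = list(parser.read_events())
    except ParseError as exc:
        raise ValueError("malformed stream header") from exc
    for _event, elem in events:
        if elem.tag != STREAM_TAG:
            raise ValueError("not an XMPP stream header")
        to = elem.get("to")
        if not to:
            raise ValueError("stream header has no 'to' attribute")
        # Simplified normalisation; a real server applies IDNA/nameprep.
        return to.strip().lower().rstrip(".")
    raise ValueError("incomplete stream header")

def select_cert(header: bytes, certs=CERTS):
    """Pick the (certfile, keyfile) pair for the domain the peer addressed."""
    domain = requested_domain(header)
    if domain not in certs:
        # Fail closed instead of falling back to an unrelated certificate.
        raise LookupError(f"no certificate configured for {domain!r}")
    return domain, certs[domain]

def tls_context_for(header: bytes) -> ssl.SSLContext:
    """Build the server-side context used once STARTTLS is accepted."""
    _domain, (certfile, keyfile) = select_cert(header)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx
```
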