Badlop wrote:
bear wrote:
We will be setting up a test domain and will be providing a CA, so
each server would:

  - have an issued Certificate(s)

2010/11/10 Philipp Hancke<fi...@goodadvice.pages.de>:
Testing cases where it should not work (like revoked certificates) is more
interesting than making sure things work. Testing the verification of
domain-based application service identity would be nice, too.


For that additional testing, the XSF could also provide wrong certs:
one revoked, another for a dummy domain, etc. And then the server
administrators set up additional vhosts which use those certs.

That requires two modes of operation for the servers:
- oh-yeah-tls-is-so-cool: Basically the normal mode of operation as currently used on "the public network" where servers ignore revoked (expired, ...) certs or the mismatch of the certificate for "dummy domain".

- tls-as-defined-in-the-specs: if a server connects to another server and does not get a valid and trusted certificate for the expected peer domain it will disconnect. Additionally, that server will not allow another server to use dialback, but require XEP 0178 style authentication.

Do we bother with testing dialback, too?

Dave: if you could generate certificates signed by an intermediate CA that would be nice to test if servers actually send the whole chain.

cheers

philipp
_______________________________________________
JDev mailing list
Forum: http://www.jabberforum.org/forumdisplay.php?f=20
Info: http://mail.jabber.org/mailman/listinfo/jdev
Unsubscribe: jdev-unsubscr...@jabber.org
_______________________________________________
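The two modes of operation described in the message above, as an added example that is not part of the original thread or any server's code. The mode names, result strings, the `PeerCert` summary, the `.test` domains and the wildcard rule are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class PeerCert:
    """Constructed summary of what TLS verification found for one peer."""
    dns_names: list = field(default_factory=list)  # names the cert was issued for
    chain_trusted: bool = True  # False e.g. when the intermediate CA was not sent
    revoked: bool = False
    expired: bool = False

def name_matches(pattern: str, domain: str) -> bool:
    """Case-insensitive match; '*' is accepted only as the whole left-most
    label and never directly under a top-level domain (assumed rule)."""
    p = pattern.lower().rstrip(".").split(".")
    d = domain.lower().rstrip(".").split(".")
    if len(p) != len(d):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == d[1:]
    return p == d

def cert_problems(cert: PeerCert, expected_domain: str) -> list:
    """List every reason the cert is not valid and trusted for the peer domain."""
    problems = []
    if not cert.chain_trusted:
        problems.append("untrusted-chain")
    if cert.revoked:
        problems.append("revoked")
    if cert.expired:
        problems.append("expired")
    if not any(name_matches(n, expected_domain) for n in cert.dns_names):
        problems.append("name-mismatch")
    return problems

def s2s_decision(mode: str, cert: PeerCert, expected_domain: str) -> tuple:
    """mode 'strict' = tls-as-defined-in-the-specs; anything else = lax mode."""
    problems = cert_problems(cert, expected_domain)
    if mode == "strict":
        # No dialback fallback: either XEP-0178 style auth or disconnect.
        return ("disconnect", problems) if problems else ("xep-0178-auth", [])
    # Lax mode: problems are recorded but ignored, dialback stays allowed.
    return ("continue-dialback-allowed", problems)

if __name__ == "__main__":
    # Constructed test vhosts mirroring the cases proposed in the thread.
    vhosts = {"good.xmpp.test": PeerCert(["good.xmpp.test"]),
              "revoked.xmpp.test": PeerCert(["revoked.xmpp.test"], revoked=True),
              "vhost.xmpp.test": PeerCert(["dummy.xmpp.test"]),
              "chain.xmpp.test": PeerCert(["chain.xmpp.test"], chain_trusted=False)}
    for domain, cert in vhosts.items():
        print(domain, s2s_decision("strict", cert, domain), s2s_decision("lax", cert, domain))
```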
