Martin Vietz <lists_jabber_...@martin.vietz.eu> writes:

> Hi Tomasz,
>
> On 10.07.2016 23:30, Tomasz Sterna wrote:
>> I am already using letsencrypt for https, but I wasn't sure it would
>> work with XMPP.
>
> You can also secure all other services using ssl/tls with x509, e.g.
> SMTP, IMAP, FTP over SSL, Mumble

Let's Encrypt does not to my knowledge support the XMPP SRV-ID
SubjectAltName attribute. So you cannot use it for all kinds of
TLS-enabled XMPP setups.

On this topic, it seems that several XMPP clients do not handle the SAN
properly either. I did some experiments with my own custom XMPP CA that
refers to two domains "sjd.se" and "josefsson.org" earlier:

https://blog.josefsson.org/2015/05/12/certificates-for-xmpp-jabber/

Several XMPP clients I have tested do not deal well with this. Some
clients resolved the issue, like the Android XMPP client Conversations:

https://github.com/siacs/Conversations/issues/1189

I wonder if people really care about this usage any more -- it does not
scale well (all domains have to be encoded in the same cert => big
certs) and introduces an indirection which often leaves room for
attackers.

/Simon