On 19 July 2016 at 17:36, Marvin Gülker <m-guel...@phoenixmail.de> wrote:
> On Tue, 19 Jul 2016 16:15:40 +0200, Florian Schmaus <f...@geekplace.eu> wrote:
>
> > Isn't one problem that a cert with CN "example.org" will be valid for
> > all services found on example.org (simply speaking), whereas when
> > using SRV-ID restricts the cert to a particular service?
>
> I have always wondered about which domains should actually be included
> into a TLS certificate for use in XMPP services once an SRV record is
> in place. Do I need a certificate which covers xmpp.example.com? Or
> does one for example.com suffice, given that that's what is actually
> part of the JIDs? Or do I even need one that covers
> _xmpp-server._tcp.example.com and _xmpp-client._tcp.example.com? A
> combination of these three?
>
> If any more than one of these is required, this rules out simple certs
> only covering a CN, at least one SAN is required.
>
> Ideas, anyone? Is there a documentation of the actual practice?

Yes, in RFC 5280, RFC 6125, and RFC 6120. But they're relatively tough reading (especially 5280).

Loosely, what goes in, must come out: The thing initiating the session has a service it wants, and a name it wants to get the service for. In our case, the service is always XMPP, but could be either xmpp-client or xmpp-server. The name is always the XMPP domain. So these are what goes in.

What comes out of the certificate, therefore, has to be the service (if we care) and the XMPP domain.

The "CN" - actually the Common Name RDN of the Subject Distinguished Name - is the old-fashioned way of doing this (and boy is it old-fashioned - this dates from the early '90s and has somehow clung on). Certificates also have one or more Subject Alternate Names, which can be (and often are) DNSNames, which are "just the domain". If we care about the service, then we want that to be present too - a sRVName type SAN can contain these (perhaps _xmpp-server.example.com - note the _tcp is missing), or an XMPPAddress SAN, or even a URI SAN. We usually don't, though, and these certificates have become very hard to obtain anyway.

Things we get from DNS during the connection - stuff like the hostname, and IP address - can be used, but only if they've been secured by DNSSEC. If DNSSEC is in play, then DANE can also come in - but DNSSEC only accounts for a small percentage of XMPP servers. In any case, it's the same - what goes in (via the crypto) must come out.

So in the example you give, just "example.com" is fine.

For a remarkably silly description of this, there's also http://wiki.xmpp.org/web/The_Knight

Dave.

> Greetings
> Marvin
>
> --
> Blog: http://www.guelkerdev.de
> PGP/GPG ID: F1D8799FBCC8BC4F
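The "what goes in must come out" rule from the reply above, as an added example that is not part of the original thread: a small Python checker that derives the RFC 6125 reference identifiers for an XMPP service and domain and tests them against the identifiers a certificate presents. The `Cert` class and the sample certificates are constructed stand-ins for a parsed X.509 certificate, not a real parser, and the CN fallback and wildcard rule follow RFC 6125 sections 6.4.3 and 6.4.4.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Cert:
    """Constructed stand-in for a parsed X.509 certificate (an assumption, not a real parser)."""
    common_name: Optional[str] = None            # Subject CN RDN, the old-fashioned CN-ID
    dns_names: list = field(default_factory=list)   # SAN dNSName entries (DNS-ID)
    srv_names: list = field(default_factory=list)   # SAN SRVName entries (SRV-ID), e.g. "_xmpp-server.example.com"
    xmpp_addrs: list = field(default_factory=list)  # SAN XmppAddr entries

def reference_identifiers(service: str, domain: str) -> dict:
    """What goes in: the service (xmpp-client or xmpp-server) and the XMPP domain,
    expressed as the identifiers RFC 6125 / RFC 6120 allow a certificate to present."""
    d = domain.lower()
    return {"SRV-ID": f"_{service}.{d}", "XmppAddr": d, "DNS-ID": d}

def _dns_id_matches(reference: str, presented: str) -> bool:
    """RFC 6125 section 6.4.3: a wildcard counts only as the complete left-most label and
    never spans a dot, so '*.example.com' covers 'im.example.com' but not 'example.com'."""
    presented = presented.lower()
    if not presented.startswith("*."):
        return reference == presented
    ref_labels, pres_labels = reference.split("."), presented.split(".")
    return len(ref_labels) == len(pres_labels) and ref_labels[1:] == pres_labels[1:]

def certificate_matches(cert: Cert, service: str, domain: str) -> Optional[str]:
    """Return the kind of presented identifier that satisfied the check, or None.
    Service-specific types are tried first; the CN is consulted only when the
    certificate carries no subjectAltName of a supported type (RFC 6125 section 6.4.4)."""
    refs = reference_identifiers(service, domain)
    if any(s.lower() == refs["SRV-ID"] for s in cert.srv_names):
        return "SRV-ID"
    if any(x.lower() == refs["XmppAddr"] for x in cert.xmpp_addrs):
        return "XmppAddr"
    if any(_dns_id_matches(refs["DNS-ID"], p) for p in cert.dns_names):
        return "DNS-ID"
    if not (cert.srv_names or cert.xmpp_addrs or cert.dns_names):
        if cert.common_name and cert.common_name.lower() == refs["DNS-ID"]:
            return "CN-ID"
    return None

# Constructed sample certificates for the example.com question in the thread.
CN_ONLY = Cert(common_name="example.com")                        # legacy CN-only cert
DNS_SAN = Cert(common_name="ignored", dns_names=["example.com"])  # SAN present, CN ignored
CLIENT_ONLY = Cert(srv_names=["_xmpp-client.example.com"])       # restricted to one service
HOSTNAME_ONLY = Cert(dns_names=["xmpp.example.com"])             # SRV target host, not the XMPP domain
```

`HOSTNAME_ONLY` fails for the domain because the SRV target hostname is not a reference identifier unless the DNS answer was DNSSEC-secured, which this checker does not model.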