Jefferson Ogata wrote:
Interesting. So you're saying the server looks at the @to attribute in
and chooses a certificate based on that value?
Yes.
Some servers also present the certificate of the hostname from the SRV
records. AFAIK Google is doing this.
Can you name two? I would be inter
On 2008-02-26 00:00, Alexander Gnauck wrote:
On 2008-02-26 00:55, Dave Cridland wrote:
I usually hate receiving responses like this one, but they're
nonetheless true:
The great StartTLS vs special-socket debate was over something like
10 years ago - possibly more, actually. Even in protocols which don't
offer the server id negotiation prior to TLS, as in XMPP, there are
oth
Jefferson Ogata wrote:
How, exactly, do you know? I.e. what specific prenegotiation informs the
XMPP server which domain certificate to use? Traditional STARTTLS (e.g.
in ESMTP and LDAP), AFAIK, has no such provision; this would have to be
an XMPP-specific augmentation.
from the stream head
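As an added illustration of the answer above (this is example code written for this page, not code from any of the servers or people in the thread): before STARTTLS the XMPP client has already sent its opening stream head, and the server can read the `to` attribute from it to decide which domain's certificate to present. The stream head is an unclosed start tag, so the parser closes it before handing it to the XML library. The domain-to-certificate mapping and the file paths are constructed placeholders; a real server would keep loaded key material there.

```python
import xml.etree.ElementTree as ET

# Namespace of the <stream:stream> element (from RFC 3920 / XEP docs).
STREAM_NS = "http://etherx.jabber.org/streams"

# Constructed example of a client's stream head, as sent before STARTTLS.
CLIENT_HEAD = (
    "<?xml version='1.0'?>"
    "<stream:stream xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams' "
    "to='Example.COM' version='1.0'>"
)

# Constructed placeholder mapping of served domain -> certificate file.
CERTS = {
    "example.com": "/etc/certs/example.com.pem",
    "xmpp.example.net": "/etc/certs/xmpp.example.net.pem",
}


def parse_stream_head(head: str) -> dict:
    """Return the attributes of the opening <stream:stream> tag.

    The head is only a start tag, so it is closed here to make a
    well-formed fragment. Anything that is not a stream head raises
    ValueError so the caller can reject the connection cleanly.
    """
    try:
        root = ET.fromstring(head.strip() + "</stream:stream>")
    except ET.ParseError as exc:
        raise ValueError(f"malformed stream head: {exc}") from exc
    if root.tag != f"{{{STREAM_NS}}}stream":
        raise ValueError("not an XMPP stream head")
    # ElementTree drops xmlns declarations, so attrib holds only to/version/...
    return dict(root.attrib)


def select_certificate(attrs: dict, certs: dict, default_domain: str) -> str:
    """Pick the certificate for the domain named in the stream head's 'to'.

    Domain names are compared case-insensitively and without a trailing dot.
    An unknown or missing 'to' falls back to the server's own default domain
    rather than failing, so a client that asked for a domain this host does
    not serve still sees a certificate it can evaluate (and reject).
    """
    domain = attrs.get("to", "").strip().lower().rstrip(".")
    return certs.get(domain, certs[default_domain])


if __name__ == "__main__":
    attrs = parse_stream_head(CLIENT_HEAD)
    print("client asked for:", attrs.get("to"))
    print("presenting:", select_certificate(attrs, CERTS, "xmpp.example.net"))
```

The same selection is what a client-side check should expect in return: after STARTTLS the certificate should be valid for the domain the client put in `to`, not merely for whatever hostname the SRV record pointed at.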
On 2008-02-25 15:50, Tomasz Sterna wrote:
On 2008-02-25, Mon at 15:13 +, Jefferson Ogata wrote:
> That reminds me: I've been wondering why Jabber folks have been
> encouraging STARTTLS? In general, STARTTLS has the flaw of allowing
> misconfigured clients (of any protocol) to transmit credentials in the
> clear; people wh
On 2008-02-25 00:16, Peter Saint-Andre wrote:
Tomasz Sterna wrote:
Why do you require services to be listed on the public im services list,
to run an SSL-only port for client connections?
Because we want to do this:
openssl s_client -connect example.com:5223 -CAfile ca.crt
AFAIK there is