Hello Georg,

On 11/05/2015 02:21 PM, Georg Lukas wrote:
> 6. Client or server SHOULD set SNI TLS extension to the host in the
> SRV record.
>
> Is that a deliberate decision or just inappropriate wording?

That was a deliberate decision on my part, and does not affect security in the way you mentioned because I explicitly state:

> TLS certificates MUST be validated the same way as for STARTTLS.

(i.e., as specified in XMPP Core). In other words, against the domain part of the JID, so if DNS was maliciously poisoned, the certificate would not validate and the connection would be aborted. I suppose the wording could be changed to make that more clear.

The reason I chose to do it that way is so the server operator could instead multiplex multiple protocols in TLS by looking at the SNI name instead of ALPN. SNI is old and well supported by every TLS library; ALPN is new and barely supported anywhere. My server is an example: burtrum.org:443 is HTTPS, but xmpp.burtrum.org:443 is XMPP-over-TLS, decided based on the SNI name.
(sslh and stunnel both have support for this)

Thanks,
Travis