[jdev] SASL EXTERNAL for s2s in jabberd14
Matthias Wimmer
m at tthias.net
Fri Nov 4 14:33:20 CST 2005
Hi!
I have implemented SASL EXTERNAL on s2s connections in jabberd14 over the last
few days, and I would like to share some thoughts on this, as well as get the
thoughts of other developers who have already implemented this.
- When do you offer SASL EXTERNAL on an incoming connection? I
implemented it so that the s2s connection manager always checks the peer's
certificate as soon as a TLS layer is established. Only if the
certificate could be validated (not expired; if the incoming stream had
a from attribute, that it matches the certificate; signed by a trusted
CA; ...) do I offer the peer SASL EXTERNAL. In all other cases I
know that SASL EXTERNAL would fail anyway, so I do not have to offer it.
It is better for the peer to try dialback.
- What do you do if you connected to another server which offered you
SASL auth but the authentication failed? Do you retry the connection
using dialback, or do you consider it a final auth failure? Currently
I do not retry it using dialback but bounce the stanza back to the
sender. I am aware that this might be wrong and that retrying the connection
using dialback could be better.
- I guess at least for now we have to handle certificates that do not
contain the id-on-xmppAddr object as well, and therefore have to support
domains as commonName as well. Right? In that case, it is known practice
in such certificates to have wildcards in domains, e.g. "*.example.com".
Do you handle these? How do you handle these? I am allowing such a
certificate for "subdomain.example.com", but not for "example.com".
- If the certificate is for "example.com", do you accept this
certificate to be used for "service.example.com" as well? Currently I
don't. But I am not sure if this is correct/intended by RFC3920.
- Do you support having a SASL authenticated link in one direction and a
dialback "authenticated" link in the other direction between two
servers? In particular, do you accept and process db:verify
requests received on a SASL link? Currently I do.
- Do you package a set of CA certificates with your server distribution?
Which CAs should be trusted/included?
What servers out there support SASL EXTERNAL already and are available
for at least evaluation? I'd like to do some interoperability tests.
Thank you
Matthias
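As an added illustration of the policy the post describes (this is example code written for this page, not jabberd14's own implementation), the following C program decides whether an incoming s2s peer should be offered SASL EXTERNAL: the certificate must chain to a trusted CA, be within its validity window, and, when the stream carried a 'from' attribute, cover that domain. Name matching follows the rules in the post: a wildcard "*.example.com" is accepted for "subdomain.example.com" but not for "example.com", and a plain "example.com" certificate is not accepted for "service.example.com". The `peer_cert` struct, the `chain_trusted` flag, the one-label limit on wildcards and the exact-only matching of id-on-xmppAddr entries are assumptions made for this example; a real server would fill the struct from its X.509 parser and chain verification.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define MAX_XMPP_ADDRS 4

/* Constructed stand-in for the identities an X.509 parser would return.
 * The chain verification result is assumed to be computed elsewhere. */
struct peer_cert {
    const char *xmpp_addrs[MAX_XMPP_ADDRS]; /* id-on-xmppAddr SAN entries, NULL-terminated */
    const char *common_name;                /* subject CN, may be "*.example.com" */
    time_t not_before, not_after;           /* validity window */
    int chain_trusted;                      /* 1 if signed by a trusted CA */
};

/* Case-insensitive equality of two NUL-terminated names. */
static int name_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Does certificate name `pattern` cover `domain`?
 * "*.example.com" covers "sub.example.com" (exactly one extra label) but
 * neither "example.com" nor "a.b.example.com"; a plain name covers only
 * itself, so "example.com" does not cover "service.example.com".  The
 * one-label limit on wildcards is an assumption of this example. */
int s2s_name_matches(const char *pattern, const char *domain)
{
    if (!pattern || !domain || !*pattern || !*domain)
        return 0;
    if (strncmp(pattern, "*.", 2) != 0)
        return name_ieq(pattern, domain);
    const char *dot = strchr(domain, '.');
    if (!dot || dot == domain)   /* wildcard needs a non-empty leading label */
        return 0;
    return name_ieq(pattern + 2, dot + 1);
}

/* Does the certificate entitle the peer to speak for `domain`?
 * id-on-xmppAddr entries are checked first and matched exactly (no
 * wildcards, an assumption); the CN is the fallback for certificates
 * that carry no xmppAddr. */
int s2s_cert_covers(const struct peer_cert *c, const char *domain)
{
    for (int i = 0; i < MAX_XMPP_ADDRS && c->xmpp_addrs[i]; i++)
        if (name_ieq(c->xmpp_addrs[i], domain))
            return 1;
    return c->common_name && s2s_name_matches(c->common_name, domain);
}

/* The post's rule: offer SASL EXTERNAL only when authentication with this
 * certificate could succeed -- trusted chain, within validity, and, when
 * the incoming stream carried a 'from' attribute, that domain is covered.
 * Otherwise return 0 and leave the peer to fall back to dialback. */
int s2s_offer_external(const struct peer_cert *c, const char *stream_from, time_t now)
{
    if (!c->chain_trusted)
        return 0;
    if (now < c->not_before || now > c->not_after)
        return 0;
    if (stream_from && !s2s_cert_covers(c, stream_from))
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample certificates; timestamps are arbitrary epoch values. */
    struct peer_cert wildcard = { {NULL}, "*.example.com", 1000, 2000, 1 };
    struct peer_cert apex     = { {"example.com", NULL}, "example.com", 1000, 2000, 1 };

    printf("*.example.com for subdomain.example.com: %d\n",
           s2s_offer_external(&wildcard, "subdomain.example.com", 1500));
    printf("*.example.com for example.com: %d\n",
           s2s_offer_external(&wildcard, "example.com", 1500));
    printf("example.com for service.example.com: %d\n",
           s2s_offer_external(&apex, "service.example.com", 1500));
    printf("expired certificate: %d\n",
           s2s_offer_external(&apex, "example.com", 3000));
    return 0;
}
```

Because the decision is made before the SASL feature is advertised, a peer whose certificate would fail never sees `<mechanism>EXTERNAL</mechanism>` in the stream features and goes straight to dialback, which is the behaviour the post describes; the same `s2s_cert_covers` check can be reused when the peer later sends its authorization identity.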