[jdev] SASL EXTERNAL for s2s in jabberd14
Matthias Wimmer
m at tthias.net
Fri Nov 4 14:55:42 CST 2005
> - When do you offer SASL EXTERNAL on an incoming connection? I
> implemented that the s2s connection manager always checks the peer's
> certificate as soon as a TLS layer is established. Only if the
> certificate could be validated (not expired; if the incoming stream
> had a from attribute, that it matches the certificate; signed by a
> trusted CA, ...) do I offer the peer to use SASL EXTERNAL. In all other
> cases I know that SASL EXTERNAL would fail anyway, so I do not have to
> offer it. Better for the peer to try dialback.
I got asked (on Jabber) how I do this verification and how I know which
domain the server wants to authenticate later on.
If the connecting server sent a from attribute in the stream root, I am
checking against this. If there was no from attribute (the other server
does not have to send this attribute), I just check if the certificate
is not expired and I can validate the certification chain up to a
trusted root CA certificate.
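The decision rule described in this thread, written out as an added example in Go (not jabberd14's code, which uses OpenSSL): the peer certificate is verified against a trusted root pool and the current time, and only when the stream carried a from attribute is that domain also matched against the certificate's names. A nil result means "offer SASL EXTERNAL"; any error means the peer should fall back to dialback. The CA and leaf certificate are constructed in memory so the example runs offline; only dNSName SANs are matched, so an xmppAddr otherName in a real deployment certificate would need additional parsing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// offerSASLExternal applies the post's rule: advertise SASL EXTERNAL only when
// the peer's leaf certificate chains to a trusted root, is inside its validity
// period and, if the incoming stream had a from attribute, names that domain.
// An empty from skips the name check, mirroring "no from attribute sent".
func offerSASLExternal(leaf *x509.Certificate, roots *x509.CertPool, from string, now time.Time) error {
	opts := x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		DNSName:     from, // empty string disables hostname matching in Verify
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("not offering SASL EXTERNAL: %w", err)
	}
	return nil
}

// newTestbed builds a constructed root CA and a leaf certificate signed by it
// (hypothetical test material, not a real deployment). It returns the trust
// pool holding the CA and the leaf, so callers can mix pools and leaves.
func newTestbed(dnsNames []string, notBefore, notAfter time.Time) (*x509.CertPool, *x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test Root CA"},
		NotBefore:             notBefore.Add(-time.Hour),
		NotAfter:              notAfter.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "constructed s2s peer"},
		DNSNames:     dnsNames, // the server domains this peer may authenticate as
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafCert, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, leafCert, nil
}

func main() {
	now := time.Now()
	roots, leaf, err := newTestbed([]string{"example.net"}, now.Add(-time.Hour), now.Add(time.Hour))
	if err != nil {
		panic(err)
	}
	// Three incoming streams: matching from, no from, and a from the cert does not cover.
	for _, from := range []string{"example.net", "", "other.example"} {
		if err := offerSASLExternal(leaf, roots, from, now); err != nil {
			fmt.Printf("from=%q: %v (peer should use dialback)\n", from, err)
		} else {
			fmt.Printf("from=%q: offer SASL EXTERNAL\n", from)
		}
	}
}
```

Verify does the expiry and chain checks in one call, which keeps the "offer or not" decision a single code path; keeping the reason in the returned error is useful for logging why a given peer was pushed to dialback.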