[jdev] SASL EXTERNAL for s2s in jabberd14
Matthias Wimmer
m at tthias.net
Sat Nov 5 07:07:57 CST 2005
Hi Justin!
Justin Karneges wrote:
>Why would a connecting server present a certificate, and then invoke SASL
>EXTERNAL with an authzid that doesn't match what is written in the
>certificate? Sounds to me like a configuration problem in the connecting
>server that you probably shouldn't encourage.
>
Because it may be connecting for service.example.com but only have a
certificate for example.com. Sure, this might be considered a
misconfiguration, and sure as well, it would be better to have a
certificate for each domain. But I think it's better to use a wrong
certificate for a connection than to use no TLS layer at all.
Sure, one could use the DH anon ciphers for these cases. But I don't
know many admins that I would expect to generate DH keys as well.
But wrong certificates might even be preferred over the DH anon ciphers,
as at least a human can decide whether the connection has been made to
the right server and not to a man in the middle. (E.g. because the
certificate subject is logged to a file.)
Matthias
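The check the thread is arguing about, as an added example (not jabberd14 code): given the names a peer's certificate asserts and the authzid it requests via SASL EXTERNAL, decide whether the certificate covers that domain, log the certificate subject so a human can audit the link either way, and apply either the strict policy (reject EXTERNAL on mismatch and fall back to another authentication, e.g. dialback) or the permissive one argued for above. The certificate names are a constructed list standing in for the dNSName SANs / CN that a real X.509 parser would extract; the `PeerCert` type, the `accept_mismatch` policy flag and the matching rules (exact match, or a single leading `*.` label) are assumptions of this example.

```python
"""SASL EXTERNAL authzid check for an s2s link (added example, not jabberd14 code)."""
import logging
from dataclasses import dataclass
from typing import List, Tuple

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("s2s")


@dataclass
class PeerCert:
    """Assumed stand-in for a parsed peer certificate (constructed, not parsed)."""
    subject: str          # e.g. "CN=example.com"; what gets logged for a human to audit
    dns_names: List[str]  # dNSName SANs (plus CN fallback) the certificate asserts


def _name_matches(pattern: str, name: str) -> bool:
    """Exact match, or a '*.' wildcard consuming exactly one leftmost label.

    '*.example.com' matches 'service.example.com' but not 'example.com'
    and not 'a.b.example.com' (assumed rule, in the spirit of RFC 6125).
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if pattern == name:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        head, sep, rest = name.partition(".")
        return sep == "." and head != "" and rest == pattern[2:]
    return False


def cert_covers(cert: PeerCert, domain: str) -> bool:
    """True if any asserted name covers the requested domain."""
    return any(_name_matches(n, domain) for n in cert.dns_names)


def decide_external(cert: PeerCert, authzid: str,
                    accept_mismatch: bool = False) -> Tuple[bool, str]:
    """Return (accept_external, reason).

    The subject is logged unconditionally: even when the policy tolerates a
    mismatch, an admin can later see which certificate the peer presented.
    """
    covered = cert_covers(cert, authzid)
    log.info("s2s peer subject=%r authzid=%r covered=%s",
             cert.subject, authzid, covered)
    if covered:
        return True, "certificate covers requested domain"
    if accept_mismatch:
        # Permissive policy: keep the TLS layer and trust the logged subject
        # to let a human spot a wrong peer after the fact.
        return True, "mismatch tolerated by policy; certificate subject logged"
    # Strict policy: EXTERNAL fails; the caller falls back to another
    # mechanism (assumed here to be server dialback) over the same TLS link.
    return False, "certificate does not cover authzid; fall back to dialback"


if __name__ == "__main__":
    # Constructed scenario from the thread: cert for example.com only,
    # but the peer connects on behalf of service.example.com.
    peer = PeerCert(subject="CN=example.com", dns_names=["example.com"])
    print(decide_external(peer, "service.example.com"))
    print(decide_external(peer, "service.example.com", accept_mismatch=True))
```

The wildcard rule is deliberately narrow: a certificate for `*.example.com` covers `service.example.com` but neither the bare `example.com` nor a deeper `a.b.example.com`, so the only way the thread's scenario passes the strict check is a certificate that actually names the service domain.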