[jdev] virtual hosting and certificate checking
Norman Rasmussen
norman at rasmussen.co.za
Wed Mar 1 13:59:10 CST 2006
As I understand it, the way dial-back works, you can make multiple
's2s' connections via a single dial-back session. IIRC, you just send
the dial-back auth token down the existing connection and it adds the
new server as a valid endpoint.
With swapping to certs (and I assume SASL external?) does that mean
one connection for every s2s connection - i.e. no piggybacking? I
doubt that any arbitrary hostname is allowed to be authorised, so I
assume it would just be the id-on-xmppAddrs in the subjectAltName
field?
If all id-on-xmppAddrs are authorised, implementors need to be
careful that hostname poisoning is not allowed. i.e. check that the
dns entry matches the same ip/port of the existing connection, before
checking the id-on-xmppAddrs on the already established connection.
--
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/