[jdev] Interop Preparation
Dave Cridland
dave at cridland.net
Thu Nov 18 05:08:57 CST 2010
On Thu Nov 18 07:38:01 2010, Philipp Hancke wrote:
> Badlop wrote:
>>> bear wrote:
>>>> We will be setting up a test domain and will be providing a CA, so
>>>> each server would:
>>>>
>>>> - have an issued Certificate(s)
>>
>> 2010/11/10 Philipp Hancke <fippo at goodadvice.pages.de>:
>>> Testing cases where it should not work (like revoked certificates)
>>> is more interesting than making sure things work. Testing the
>>> verification of domain-based application service identity would be
>>> nice, too.
>>
>>
>> For that additional testing, the XSF could also provide wrong certs:
>> one revoked, another for a dummy domain, etc. And then the server
>> administrators set up additional vhosts which use those certs.
>
> That requires two modes of operation for the servers:
> - oh-yeah-tls-is-so-cool: Basically the normal mode of operation as
> currently used on "the public network" where servers ignore revoked
> (expired, ...) certs or the mismatch of the certificate for "dummy
> domain".
>

Different servers do, and do not do, CRL checking. M-Link R14.6 does
not, whereas M-Link R15.0 can do (if asked). I don't think servers
trust incorrect or expired certificates ever, do they?

> - tls-as-defined-in-the-specs: if a server connects to another
> server and does not get a valid and trusted certificate for the
> expected peer domain it will disconnect. Additionally, that server
> will not allow another server to use dialback, but require XEP 0178
> style authentication.

You can even place M-Link in such a mode, but it'll continue to
accept a trusted certificate that's been revoked, but won't allow it
to be used for authentication. In addition, you can require (from
some or all peers) that a trusted, unrevoked, valid certificate is to
be presented prior to authentication.

> Do we bother with testing dialback, too?

May as well. If anyone is doing dialback-without-dialback, I'd be
interested.

> Dave: if you could generate certificates signed by an intermediate
> CA that would be nice to test if servers actually send the whole
> chain.

I'm not generating the certificates, but yes, that should be possible.

Dave.
--
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at dave.cridland.net
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
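
Added example, not part of the original message and not taken from any server's code: a small model that turns the two modes of operation and the CRL-checking difference discussed in the thread into an expected-results matrix for the proposed test vhosts. The vhost names, the outcome labels (`external` for XEP-0178 style certificate authentication, `dialback`, `disconnect`) and the mapping itself are assumptions drawn from reading the thread.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class PeerCert:
    trusted_chain: bool = True   # chains to the interop test CA
    in_validity: bool = True     # not expired
    domain_match: bool = True    # identity matches the expected peer domain
    revoked: bool = False        # listed on the CA's CRL

def cert_ok(cert, check_crl):
    """What the receiving server believes about the peer certificate."""
    # A server that does no CRL checking cannot see a revocation at all.
    seen_revoked = cert.revoked and check_crl
    return (cert.trusted_chain and cert.in_validity
            and cert.domain_match and not seen_revoked)

def s2s_outcome(cert, strict, check_crl):
    """Assumed outcome for one inbound peer: external, dialback or disconnect."""
    if cert_ok(cert, check_crl):
        return "external"
    # Strict mode refuses the peer; permissive mode keeps the stream but does
    # not use the certificate for authentication and falls back to dialback.
    return "disconnect" if strict else "dialback"

# Constructed test vhosts, one per "wrong cert" proposed in the thread.
TEST_VHOSTS = {
    "good": PeerCert(),
    "revoked": PeerCert(revoked=True),
    "expired": PeerCert(in_validity=False),
    "dummy-domain": PeerCert(domain_match=False),
    "untrusted": PeerCert(trusted_chain=False),
}

def expected_matrix():
    """Map (vhost, strict, check_crl) to the outcome the test should observe."""
    return {(name, strict, crl): s2s_outcome(cert, strict, crl)
            for (name, cert), strict, crl
            in product(TEST_VHOSTS.items(), (False, True), (False, True))}

def revocation_gaps(matrix):
    """Configurations where the revoked vhost still authenticates by certificate."""
    return sorted((strict, crl) for (name, strict, crl), out in matrix.items()
                  if name == "revoked" and out == "external")

if __name__ == "__main__":
    for key, outcome in sorted(expected_matrix().items()):
        print(key, outcome)
```

In this model the revoked vhost is the only test case whose result depends on CRL checking rather than on the strict or permissive mode, which is why it needs its own row in the test plan.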