[jdev] Interop Preparation
Philipp Hancke
fippo at goodadvice.pages.de
Thu Nov 18 12:49:53 CST 2010
Dave Cridland wrote:
> Different servers do, and do not do, CRL checking. M-Link R14.6 does
> not, whereas M-Link R15.0 can do (if asked). I don't think servers trust
> incorrect or expired certificates ever, do they?
I don't think any servers trust incorrect or expired certificates (or
certificates where the subject does not match the streams from/to) in
the sense that they allow them to be used for SASL EXTERNAL.
Dialback is used as a fallback in that case, so things don't break.
Most servers do "trust" such certificates (in a TLS-optional mode) when
connecting to a peer server in the sense that they continue to connect
(which means trusting DNS, not x509). Disconnecting and reconnecting
without TLS would be rather silly.
That interpretation of "tls optional" has a rather nasty side-effect:
it decreases the number of valid and usable s2s certificates, because
nobody bothers to fix things (expired certificates, servers that fail to
send the complete certificate chain up to the root) when it just works
(TM) with jabber.org.
[...]
>> Do we bother with testing dialback, too?
>
> May as well. If anyone is doing dialback-without-dialback, I'd be
> interested.
I'll see if I can deploy a server with both dwd and bidi.
>> Dave: if you could generate certificates signed by an intermediate CA
>> that would be nice to test if servers actually send the whole chain.
>
> I'm not generating the certificates, but yes, that should be possible.
Thanks!
philipp
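As an added illustration (not code from this thread or from any of the servers mentioned), here is a constructed, simplified model of the policy Philipp describes: SASL EXTERNAL only when the presented chain is complete up to a trusted root, unexpired and matches the stream from/to, otherwise fall back to dialback but log the reason so a broken certificate does not silently "just work". The Cert class, trust store and domain names are constructed stand-ins, not real X.509 parsing.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for a parsed X.509 certificate (no real ASN.1 here).
@dataclass
class Cert:
    subject: str
    issuer: str
    not_after: datetime
    names: set = field(default_factory=set)  # dNSName / XmppAddr SANs

TRUSTED_ROOTS = {"Example Root CA"}  # constructed trust store (root subjects)

def chain_problems(chain, peer_domain, now):
    """List the reasons a presented s2s chain is not usable for SASL EXTERNAL."""
    problems = []
    if not chain:
        return ["no certificate presented"]
    if peer_domain not in chain[0].names:  # leaf must match the stream from/to
        problems.append(f"subject does not match stream domain {peer_domain}")
    for cert in chain:
        if cert.not_after < now:
            problems.append(f"certificate for {cert.subject} expired")
    for child, parent in zip(chain, chain[1:]):  # each cert issued by the next one
        if child.issuer != parent.subject:
            problems.append(f"{child.subject} not issued by {parent.subject}")
    if chain[-1].issuer not in TRUSTED_ROOTS:  # chain must reach a trusted root
        problems.append(f"incomplete chain: issuer {chain[-1].issuer!r} not trusted")
    return problems

def choose_s2s_auth(chain, peer_domain, now, tls_optional=True):
    """Pick the s2s auth mechanism and a log line an operator can act on."""
    problems = chain_problems(chain, peer_domain, now)
    if not problems:
        return "SASL EXTERNAL", f"{peer_domain}: certificate valid"
    reason = "; ".join(problems)
    if not tls_optional:
        return "REFUSE", f"{peer_domain}: {reason}"
    return "DIALBACK", f"{peer_domain}: falling back to dialback; {reason}"

# Constructed sample chain: leaf <- intermediate <- root, checked "today" (2010-11-18).
NOW = datetime(2010, 11, 18, tzinfo=timezone.utc)
ROOT = Cert("Example Root CA", "Example Root CA", datetime(2020, 1, 1, tzinfo=timezone.utc))
INTER = Cert("Example Intermediate CA", "Example Root CA", datetime(2015, 1, 1, tzinfo=timezone.utc))
LEAF = Cert("xmpp.example.net", "Example Intermediate CA",
            datetime(2011, 6, 1, tzinfo=timezone.utc), {"xmpp.example.net"})
EXPIRED_LEAF = Cert("xmpp.example.net", "Example Intermediate CA",
                    datetime(2010, 1, 1, tzinfo=timezone.utc), {"xmpp.example.net"})

if __name__ == "__main__":
    for chain in ([LEAF, INTER], [LEAF], [EXPIRED_LEAF, INTER]):
        print(choose_s2s_auth(chain, "xmpp.example.net", NOW))
```

Running it shows the full chain selecting SASL EXTERNAL, while a server that omits the intermediate, or serves an expired leaf, still connects but is logged as a dialback fallback with the concrete defect named.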