Checking hostname in XMPP server when using TLS

Daniel Atallah datallah at pidgin.im
Tue Nov 2 15:40:54 EDT 2010


On Tue, Nov 2, 2010 at 15:37, zhong ming wu <mr.z.m.wu at gmail.com> wrote:
> First, Pidgin is great.  Thanks.
>
> My question is related to the TLS implementation of XMPP client functionality
> that I think is not specific to Pidgin.
>
> As you know, an XMPP domain may have more than one server handling c2s
> connections.  Perhaps that is the original reason why, when a client connects
> to a server via TLS, it checks to see if the SSL cert is issued in the domain name, not
> the server name; that way a domain can use one cert on all servers.
>
> In the opposite case of one server handling multiple virtual domains, this is
> undesirable, since otherwise one cert would suffice.
>
> Moreover, assuming DNS is safe (a big assumption in the past, and some will say
> now), should the client not do a DNS lookup and then use the server cert to verify
> the authenticity of it?
>
> Just curious in general about how XMPP client authors decide to check the domain
> name against the SSL certificate.
>
> I have tested Adium, Psi, Empathy, iChat and Beem in addition to Pidgin on Windows
> and Linux.
>
> HTTP and SMTP do not work like that.

This is a question that would be better asked on one of the XMPP
mailing lists:
http://xmpp.org/about/discuss.shtml

-D
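The behaviour the question describes, a client checking the certificate against the XMPP domain it was asked to connect to rather than against whichever host the SRV lookup returned, is the reference-identity rule from RFC 6120 and RFC 6125. The following is an added example written for this thread; it is not Pidgin's code nor code from any of the clients named above. It models the certificate's identities as two constructed lists (dNSName and id-on-xmppAddr subjectAltName entries), applies the single-label wildcard rule, and shows both scenarios from the question side by side: one domain certificate shared by several c2s servers, and one server hosting several virtual domains with a certificate for its own hostname only. The domains and hostnames used are constructed sample values.

```python
"""Reference-identity matching for an XMPP c2s TLS connection.

Added example, not Pidgin's or any library's code. Implements the rule the
thread describes: the certificate is checked against the XMPP *domain* the
user is connecting to, not against the host that the SRV lookup returned.
All certificate identities, domains and hostnames below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CertIdentities:
    """Identities extracted from a server certificate (constructed for the example)."""
    dns_names: List[str] = field(default_factory=list)   # dNSName SAN entries
    xmpp_addrs: List[str] = field(default_factory=list)  # id-on-xmppAddr SAN entries


def _dns_name_matches(pattern: str, name: str) -> bool:
    """Match one dNSName pattern against a domain.

    A wildcard is only honoured as the complete left-most label, must be
    followed by at least two more labels, and matches exactly one label
    (RFC 6125 section 6.4.3 rules).
    """
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels = pattern.split(".")
    n_labels = name.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def cert_matches_domain(cert: CertIdentities, xmpp_domain: str) -> bool:
    """Return True if the certificate is valid for the given XMPP domain."""
    domain = xmpp_domain.lower().rstrip(".")
    # id-on-xmppAddr is the most specific identity; it carries no wildcards.
    if any(a.lower() == domain for a in cert.xmpp_addrs):
        return True
    return any(_dns_name_matches(d, domain) for d in cert.dns_names)


def verify_c2s_connection(cert: CertIdentities, xmpp_domain: str,
                          srv_target: str) -> Dict[str, bool]:
    """Evaluate both possible reference identities for one connection.

    `domain_match` is the check an XMPP client performs; `srv_host_match`
    is shown only to illustrate why the two differ. Relying on the SRV
    target would make the trust decision depend on the DNS answer, which
    is the assumption the question above calls out.
    """
    return {
        "domain_match": cert_matches_domain(cert, xmpp_domain),
        "srv_host_match": cert_matches_domain(cert, srv_target),
    }


if __name__ == "__main__":
    # Scenario 1: one domain certificate shared by several c2s servers.
    shared = CertIdentities(dns_names=["example.org"])
    print("shared cert:", verify_c2s_connection(shared, "example.org", "xmpp1.example.org"))
    # -> domain_match True (accepted), srv_host_match False

    # Scenario 2: one server hosting virtual domains, cert for its own name only.
    host_only = CertIdentities(dns_names=["server.hosting.example"])
    print("host-only cert:", verify_c2s_connection(host_only, "example.net", "server.hosting.example"))
    # -> domain_match False (rejected by a domain-checking client)

    # Scenario 3: the hosting server carries an id-on-xmppAddr for the virtual domain.
    fixed = CertIdentities(dns_names=["server.hosting.example"], xmpp_addrs=["example.net"])
    print("xmppAddr cert:", verify_c2s_connection(fixed, "example.net", "server.hosting.example"))
    # -> domain_match True
```

The third scenario is the usual remedy for the virtual-hosting case the question raises: a single certificate on the shared server can carry one SAN entry per hosted domain, so the domain check still passes without relying on DNS to name the server.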
