[ejabberd] More virt host woes.
stpeter at stpeter.im
Sat Feb 9 01:43:22 MSK 2008
Jesse Thompson wrote:
> Brian Cully wrote:
>>> * Certificate management. The XMPP specification requires that the
>>> match the domain, not the server. This makes it very difficult for
>>> hosting providers.
>> I haven't tried this yet. I was worried from reading the code that
>> this could be a problem. If you have any solutions that could save me
>> time when I finally get there, I would appreciate it.
> I don't think that this is a problem with ejabberd. The problem is that
> you will need to get a certificate specific for each domain, otherwise
> the jabber clients will display certificate-host mismatch errors. You
> could generate self-signed certificates, but clients will bitch about
> those too. The XMPP ICA will sign your certificates for free, but I
> don't need to tell you how much of a hassle it will be to request/renew
> 8,000 individual certificates. FWIW, Google appears to use just 2
> certificates: gmail.com for gmail users, and talk.google.com for the
> google apps users. But they distribute their own client that
> conveniently ignores the fact that the certificate doesn't match the domain.
Some clients (iChat etc.) let you specify that the hostname handling a
gmail.com or googlemail.com (etc.) JID is "talk.google.com". Then when
you're presented with a certificate for talk.google.com, the client
considers that to be acceptable. I'll be modifying the specifications to
make it clear that this approach is one allowable authentication flow.
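The authentication flow described in the reply above, sketched as an added example (not part of the original thread and not taken from any client's code): a certificate is accepted if it names the JID's domain, or a connect host the user typed in explicitly. The function names and the certificate name lists are constructed for illustration, and the wildcard handling (whole left-most label only) is an assumption of this sketch.

```python
def jid_domain(jid):
    """Return the lower-cased domain part of a JID (local@domain/resource)."""
    bare = jid.split("/", 1)[0]           # drop the resource part
    return bare.rsplit("@", 1)[-1].lower().rstrip(".")


def name_matches(presented, reference):
    """Compare one DNS name from the certificate with one reference name.

    A wildcard is honoured only as the complete left-most label and never
    directly under a top-level domain (assumption of this sketch).
    """
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if len(p) != len(r):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == r[1:]
    return p == r


def reference_names(jid, user_configured_host=None):
    """Names the client is willing to see in the server certificate.

    The JID domain is always a reference name. A connect host widens the
    list only when the user entered it; a host name learned from an
    unauthenticated lookup must not be passed in here.
    """
    names = [jid_domain(jid)]
    if user_configured_host:
        names.append(user_configured_host.lower().rstrip("."))
    return names


def certificate_acceptable(cert_dns_names, jid, user_configured_host=None):
    """True if any DNS name in the certificate matches a reference name."""
    refs = reference_names(jid, user_configured_host)
    return any(name_matches(c, r) for c in cert_dns_names for r in refs)


if __name__ == "__main__":
    cert = ["talk.google.com"]            # constructed certificate name list
    print(certificate_acceptable(cert, "user@gmail.com"))
    print(certificate_acceptable(cert, "user@gmail.com", "talk.google.com"))
```

Without the user-configured host, the talk.google.com certificate is a mismatch for a gmail.com JID, which is the error the quoted message describes for hosted domains.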