[ejabberd] More virt host woes.

Peter Saint-Andre stpeter at stpeter.im
Sat Feb 9 01:43:22 MSK 2008


Jesse Thompson wrote:
> Brian Cully wrote:
>>> * Certificate management.  The XMPP specification requires that the
>>> cert match the domain, not the server.  This makes it very difficult
>>> for hosting providers.
>> I haven't tried this yet. I was worried from reading the code that
>> this could be a problem. If you have any solutions that could save me
>> time when I finally get there, I would appreciate it.
> 
> I don't think that this is a problem with ejabberd.  The problem is that 
> you will need to get a certificate specific for each domain, otherwise 
> the jabber clients will display certificate-host mismatch errors.  You 
> could generate self-signed certificates, but clients will bitch about 
> those too.  The XMPP ICA will sign your certificates for free, but I 
> don't need to tell you how much of a hassle it will be to request/renew 
> 8,000 individual certificates.  FWIW, Google appears to use just 2 
> certificates: gmail.com for gmail users, and talk.google.com for the 
> google apps users.  But they distribute their own client that 
> conveniently ignores the fact that the certificate doesn't match the domain.

Some clients (iChat etc.) let you specify that the hostname handling a
gmail.com or googlemail.com (etc.) JID is "talk.google.com". Then when
you're presented with a certificate for talk.google.com, the client
considers that to be acceptable. I'll be modifying the specifications to
make it clear that this approach is one allowable authentication flow.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
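
The flow described in the message above, sketched as an added example that is not part of the original post or of any client's code: the certificate is accepted if it names the JID's domain, or a connect host the user explicitly configured. The function names, the `user_host` parameter and the alice/example.org values are hypothetical; the certificate's dNSName list is passed in as plain strings.

```python
from typing import Iterable, List, Optional

def jid_domain(jid: str) -> str:
    """Domain part of a bare or full JID (local@domain/resource)."""
    bare = jid.split("/", 1)[0]          # drop the resource, if any
    return bare.split("@", 1)[-1].lower().rstrip(".")

def dns_name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate dNSName against one reference hostname.
    A wildcard counts only as the complete left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # refuse wildcards directly under a top-level label ("*.org")
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def reference_ids(jid: str, user_host: Optional[str] = None) -> List[str]:
    """Identities the client will accept in the server certificate."""
    ids = [jid_domain(jid)]
    if user_host:
        # Only a hostname the user typed into the account settings is
        # added here; that explicit choice is what makes it acceptable.
        ids.append(user_host.lower().rstrip("."))
    return ids

def check_server_cert(jid: str, cert_dns_names: Iterable[str],
                      user_host: Optional[str] = None) -> Optional[str]:
    """Return the reference identity the certificate matched, else None."""
    names = list(cert_dns_names)
    for ref in reference_ids(jid, user_host):
        if any(dns_name_matches(n, ref) for n in names):
            return ref
    return None

if __name__ == "__main__":
    cert = ["talk.google.com"]           # constructed sample dNSName list
    print(check_server_cert("alice@gmail.com", cert))
    print(check_server_cert("alice@gmail.com", cert, "talk.google.com"))
```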
