
I have the following problem: After I setup an intranet Jabber/XMPP server, I asked an SSL certificate for my server, so people can connect securely using a valid certificate.

The DNS of example.com is configured to redirect

root@dowa-01:/var/log/ejabberd# host -t SRV _xmpp-client._tcp.example.com
_xmpp-client._tcp.example.com has SRV record 5 0 5222 xmpp.example.net.

The problem is that when I try to connect with the XMPP client, I get a hostname mismatch between example.com and xmpp.example.net ?!

As long as the DNS is redirecting to another domain, why is the client asking about a certificate on the original domain?

Details: the example.net is a domain used by the corporate intranet, most internal stuff is on it. Obviously, people are supposed to login with their email address and domain password.

How am I supposed to solve this problem? I am pretty sure that Security would not give me a root domain certificate for the public domain.

I assumed that pointing the DNS would work, but it seems that it doesn't.

Any workarounds?

sorin
  • Having your SRV records point to xmpp.example.net, your certificate should list that host name in the SubjectAltName list, too. – vautee Mar 07 '14 at 14:07
  • @vautee I do have a SSL certificate that has the wildcard intranet domain (*.example.net) in SAN list. Still, when I try to connect with XMPP clients they will complain about HOSTNAME not matching certificate. My impression is that the clients do expect an example.com valid certificate even if the DNS server does report that the XMPP server is running on xmpp.citrite.net – sorin Mar 10 '14 at 15:04
  • Never forget: `*.example.net` NEVER matches `example.net` itself. And since your JIDs are named `user@example.net`, your jabber clients will check for example.net in the certificate - simply "ignoring" the host name from the SRV lookup. – vautee Mar 17 '14 at 19:31

1 Answer


Yes, you need a certificate for example.com; it being valid for xmpp.example.net does not matter. This is because DNS is considered untrusted: it would be very easy to spoof your SRV record to point to a malicious server, for which an attacker might have a valid and trusted certificate.

There are some proposed solutions to this problem (including DANE and POSH), but none of those are currently supported by clients. The only solutions are: 1) make everyone accept the certificate mismatch, 2) use xmpp.example.net as your XMPP domain or 3) convince security you need a certificate for example.com.

xnyhps
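As an added illustration (not code from the question or the answer), the following Python models the check the clients in this thread were performing: the reference name is the domain from the user's JID, the SRV target is ignored because DNS is untrusted, and a wildcard never covers the bare domain. The certificate and hostnames are constructed sample data.

```python
"""Added example: why a cert for *.example.net fails for users logging in
as user@example.com even though the SRV record points to xmpp.example.net.
Certificate contents and hostnames below are constructed, not real data."""
from dataclasses import dataclass


@dataclass
class Certificate:
    """Constructed stand-in for the identity fields a client reads from a cert."""
    common_name: str
    subject_alt_names: tuple = ()

    def identities(self):
        # Clients prefer the SAN list; CN is only a legacy fallback when no SAN exists.
        return list(self.subject_alt_names) or [self.common_name]


def name_matches(pattern, hostname):
    """Match one certificate name against a hostname (RFC 6125 style).
    A wildcard only replaces the leftmost label, so '*.example.net'
    matches 'xmpp.example.net' but never 'example.net' itself."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".example.net"
    labels = hostname.split(".")
    # Exactly one label must sit in front of the suffix, and it must be non-empty.
    return (hostname.endswith(suffix) and labels[0] != ""
            and len(labels) == suffix.count(".") + 1)


def xmpp_cert_acceptable(jid_domain, srv_target, cert):
    """Return (accepted, reason). The reference identifier is the XMPP domain
    from the user's JID; the SRV target is untrusted DNS data and is never
    used for validation, which is exactly the mismatch seen in the question."""
    names = cert.identities()
    for name in names:
        if name_matches(name, jid_domain):
            return True, f"{name!r} matches XMPP domain {jid_domain!r}"
    if any(name_matches(n, srv_target) for n in names):
        return False, (f"cert only matches SRV target {srv_target!r}; "
                       f"client checks {jid_domain!r} because DNS is untrusted")
    return False, f"no certificate name matches {jid_domain!r}"


# Constructed scenario from the thread: SRV points at xmpp.example.net and the
# cert carries only the intranet wildcard in its SAN list.
INTRANET_WILDCARD_CERT = Certificate("xmpp.example.net", ("*.example.net",))

if __name__ == "__main__":
    for jid_domain in ("example.com", "example.net", "xmpp.example.net"):
        ok, why = xmpp_cert_acceptable(jid_domain, "xmpp.example.net", INTRANET_WILDCARD_CERT)
        print(f"{jid_domain:17} -> {'OK  ' if ok else 'FAIL'}: {why}")
```

Only the third JID domain passes, which is option 2 in the answer above (use xmpp.example.net as the XMPP domain).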