I have the following problem: After I setup an intranet Jabber/XMPP server, I asked an SSL certificate for my server, so people can connect securely using a valid certificate.
The DNS of example.com is configured to redirect
root@dowa-01:/var/log/ejabberd# host -t SRV _xmpp-client._tcp.example.com
_xmpp-client._tcp.example.com has SRV record 5 0 5222 xmpp.example.net.
The problem is that when I try to connect with the XMPP client, I get a hostname mismatch between example.com and xmpp.example.net ?!
As long as the DNS is redirecting to another domain, why is the client asking about a certificate for the original domain?
Details: example.net is a domain used by the corporate intranet; most internal stuff is on it. Obviously, people are supposed to log in with their email address and domain password.
How am I supposed to solve this problem? I am pretty sure that Security would not give me a root domain certificate for the public domain.
I assumed that pointing the DNS would work, but it seems that it doesn't.
Any workarounds?
Best Answer
Yes, you need a certificate for example.com; it being valid for xmpp.example.net does not matter. This is because DNS is considered untrusted: it would be very easy to spoof your SRV record to point to a malicious server, for which an attacker might have a valid and trusted certificate. There are some proposed solutions to this problem (including DANE and POSH), but none of those are currently supported by clients. The only solutions are: 1) make everyone accept the certificate mismatch, 2) use xmpp.example.net as your XMPP domain or 3) convince security you need a certificate for example.com.
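The following is an added example, not code from the question or the answer above, showing the client-side logic the answer describes: the name a client validates the certificate against is the domain part of the user's JID, and the SRV target is only used to decide where to open the TCP connection. The SRV "lookup" is a constructed dictionary standing in for real DNS, and the certificates are constructed lists of subjectAltName dNSName values rather than parsed X.509 objects; the function names are hypothetical.

```python
"""
Added example (not part of the original question or answer): how an XMPP
client is expected to choose the name it validates the server certificate
against, and why the SRV target is not that name (RFC 6120 section 13.7.2).

Everything here is constructed: FAKE_SRV stands in for a DNS lookup and
certificates are represented only by their subjectAltName dNSName list.
"""
from typing import Iterable, Optional

# Constructed stand-in for DNS: SRV owner name -> [(priority, weight, port, target)]
FAKE_SRV = {
    "_xmpp-client._tcp.example.com": [(5, 0, 5222, "xmpp.example.net")],
}


def resolve_xmpp_client_srv(domain: str) -> list[tuple[int, int, int, str]]:
    """Return the client SRV records for `domain`, lowest priority first."""
    return sorted(FAKE_SRV.get(f"_xmpp-client._tcp.{domain}", []))


def reference_identity(jid_domain: str, srv_target: Optional[str]) -> str:
    """
    The name the certificate must be valid for.  It is always the JID domain;
    `srv_target` is deliberately ignored because the DNS answer that produced
    it is unauthenticated and could have been spoofed.
    """
    return jid_domain.lower().rstrip(".")


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName matching: exact, or a single left-most wildcard label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        # The wildcard covers exactly one label; it never matches the bare
        # domain and never spans several labels.
        plabels = pattern[2:].split(".")
        hlabels = hostname.split(".")
        return len(hlabels) == len(plabels) + 1 and hlabels[1:] == plabels
    return False


def cert_valid_for(san_dnsnames: Iterable[str], name: str) -> bool:
    """True if any dNSName in the certificate matches `name`."""
    return any(dnsname_matches(p, name) for p in san_dnsnames)


def check_connection(jid_domain: str, san_dnsnames: Iterable[str]) -> dict:
    """
    Simulate what a conforming client does for a user @jid_domain when the
    server presents a certificate with the given dNSName entries.
    """
    records = resolve_xmpp_client_srv(jid_domain)
    target = records[0][3] if records else jid_domain   # where to connect
    port = records[0][2] if records else 5222
    expected = reference_identity(jid_domain, target)   # what to verify
    san = list(san_dnsnames)
    return {
        "connect_to": (target, port),
        "expected_name": expected,
        "cert_ok": cert_valid_for(san, expected),
        # The situation in the question: the cert names only the SRV target.
        "cert_matches_srv_target_only": cert_valid_for(san, target)
        and not cert_valid_for(san, expected),
    }


if __name__ == "__main__":
    # The questioner's setup: JID domain example.com, cert for xmpp.example.net
    print(check_connection("example.com", ["xmpp.example.net"]))
    # Option 3 from the answer: a cert that also names example.com
    print(check_connection("example.com", ["example.com", "xmpp.example.net"]))
    # Option 2 from the answer: make xmpp.example.net the XMPP domain itself
    print(check_connection("xmpp.example.net", ["xmpp.example.net"]))
```

Running the block prints the three cases in the answer's order: the original setup fails with `cert_ok` False even though the certificate is fine for the SRV target, while adding example.com to the certificate (option 3) or using xmpp.example.net as the JID domain (option 2) both validate. A spoofed SRV answer changes only `connect_to`, never `expected_name`, which is exactly why the client ignores the target when choosing the name to verify.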