Issue 374 - XMPP Server Certificates contain invalid SRV-ID records
: StartSSL PKI
: unspecified
: All All
: P5 normal
Reported: 2015-05-20 10:25 by
Modified: 2015-11-21 23:41 (History)

Description From 2015-05-20 10:25:39

I'm using a StartSSL-issued XMPP certificate for / and when
examining it I found the following entries in it:

| Extensions:
|   X509v3 Subject Alternative Name:
|     sRVName:,     <-- these are the offenders!
|     xmppAddr:,
|     dNSName:,

I verified that the problem still exists with an XMPP certificate that was
issued four days ago.

According to and the correct format for the
sRVName(s) would be: (the last one is not needed in practice because is only used for server-to-server)

The respective RFCs say the following. RFC4985:

> The SRVName, if present, MUST contain a service name and a domain name in the following form:
> _Service.Name

And RFC6120:

> Support for the SRV-ID identifier type [PKIX-SRV] is REQUIRED for XMPP client and server software implementations (for verification purposes XMPP client implementations need to support only the "_xmpp-client" service type, whereas XMPP server implementations need to support both the "_xmpp-client" and "_xmpp-server" service types).

Please update your certificate generators!

Kind regards,


P.S.: I used to parse the SRVName entries.
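The format rule quoted above (RFC 4985: an SRVName is "_Service.Name"; RFC 6120: XMPP verifiers look for the "_xmpp-client" and "_xmpp-server" service types) checked in code. This is an added example, not the reporter's parser and not StartSSL's certificate generator. It encodes a subjectAltName extension in DER with small hand-written helpers, decodes it back, and validates each SRVName against the RFC 4985 form before matching it against the reference identifier an XMPP client or peer server would expect. `example.com` is a placeholder (the report does not show the real domain), and the values in `SAN_MALFORMED` are constructed to illustrate failures; the report does not show what the offending entries actually contained.

```python
# Added example (not the reporter's tool, not StartSSL's code): build a SAN in DER, decode it,
# and validate each SRVName per RFC 4985 / RFC 6120. Standard library only.
import re

OID_SRVNAME = "1.3.6.1.5.5.7.8.7"   # id-on-dnsSRV (RFC 4985)
OID_XMPPADDR = "1.3.6.1.5.5.7.8.5"  # id-on-xmppAddr (RFC 6120)
XMPP_SERVICES = {"client": "xmpp-client", "server": "xmpp-server"}
# RFC 6335 service name: 1-15 letters/digits/hyphens, at least one letter, no edge hyphen.
# RFC 4985 writes the SRVName as "_" + service + "." + domain.
_SERVICE_RE = re.compile(r"^(?=.{1,15}$)(?=.*[A-Za-z])[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*$")
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def der_tlv(tag, body):
    """Encode one DER TLV (short- or long-form definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_read(buf, pos=0):
    # Returns (tag, body, position after this TLV) for the TLV starting at buf[pos].
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def encode_oid(dotted):
    """Dotted OID -> DER content octets (first two arcs packed; enough for 1.x OIDs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out.extend(chunk)
    return bytes(out)
_OID_NAMES = {encode_oid(o): o for o in (OID_SRVNAME, OID_XMPPADDR)}

def general_name_other(oid, text, value_tag=0x16):
    """otherName: [0] IMPLICIT SEQUENCE { OID, [0] EXPLICIT value }; SRVName is IA5String, xmppAddr UTF8String."""
    body = der_tlv(0x06, encode_oid(oid)) + der_tlv(0xA0, der_tlv(value_tag, text.encode("utf-8")))
    return der_tlv(0xA0, body)

def general_name_dns(name):
    return der_tlv(0x82, name.encode("ascii"))  # dNSName: [2] IMPLICIT IA5String
def encode_san(names):
    return der_tlv(0x30, b"".join(names))  # SubjectAltName ::= SEQUENCE OF GeneralName

def parse_san(der):
    """Decode a SAN into [(kind, value)]; kind is the otherName OID or 'dNSName'."""
    tag, body, _ = der_read(der)
    if tag != 0x30:
        raise ValueError("SAN is not a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, gn, pos = der_read(body, pos)
        if tag == 0xA0:                      # otherName
            _, oid_body, p = der_read(gn)
            _, wrapper, _ = der_read(gn, p)  # the [0] EXPLICIT wrapper around the value
            _, value, _ = der_read(wrapper)
            out.append((_OID_NAMES.get(oid_body, oid_body.hex()), value.decode("utf-8")))
        elif tag == 0x82:                    # dNSName; other GeneralName choices are skipped
            out.append(("dNSName", gn.decode("ascii")))
    return out

def parse_srv_id(value):
    """Split an RFC 4985 SRVName "_Service.Name" into (service, name); None if malformed."""
    if not value.startswith("_"):
        return None
    service, dot, name = value[1:].partition(".")
    if not dot or not _SERVICE_RE.match(service):
        return None
    if not all(_LABEL_RE.match(label) for label in name.split(".")):
        return None
    return service.lower(), name.lower()

def check_xmpp_srv_ids(entries, domain, role="client"):
    """RFC 6120: a client matches _xmpp-client.<domain>, a peer server _xmpp-server.<domain>."""
    wanted, matched, findings = XMPP_SERVICES[role], False, []
    for kind, value in entries:
        if kind != OID_SRVNAME:
            continue
        parsed = parse_srv_id(value)
        if parsed is None:                   # malformed SRVNames are reported and never match
            findings.append("malformed SRV-ID (not _Service.Name): %r" % value)
        elif parsed == (wanted, domain.lower()):
            matched = True
            findings.append("matched SRV-ID %r for the %s role" % (value, role))
        else:
            findings.append("SRV-ID %r does not apply to %s/%s" % (value, role, domain))
    return matched, findings

DOMAIN = "example.com"  # placeholder: the report does not show the real domain
SAN_CORRECT = encode_san([general_name_other(OID_SRVNAME, "_xmpp-client." + DOMAIN),
                          general_name_other(OID_SRVNAME, "_xmpp-server." + DOMAIN),
                          general_name_other(OID_XMPPADDR, DOMAIN, value_tag=0x0C),
                          general_name_dns(DOMAIN)])
# Constructed malformed values for illustration; the report's real offenders are not shown.
SAN_MALFORMED = encode_san([general_name_other(OID_SRVNAME, "xmpp-client." + DOMAIN),  # no "_"
                            general_name_other(OID_SRVNAME, "_xmpp-client"),           # no domain
                            general_name_dns(DOMAIN)])
```

Call `check_xmpp_srv_ids(parse_san(san_der), domain, "client")` on the raw extension value of a real certificate to get the client-side verdict; `"server"` gives the server-to-server one. Note that the matching is deliberately strict: a value that does not parse as `_Service.Name` is listed as malformed and is never treated as a match, which is what an RFC 6125-style verifier should do rather than falling back to loose string comparison.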
------- Comment #1 From 2015-11-21 23:41:02 -------
We will discontinue this type of certificate by the end of this year (2015),
since such certificates have become mostly obsolete. Due to that we'll not change
anything in this respect until then.

We recommend using regular server certificates for the purpose of securing
XMPP servers and applications.