Issue 374 - XMPP Server Certificates contain invalid SRV-ID records
Status: RESOLVED WONTFIX
StartSSL PKI
Certificates
unspecified
All All
P5 normal
Reported: 2015-05-20 10:25 by
Modified: 2015-11-21 23:41

Description From 2015-05-20 10:25:39
Hi,

I'm using a StartSSL-issued XMPP certificate for yax.im / chat.yax.im and when
examining it I found the following entries in it:

| Extensions:
|   X509v3 Subject Alternative Name:
|     sRVName: chat.yax.im, yax.im     <-- these are the offenders!
|     xmppAddr: chat.yax.im, yax.im
|     dNSName: chat.yax.im, yax.im

I verified that the problem still exists with an XMPP certificate that was
issued four days ago.

According to https://xmpp.org/rfcs/rfc6120.html#security-certificates and
https://tools.ietf.org/html/rfc4985#section-2 the correct format for the
sRVName(s) would be:

_xmpp-server.yax.im
_xmpp-client.yax.im
_xmpp-server.chat.yax.im
_xmpp-client.chat.yax.im (the last one is not needed in practice because
chat.yax.im is only used for server-to-server)

The respective RFCs say the following. RFC4985:

> The SRVName, if present, MUST contain a service name and a domain name in the following form:
> 
> _Service.Name

And RFC6120:

> Support for the SRV-ID identifier type [PKIX‑SRV] is REQUIRED for XMPP client and server software implementations (for verification purposes XMPP client implementations need to support only the "_xmpp-client" service type, whereas XMPP server implementations need to support both the "_xmpp-client" and "_xmpp-server" service types).

Please update your certificate generators!

Kind regards,

Georg

P.S: I used https://www.zash.se/x509parse.lua to parse the SRVName entries.
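To make the check described in the report reproducible, here is an added example (not code from the report, from StartSSL, or from the x509parse.lua tool) that takes Subject Alternative Name entries already parsed into (type, value) pairs, as the quoted parser prints them, flags sRVName values that do not have the RFC 4985 "_Service.Name" shape, and shows which identifier type would end up proving the domain for an _xmpp-server or _xmpp-client check. The function names, the two constructed SAN lists and the SRV-ID > XmppAddr > DNS-ID preference order are assumptions of this example; it does not parse DER itself.

```python
"""Check XMPP certificate SRV-ID (sRVName) entries against RFC 4985 / RFC 6120.

Added example, not part of the bug report. It works on SAN entries already
parsed into (type, value) pairs and does not parse DER.
"""
import re
from typing import Iterable, List, Optional, Tuple

SAN = Iterable[Tuple[str, str]]

# Constructed input: the SAN entries quoted in the report. The sRVName values
# lack the "_service." prefix, which is the defect being reported.
REPORTED_SAN: List[Tuple[str, str]] = [
    ("sRVName", "chat.yax.im"),
    ("sRVName", "yax.im"),
    ("xmppAddr", "chat.yax.im"),
    ("xmppAddr", "yax.im"),
    ("dNSName", "chat.yax.im"),
    ("dNSName", "yax.im"),
]

# Constructed input: the SAN as the report says it should look
# (_xmpp-client.chat.yax.im left out, as the report says it is not needed).
CORRECTED_SAN: List[Tuple[str, str]] = [
    ("sRVName", "_xmpp-server.yax.im"),
    ("sRVName", "_xmpp-client.yax.im"),
    ("sRVName", "_xmpp-server.chat.yax.im"),
    ("xmppAddr", "chat.yax.im"),
    ("xmppAddr", "yax.im"),
    ("dNSName", "chat.yax.im"),
    ("dNSName", "yax.im"),
]

# RFC 4985 section 2: SRVName = "_" Service "." Name. Service is one label of
# letters, digits and hyphens; Name is a domain name.
_SRVNAME_RE = re.compile(
    r"^_(?P<service>[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)\.(?P<name>[A-Za-z0-9.-]+)$"
)


def _norm(domain: str) -> str:
    """Lower-case and drop a trailing dot so comparisons ignore case and root dot."""
    return domain.lower().rstrip(".")


def parse_srvname(value: str) -> Optional[Tuple[str, str]]:
    """Split an SRVName into (service, name), or None if it is not in RFC 4985 form."""
    m = _SRVNAME_RE.match(value)
    if m is None:
        return None
    return m.group("service").lower(), _norm(m.group("name"))


def malformed_srv_ids(san: SAN) -> List[str]:
    """Return every sRVName entry that lacks the "_Service.Name" shape."""
    return [v for t, v in san if t == "sRVName" and parse_srvname(v) is None]


def verify_xmpp_identity(san: SAN, domain: str, service: str) -> Optional[str]:
    """Return the SAN type that proves the certificate is for `domain`, or None.

    `service` is "xmpp-server" (what a peer server checks) or "xmpp-client"
    (what a client checks). Assumed preference order: SRV-ID, then XmppAddr,
    then DNS-ID. A malformed sRVName is skipped, never treated as a match, so
    the reported certificate can only pass on its xmppAddr/dNSName entries.
    """
    want = _norm(domain)
    srv_ids = [parse_srvname(v) for t, v in san if t == "sRVName"]
    if (service.lower(), want) in [s for s in srv_ids if s is not None]:
        return "sRVName"
    for san_type in ("xmppAddr", "dNSName"):
        if any(t == san_type and _norm(v) == want for t, v in san):
            return san_type
    return None


if __name__ == "__main__":
    print("malformed SRV-IDs:", malformed_srv_ids(REPORTED_SAN))
    for label, san in (("reported", REPORTED_SAN), ("corrected", CORRECTED_SAN)):
        for dom, svc in (("yax.im", "xmpp-server"), ("chat.yax.im", "xmpp-client")):
            print(label, dom, svc, "->", verify_xmpp_identity(san, dom, svc))
```

Running it shows the practical consequence of the defect: with the reported SAN, both sRVName entries are flagged as malformed and a peer checking yax.im for _xmpp-server only succeeds via the xmppAddr entry; with the corrected SAN, the same check succeeds on the SRV-ID, and the deliberately omitted _xmpp-client.chat.yax.im falls back to xmppAddr rather than failing.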
------- Comment #1 From 2015-11-21 23:41:02 -------
We will discontinue this type of certificate by the end of this year (2015)
since they have become mostly obsolete. Due to that we'll not change anything
in this respect until then.

We recommend using regular server certificates for the purpose of securing
XMPP servers and applications.