StartCom Bug Reporting and Tracking Tool – Issue 374
XMPP Server Certificates contain invalid SRV-ID records
Last modified: 2015-11-21 23:41:02
I'm using a StartSSL-issued XMPP certificate for yax.im / chat.yax.im and when
examining it I found the following entries in it:
| X509v3 Subject Alternative Name:
| sRVName: chat.yax.im, yax.im <-- these are the offenders!
| xmppAddr: chat.yax.im, yax.im
| dNSName: chat.yax.im, yax.im
I verified that the problem still exists with an XMPP certificate that was
issued four days ago.
According to https://xmpp.org/rfcs/rfc6120.html#security-certificates and
https://tools.ietf.org/html/rfc4985#section-2 the correct format for the
sRVName(s) would be:
_xmpp-client.chat.yax.im (the last one is not needed in practice because
chat.yax.im is only used for server-to-server)
The respective RFCs say the following. RFC4985:
> The SRVName, if present, MUST contain a service name and a domain name in the following form:
> Support for the SRV-ID identifier type [PKIX-SRV] is REQUIRED for XMPP client and server software implementations (for verification purposes XMPP client implementations need to support only the "_xmpp-client" service type, whereas XMPP server implementations need to support both the "_xmpp-client" and "_xmpp-server" service types).
Please update your certificate generators!
P.S: I used https://www.zash.se/x509parse.lua to parse the SRVName entries.
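As an added illustration (not part of the report or of StartCom's tooling), the check below applies the RFC 4985 `_service.name` rule and the RFC 6120 service-type requirements to SRVName values that have already been decoded to strings, as in the parser output quoted above; the SAN values it runs on are re-typed from the report and the "correct" set is a constructed example.

```python
"""Check XMPP SRV-ID (sRVName) entries against RFC 4985 / RFC 6120.

Added example: operates on SRVName strings already extracted from the SAN
(e.g. by an X.509 parser), not on raw DER.
"""
import re

# RFC 4985: SRVName = "_" Service "." Name, e.g. _xmpp-client.example.net
SRVNAME_RE = re.compile(r"^(_[a-z0-9-]+)\.(.+)$", re.IGNORECASE)

# RFC 6120: service types each role must be able to verify
REQUIRED_SERVICES = {
    "client": {"_xmpp-client"},
    "server": {"_xmpp-client", "_xmpp-server"},
}


def parse_srvname(value):
    """Split an SRVName into (service, name); None if the _service label is missing."""
    m = SRVNAME_RE.match(value)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower()


def check_srv_ids(srv_names, dns_names, role="server"):
    """Return a list of findings; an empty list means every SRV-ID is well-formed."""
    findings = []
    allowed = REQUIRED_SERVICES[role]
    dns = {d.lower() for d in dns_names}
    for raw in srv_names:
        parsed = parse_srvname(raw)
        if parsed is None:
            findings.append(f"{raw!r}: not of the form _service.name (RFC 4985)")
            continue
        service, name = parsed
        if service not in allowed:
            findings.append(f"{raw!r}: {service} is not an XMPP service for role {role}")
        if name not in dns:
            findings.append(f"{raw!r}: domain {name} has no matching dNSName")
    return findings


# SAN values as quoted in the report (sRVName entries lack the _service label)
REPORTED_SRV = ["chat.yax.im", "yax.im"]
REPORTED_DNS = ["chat.yax.im", "yax.im"]
# Constructed: what a conforming set of SRVNames for these hosts could look like
CORRECT_SRV = ["_xmpp-client.yax.im", "_xmpp-server.yax.im", "_xmpp-server.chat.yax.im"]

if __name__ == "__main__":
    for finding in check_srv_ids(REPORTED_SRV, REPORTED_DNS):
        print("FAIL:", finding)
    print("constructed set:", check_srv_ids(CORRECT_SRV, REPORTED_DNS) or "ok")
```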
We will discontinue this type of certificate by the end of this year (2015)
since they have become mostly obsolete. Due to that we'll not change anything
in this respect until then.
We recommend using regular server certificates for the purpose of securing
XMPP servers and applications.