XMPP Service Operators - 2025-12-27


  1. tom

    MattJ, i'm trying to send you a private message but it's not going through

  2. Menel

    I see more and more letsencrypt certs that have: Client Authentication: optional CA List for Client Auth: {(some long long list)} My own certs are: Client Authentication: optional CA List for Client Auth: _empty_ Does anyone know when letsencrypt will add this long list and what it will do? My idea would be that xmpp servers that still validate client-Auth won't work with these certs if they are not one of the domains listed in that long long list? That list contains entries like C=ES,O=ACCV,OU=PKIACCV,CN=ACCVRAIZ1 OU=AC RAIZ FNMT-RCM,O=FNMT-RCM,C=ES

  3. jonas’

    Menel, I think that's not a property of the certificate.

  4. jonas’

    Instead, it's something applications configure in their handshake.

  5. jonas’

    Instead, it's something applications configure in their (TLS) handshake.

  6. jonas’

    I faintly remember something about having to pass the list to some library or to some server for client authentication to work... so it's entirely possible that you're seeing a rollout of some change in some server's or client's TLS config through the ecosystem.

  7. Menel

    Ah I see. That makes sense, since it would be a bit much to press all that info into a cert.

  8. jonas’

    also it is independent of the cert.

  9. jonas’

    it's basically a statement of the server "hey, these are the CAs I accept client certificates of"

  10. jonas’

    it's supposed to help the client choose the correct client certificate

  11. jonas’

    it's also a mostly irrelevant feature in the XMPP world

  12. jonas’

    (it matters more in corporate contexts where you may have multiple special-purpose CAs for different services)

  13. Menel

    Yes. I wonder now why ejabberd started to implement that (or whether testssl.sh is only showing it now)

  14. jonas’

    as I said… I do remember that I had to do this for interop with some implementation, but I don't remember which it was.

  15. jonas’

    possibly M-Link or Tigase.

  16. moparisthebest

    prosody and xmpp-proxy at least just ignore whether that flag is set entirely, hopefully the newer ejabberd patch does the same

  17. jonas’

    moparisthebest, we're not talking about the client auth flag which is part of the certificate AFAICT

  18. moparisthebest

    what I mean is, I suspect that list only matters when the flag is set, and things that entirely ignore whether the flag is set also entirely ignore any list