SSL certificates / private CAs / CACert issue
skupko.sk at gmail.com
Thu Dec 13 11:34:27 EST 2012
Hi all (sorry for such wide conference, but I am sure it will be valuable),
hope that there are many experienced admins/developers on these lists
and many of you probably running certificates signed by your own CA on
your Jabber servers too.
After some experiences during last months I feel it would be great to
discuss the use of certificates signed by 'non-public' CA on the public
We already had some 'excessive' discussion about it with Peter
Saint-Andre this year and didn't 'solve' it. The only outcome of it was
that the Jabber.sk service is still not listed in the list of public
services and the only reason is that it's using certificate signed by
our internal CA. I did accept that and gave Peter more time to think
about it as it doesn't harm our service at all.
Nevertheless I just discovered that Google started to reject retrieval
of emails from the POP3s and IMAPs servers which use the certificates
from non-public CAs . Unfortunately they didn't provide the list of
CAs they accept (just mentioned Mozilla foundation's list) and still
allow to retrieve these emails by not-secured POP3/IMAP channels and
propose it as an workaround. It is probably planned and has to do
something with the new rules of Google Apps, which are not for free
anymore. But this has nothing with XMPP.
The second issue I was fighting with (and not only once) is that
OpenFire jabber server doesn't accept message retrieval over s2s
connection with the jabber server using the certificate signed by
'non-public' CA by default. Hopefully there is a chance to change this
Now let me fall into the situation with SSL certificates in the XMPP
world in more details.
Just some months before (and it looks like that also these times) the
CACert wasn't recognised as an publicly trusted CA by Mozilla foundation
 (Opera and many more too) because they didn't pass their auditing.
But at those times almost all of the jabber servers and clients already
accepted certificates signed by them as 'secure'. Looks like that XMPP
foundation proposal to use CACert as one of the possible CAs was the
only argument for acceptance. The developers of jabber software usually
do not take care about any security requirements which the CA has to
pass before it will be added to the list of 'secure' public CAs they do
recognise. I just checked more support requests for Gajim [3,4] and
other jabber clients with requests to add CACert or other CA into the
list of accepted CAs and nobody of the developers asked or checked the
state of the CA and the issue the CA has with this process in other
projects or at least didn't mentioned that in the support requests.
I think that this restriction of use only publicly acceptable CAs for
SSL/TLS communication is not correct in general and should not be
enforced by Google, XMPP foundation or OpenFire or anybody else. The
possible solution for this situation in XMPP world could be to provide
the list of acceptable and secure CAs by XMPP foundation directly. It
could maintain and provide this list for all XMPP developers. As a part
of this solution there should be defined the process with clear
requirements to CA willing to be added to this list.
I will accept that the jabber.sk is not added to the list of public
services just after this will be addressed and there will be some clear
statement made by XMPP foundation and/or the public XMPP service list
As another argument for advocating of the private CAs to be accepted on
XMPP servers I would remind you that XMPP network is presented as free
and open and we should take care of not stealing it's openness and freedom.
I would like to give a chance to run any XMPP server with certificates
signed by their private CA without any messages rejection. Of course
there is nothing what doesn't allow me to request the sign of my
certificate by CACert or other CA and probably pay some price for it.
This is just my choice and I am asking if XMPP 'world' is ready and able
to accept that as I do not see any advantage of publicly accepted CAs in
XMPP network at this time.
There is also other possibility to limit such issues with not accepted
connections due to certificate rejections - ask developers of all
mainstream XMPP software (server and client) to add CA into their lists.
But I do not find it as an appropriate and correct solution and would
like to open wide discussion about it instead.
Appreciate all meaningful posts in advance. (sorry for my English)
admin of one small public jabber.sk
More information about the Discussion