I am not so sure about that. The idea is that generally users expect to
log into a server that's responsible for the domain part of their ID,
and that's what we try to check when logging in. We consider any other case
to warrant a warning.
This would require an IP address and jabber daemon for every domain
though. I run an ISP and offer jabber services on one domain
(orange.securityprotected.net), and have a number of domains using that
Ahm, no. This is true for HTTP, where TLS negotiation happens before any data from the client is sent to the server. But XMPP uses STARTTLS (an upgrade of an existing TCP connection to TLS). The client supplies its 'from' address before the TLS upgrade, and the server can select the matching certificate based on that address.
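A constructed illustration of the server-side selection this reply describes, not code from the thread or from any XMPP server: a daemon serving several domains on one IP address reads the domain out of the client's opening stream header (which crosses the wire in clear text before STARTTLS) and picks the certificate for that domain, much as SNI does for HTTPS. One assumption beyond the reply: RFC 6120 puts the addressed domain in the `to` attribute of the client's stream header and makes `from` optional, so the code prefers `to` and falls back to the domain part of `from`. The certificate table, the placeholder certificate strings and the header bytes are all made up for the example.

```python
"""Pre-STARTTLS certificate selection for a multi-domain XMPP server
(added example, not from the thread or any XMPP implementation)."""
import xml.parsers.expat

# Constructed: the certificates one jabber daemon could present, keyed by
# the domain each one identifies.  Strings stand in for real certificates.
CERTS_BY_DOMAIN = {
    "orange.securityprotected.net": "<cert: orange.securityprotected.net>",
    "dechrai.com": "<cert: _xmpp-client.dechrai.com>",
}
# Served when the client names a domain the daemon has no certificate for.
DEFAULT_CERT = CERTS_BY_DOMAIN["orange.securityprotected.net"]


def stream_header_domain(data):
    """Return the domain a client is opening a stream to, or None.

    Only the first start tag matters, and the <stream:stream> element is
    never closed at this point, so expat is fed the bytes as an unfinished
    document (isfinal=False).  'to' is the addressed domain; the domain part
    of 'from' is used when 'to' is missing."""
    found = {}

    def start(name, attrs):
        # Namespace processing is off, so the element arrives as "stream:stream".
        if name.endswith("stream") and not found:
            found.update(attrs)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    try:
        parser.Parse(data, False)
    except xml.parsers.expat.ExpatError:
        return None               # not an XML stream header at all
    if not found:
        return None               # start tag not complete yet
    if found.get("to"):
        return found["to"].lower().rstrip(".")
    if "@" in found.get("from", ""):
        return found["from"].rsplit("@", 1)[1].lower().rstrip(".")
    return None


def select_certificate(header):
    """(domain, certificate) the server should use for the TLS upgrade."""
    domain = stream_header_domain(header)
    return domain, CERTS_BY_DOMAIN.get(domain, DEFAULT_CERT)


# Constructed sample headers, exactly what a client sends before <starttls/>.
HEADER_DECHRAI = (b"<?xml version='1.0'?>"
                  b"<stream:stream xmlns='jabber:client' "
                  b"xmlns:stream='http://etherx.jabber.org/streams' "
                  b"to='dechrai.com' from='user@dechrai.com' version='1.0'>")
HEADER_FROM_ONLY = (b"<stream:stream xmlns='jabber:client' "
                    b"xmlns:stream='http://etherx.jabber.org/streams' "
                    b"from='someone@orange.securityprotected.net' version='1.0'>")
HEADER_UNKNOWN = (b"<stream:stream xmlns='jabber:client' "
                  b"xmlns:stream='http://etherx.jabber.org/streams' "
                  b"to='nobody.example' version='1.0'>")

if __name__ == "__main__":
    for h in (HEADER_DECHRAI, HEADER_FROM_ONLY, HEADER_UNKNOWN):
        print(select_certificate(h))
```

The point the reply makes is visible in `select_certificate`: the decision is taken from bytes the client sent in the clear, before any TLS handshake, so no SNI-style extension is needed for virtual hosting.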
I would expect under normal circumstances that if I logged in as
firstname.lastname@example.org to be checked against dechrai.com, but as I have
overridden the Connect Server to orange.securityprotected.net, would now
expect the SSL check to be done against orange.securityprotected.net.
We have such a comparison set up for SIP, but I'd rather prefer to avoid it, as all XMPP clients are required to support SRVs in the subjectAlternativeName. With that, it is possible to separate certificates based on their intended usage. A certificate issued for _xmpp-client.example.com cannot be used for anything else. A potential customer of yours could therefore submit to you a certificate for this SRV, but you couldn't fake his website with it, whose certificate is issued to example.com and www.example.com.
The other option would be to check the certificate against the SRV
record and then I'd use
_xmpp-client._tcp.dechrai.com. 900 IN SRV 5 0 5222
The comparison against SRVs is implemented in Jitsi, but then again the check is made against _xmpp-client.dechrai.com and not orange.securityprotected.net (because DNS is an unreliable source, DNSSEC left aside).
Any references (e.g. RFCs) that would recommend the contrary?
Nope, just going on a hunch based on the fact I've not had SSL cert
errors with any other jabber client that I've tried.
Could you name a few, please? Because the last time I was using some, I got a warning for my Google Web Apps account: such hosted accounts at Google face the exact same problem. The certificate presented by Google is for gmail.com for worldwide users, googlemail.de for German users (because of a stupid lawsuit that forbids them the use of gmail), and talk.google.com for all hosted domains. The servers behind it, however, are all hosted at talk.google.com (take a look at the SRVs). So Google uses the 'from' info as mentioned above.
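As an added example (not Jitsi code and not from the thread), the client-side check the last three replies argue about, in working Python: reference-identifier matching as RFC 6120 section 13.7.2 and RFC 6125 specify it, with the SRV-ID, XmppAddr and DNS-ID forms (and the CN fallback only for certificates without a subjectAltName), applied to the two policies the thread contrasts: checking the certificate against the domain part of the JID, which the reply says Jitsi does, versus additionally accepting a certificate for the manually configured connect server. Certificates are plain dicts constructed inline so the code runs without an X.509 parser; the names dechrai.com, orange.securityprotected.net, example.org and talk.google.com are taken from the thread, and the certificate contents attributed to them here are invented for illustration, not what any of those servers actually presents.

```python
"""XMPP server-certificate identity check (added example, not Jitsi's code).
Certificates are dicts built inline, so this runs offline."""

SRV_SERVICE = "xmpp-client"


def _dns_match(pattern, domain):
    """DNS-ID comparison per RFC 6125 section 6.4: case-insensitive exact
    match, or a wildcard confined to the left-most label ('*.example.com')."""
    pattern, domain = pattern.lower().rstrip("."), domain.lower().rstrip(".")
    if pattern == domain:
        return True
    if pattern.startswith("*."):
        head, _, rest = domain.partition(".")
        return head != "" and rest == pattern[2:]
    return False


def identity_matches(cert, domain, service=SRV_SERVICE):
    """Return the kind of identifier that binds `cert` to `domain`, or None.

    Order follows RFC 6120: SRV-ID (bound to one service), then XmppAddr,
    then DNS-ID.  The CN is consulted only when the certificate carries no
    subjectAltName identifiers at all (RFC 6125 section 6.4.4)."""
    san = cert.get("subjectAltName", {})
    domain = domain.lower().rstrip(".")
    for srv in san.get("SRVName", []):           # otherName 1.3.6.1.5.5.7.8.7
        svc, _, host = srv.lstrip("_").partition(".")
        if svc.lower() == service and host.lower().rstrip(".") == domain:
            return "SRV-ID"
    for addr in san.get("XmppAddr", []):         # otherName 1.3.6.1.5.5.7.8.5
        if addr.lower().rstrip(".") == domain:
            return "XmppAddr"
    for name in san.get("dNSName", []):
        if _dns_match(name, domain):
            return "DNS-ID"
    if not san and _dns_match(cert.get("commonName", ""), domain):
        return "CN-ID"
    return None


def check_server_cert(cert, jid_domain, connect_server=None,
                      trust_connect_server=False):
    """('ok' | 'warn', reason).  Strict policy: the certificate must identify
    the domain part of the JID.  Permissive policy (trust_connect_server):
    also accept a certificate for the configured connect server, i.e. trust
    whatever DNS or the user's settings pointed the client at."""
    kind = identity_matches(cert, jid_domain)
    if kind:
        return "ok", "%s for %s" % (kind, jid_domain)
    if trust_connect_server and connect_server:
        kind = identity_matches(cert, connect_server)
        if kind:
            return "ok", "%s for connect server %s, not for %s" % (
                kind, connect_server, jid_domain)
    return "warn", "certificate does not identify %s" % jid_domain


# Constructed certificates (contents invented for the example).
CERT_ISP = {"commonName": "orange.securityprotected.net",
            "subjectAltName": {"dNSName": ["orange.securityprotected.net"]}}
CERT_ISP_WITH_SRV = {"commonName": "orange.securityprotected.net",
                     "subjectAltName": {"dNSName": ["orange.securityprotected.net"],
                                        "SRVName": ["_xmpp-client.dechrai.com"]}}
CERT_SRV_ONLY = {"subjectAltName": {"SRVName": ["_xmpp-client.dechrai.com"]}}
CERT_HOSTING = {"commonName": "talk.google.com",
                "subjectAltName": {"dNSName": ["talk.google.com", "*.google.com"]}}

if __name__ == "__main__":
    print(check_server_cert(CERT_ISP, "dechrai.com", "orange.securityprotected.net"))
    print(check_server_cert(CERT_ISP, "dechrai.com", "orange.securityprotected.net",
                            trust_connect_server=True))
    print(check_server_cert(CERT_ISP_WITH_SRV, "dechrai.com", "orange.securityprotected.net"))
    print(check_server_cert(CERT_HOSTING, "example.org", "talk.google.com"))
```

`CERT_SRV_ONLY` shows the service binding the SIP-versus-SRV reply relies on: it satisfies the xmpp-client check for dechrai.com but matches nothing when asked for any other service or for a plain DNS-ID, so handing such a certificate to a hosting provider does not let the provider impersonate the customer's website.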