Set SNI to the server_name, not whatever was in the SRV record #3907
Conversation
Are you sure this is the right behaviour? I think SRV records are more like MX records. Just out of curiosity, I checked how the subject and SANs of certificates for MX hosts relate to hostnames. It seems that certificates are never issued for the main hostname, but rather for the MX hostnames. For example, gmail.com:
and their certificates are issued for the corresponding hostnames, not for the original gmail.com domain:
Additionally, as a third-party domain owner, you won't be able to delegate mail handling to Google without them having a certificate for your main domain in their possession. I checked a couple of other mail servers - namely, yandex.ru, mail.ru, yahoo.com, hotmail.com, wikipedia.org, xmpp.org, protonmail.com, aol.com - and only mail.ru has a certificate for the main domain on its MX server (and even then a few alternative domains, like inbox.ru, still point to the same MX server, which doesn't have a certificate for them). Here is the program I tested it with: https://gist.github.com/WGH-/d7f90fab9e2385f348aaba3bae4896a8
XMPP servers, on the other hand, usually have certificates for the main (originating) domain.
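As an added example (not Synapse's own code), this shows what the PR's change means in practice: the TCP connection still goes to the SRV target, but SNI and certificate verification use the original server_name, so a delegated host must hold a certificate for that name, which is the point the MX and XMPP comparisons above are making. The names example.org and mx1.hosting.example, the SRV result and the SAN list are constructed.

```python
import socket
import ssl
from dataclasses import dataclass

@dataclass
class Endpoint:
    server_name: str  # the Matrix server_name the client intends to reach
    srv_target: str   # host the (assumed, constructed) SRV lookup returned
    port: int

def san_matches(san_names, hostname):
    """Certificate name matching as a verifier does it: exact match, or a
    '*.' wildcard that covers exactly one label (never the bare domain)."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".hosting.example"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif name == host:
            return True
    return False

def tls_name_for(ep, policy):
    """Name placed in SNI and checked against the certificate:
    'server_name' is what this PR does, 'srv_target' is the old behaviour."""
    if policy == "server_name":
        return ep.server_name
    if policy == "srv_target":
        return ep.srv_target
    raise ValueError(policy)

def cert_acceptable(ep, san_names, policy):
    """Would the delegated host's certificate be accepted under this policy?"""
    return san_matches(san_names, tls_name_for(ep, policy))

def open_federation_tls(ep, policy="server_name", cafile=None):
    """Real connection: TCP to the SRV target, while SNI and verification use
    the policy's name. Not called here because it needs network access."""
    ctx = ssl.create_default_context(cafile=cafile)
    sock = socket.create_connection((ep.srv_target, ep.port))
    return ctx.wrap_socket(sock, server_hostname=tls_name_for(ep, policy))

# Constructed case mirroring the MX analogy: example.org delegates to a
# hosting provider whose certificate only names the provider's own hosts.
DELEGATED = Endpoint("example.org", "mx1.hosting.example", 8448)
PROVIDER_SANS = ["*.hosting.example", "hosting.example"]
```

Under the old policy the provider's certificate passes; under the PR's policy it fails until the provider also holds a certificate naming example.org.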
Thanks, having carefully read the discussion and the FAQ (https://github.com/matrix-org/synapse/blob/master/docs/MSC1711_certificates_FAQ.md), I came to the conclusion that
Running into a similar problem here. We're using Let's Encrypt with the HTTP-01 challenge (through traefik), and in our case, The server on Probably going to move to .well-known too, however I really dislike the fact that this creates another dependency (if the webserver on
Fixes #3843