On Wednesday 27 October 2004 01:26 am, Alex Kogan wrote:
> Hello Justin,
>
> > SASL would be even easier (if PHP can do it...). But yes he should
> > definitely use one of these at least. No sense in making a new security
> > protocol.
>
> I do not intend to invent a new security protocol, I will rework XMPP
> for my needs, however, I need some practical advice on implementing
> either SASL or TLS to prevent sniffing.
Get some libraries. :)

TLS acts as a filter over your entire connection. When you have data to write, you instead write it to your TLS library for encryption first. When data comes from the TCP socket, you pass it to your TLS library to have it decrypted. It acts as a middleman for your socket. There is an initial negotiation phase where optional certificates are exchanged so that both parties can identify themselves. The most common case is for the client to not provide one (anonymous), but the server does. The client will then prove who it is later using a separate authentication method over this now-encrypted connection.

SASL is similar, but it has two phases. The first step is authentication, whereby the client and server exchange blocks of data constructed by each other's SASL libraries. The applications themselves pass this data across as defined by the application protocol (for example, in XMPP, the SASL auth blocks are Base64-encoded and placed in an XML element). Once the login is complete, the application then runs all further incoming and outgoing data through the SASL library (just like how TLS works) to encrypt the connection.

In XMPP, we generally use TLS for connection encryption, with either SASL or some older mechanism for login/password authentication. The reason for using both when SASL should suffice is that SASL is relatively new to the world of Jabber.

-Justin

_______________________________________________
jdev mailing list
http://mail.jabber.org/mailman/listinfo/jdev
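Justin's description of the SASL authentication phase (opaque blocks built by each side's SASL code, which the application Base64-encodes and places in an XML element) as an added, runnable example; this is not code from the thread or from any Jabber project. The mechanism is my choice, SCRAM-SHA-1 (RFC 5802), which the message does not name; the XML framing uses the XMPP SASL namespace `urn:ietf:params:xml:ns:xmpp-sasl`, and carrying the server's final proof in the `<success>` element follows the later XMPP revision (RFC 6120). Usernames, passwords and nonces are constructed for the demonstration. SCRAM has no security layer, so the second phase (encrypting the session through the SASL library) is not shown; in XMPP, as the reply says, TLS does that job.

```python
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"  # XMPP SASL namespace (RFC 3920/6120)


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Application layer: XMPP treats the SASL blocks as opaque, Base64-encodes them
# and places them in an element of the SASL namespace, as the reply describes.
def wrap(tag: str, block: bytes, mechanism: str = "") -> str:
    el = ET.Element(tag, xmlns=SASL_NS)
    if mechanism:
        el.set("mechanism", mechanism)
    el.text = base64.b64encode(block).decode("ascii")
    return ET.tostring(el, encoding="unicode")


def unwrap(stanza: str) -> bytes:
    return base64.b64decode(ET.fromstring(stanza).text or "")


class ScramClient:
    """Client side of SCRAM-SHA-1 (RFC 5802); the password itself never leaves the client."""

    def __init__(self, username: str, password: str):
        self.user, self.password = username, password.encode()
        self.cnonce = base64.b64encode(os.urandom(18)).decode()  # constructed nonce

    def first(self) -> bytes:
        self.bare = f"n={self.user},r={self.cnonce}"
        return ("n,," + self.bare).encode()  # "n,," = GS2 header, no channel binding

    def final(self, server_first: bytes) -> bytes:
        fld = dict(x.split("=", 1) for x in server_first.decode().split(","))
        if not fld["r"].startswith(self.cnonce):
            raise ValueError("server nonce does not extend the client nonce")
        salted = hashlib.pbkdf2_hmac("sha1", self.password, base64.b64decode(fld["s"]), int(fld["i"]))
        client_key = _hmac(salted, b"Client Key")
        stored_key = hashlib.sha1(client_key).digest()
        without_proof = f"c=biws,r={fld['r']}"  # "biws" is base64("n,,")
        self.auth_msg = f"{self.bare},{server_first.decode()},{without_proof}".encode()
        proof = _xor(client_key, _hmac(stored_key, self.auth_msg))  # ClientKey XOR ClientSignature
        self.server_key = _hmac(salted, b"Server Key")
        return f"{without_proof},p={base64.b64encode(proof).decode()}".encode()

    def verify(self, server_final: bytes) -> bool:
        """Mutual authentication: the server must prove it holds ServerKey."""
        expected = b"v=" + base64.b64encode(_hmac(self.server_key, self.auth_msg))
        return hmac.compare_digest(server_final, expected)


class ScramServer:
    """Server side; stores only salt, iteration count, StoredKey and ServerKey."""

    def __init__(self, username: str, password: str, iterations: int = 4096):
        self.user, self.salt, self.iters = username, os.urandom(16), iterations
        salted = hashlib.pbkdf2_hmac("sha1", password.encode(), self.salt, iterations)
        self.stored_key = hashlib.sha1(_hmac(salted, b"Client Key")).digest()
        self.server_key = _hmac(salted, b"Server Key")

    def first(self, client_first: bytes) -> bytes:
        self.bare = client_first.decode()[3:]  # strip the GS2 header
        fld = dict(x.split("=", 1) for x in self.bare.split(","))
        if fld["n"] != self.user:
            raise ValueError("unknown user")
        self.nonce = fld["r"] + base64.b64encode(os.urandom(18)).decode()
        self.server_first = f"r={self.nonce},s={base64.b64encode(self.salt).decode()},i={self.iters}"
        return self.server_first.encode()

    def final(self, client_final: bytes) -> bytes:
        without_proof, proof_b64 = client_final.decode().rsplit(",p=", 1)
        fld = dict(x.split("=", 1) for x in without_proof.split(","))
        if fld["r"] != self.nonce:
            raise ValueError("nonce mismatch")
        auth_msg = f"{self.bare},{self.server_first},{without_proof}".encode()
        # Recover ClientKey = ClientProof XOR ClientSignature; its SHA-1 must equal StoredKey.
        client_key = _xor(base64.b64decode(proof_b64), _hmac(self.stored_key, auth_msg))
        if not hmac.compare_digest(hashlib.sha1(client_key).digest(), self.stored_key):
            raise ValueError("not-authorized")
        return b"v=" + base64.b64encode(_hmac(self.server_key, auth_msg))


def run_exchange(username: str, password: str, server_password: str) -> list:
    """Drive a full exchange; returns the XMPP stanzas in the order they cross the wire."""
    client = ScramClient(username, password)
    server = ScramServer(username, server_password)  # constructed credential store
    wire = [wrap("auth", client.first(), "SCRAM-SHA-1")]
    wire.append(wrap("challenge", server.first(unwrap(wire[-1]))))
    wire.append(wrap("response", client.final(unwrap(wire[-1]))))
    try:
        wire.append(wrap("success", server.final(unwrap(wire[-1]))))
    except ValueError:
        wire.append(f'<failure xmlns="{SASL_NS}"><not-authorized/></failure>')
        return wire
    if not client.verify(unwrap(wire[-1])):
        raise ValueError("server proof invalid")
    return wire


if __name__ == "__main__":
    for stanza in run_exchange("alice", "correct horse", "correct horse"):
        print(stanza)
```

Running the script prints the four stanzas (`auth`, `challenge`, `response`, `success`). Only salted proofs cross the wire, so a sniffer on an unencrypted socket learns the username and nonces but not the password, and a wrong password ends in `<failure>`. Everything the client sends after login is still cleartext, which is why the reply pairs SASL with TLS.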
