Justin Karneges wrote:
On Wednesday 18 May 2005 09:42 am, Stephen Marquard wrote:

Justin Karneges wrote:

If this was meant to be possible, it certainly isn't clear in RFC 3920. Is this an extension documented somewhere?

You do TLS as documented for streams (if advertised as a stream feature), and then dialback as documented. TLS doesn't add much additional complexity - the only subtlety is to wait for TLS to complete once it's started before sending any dialback packets.

The spec does not discuss dialback with TLS, or even <stream:features> for that matter. My problem with what you describe is that it would probably cause breakage between jabberd and my own server implementation which was created according to the spec. Please don't make stuff up. If we really want dialback + TLS, this _needs_ to be documented in the RFC.

Some observations:

1. None of the open source jabber servers (j1, j2, ejabberd, etc.) are XMPP compliant in all regards - cf. http://www.jabber.org/admin/jsc/. XMPP 14.7 says "At a minimum, all implementations MUST support ... SASL, TLS, TLS plus SASL EXTERNAL".

2. Compliant XMPP servers that want to interoperate on the public jabber network already need to assume that they may be talking to jabber servers that don't support all of XMPP.

3. Dialback + TLS is a sensible extension of dialback + stream features for supporting TLS, even though strictly speaking it violates XMPP (which requires TLS to be used with SASL). It's sensible in that it doesn't break connecting to servers that don't support TLS, and servers that talk to dialback+TLS-enabled servers should simply look at the stream features offered to see if SASL is available or not. If not, they can choose not to use TLS at all, to remain strictly XMPP compliant.

4. Dialback + TLS has been independently implemented in j1 and j2 with no operational problems so far attributed to its use on the public jabber network.

5. The main barrier to TLS+SASL on the public jabber network seems to be the long-standing debate about which CAs should and shouldn't be trusted. This seems to come up about every 6 months.

So if everyone with an interest in the public jabber network could agree on 5, then we could all get on with implementing TLS+SASL support in a way which had some practical benefit outside intranet deployments, and produce XMPP-compliant servers.

Right now, TLS+Dialback is providing the benefit of encrypting s2s streams while the larger question gets sorted out. If necessary it could be written up in a JEP, but it's not that complex.

Regards
Stephen

_______________________________________________
jdev mailing list
[email protected]
http://mail.jabber.org/mailman/listinfo/jdev
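The negotiation policy sketched in point 3 (look at the peer's stream features, prefer TLS+SASL, fall back to TLS+dialback when only STARTTLS is offered, or to plain dialback if strict RFC 3920 behaviour is required) together with the ordering rule from the quoted reply (no dialback packet may leave while the TLS handshake is in flight), as an added example that is not part of the original thread or of any of the servers named in it. The `OutboundS2S` class, `run_handshake`, the `strict_xmpp` switch and the sample `<stream:features>` fragments are constructed for this illustration; the namespaces are the standard XMPP ones, and the `<db:result>` element is the dialback stanza from the jabber:server:dialback namespace.

```python
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_DIALBACK = "jabber:server:dialback"

# Constructed <stream:features> fragments standing in for three kinds of peer.
FEATURES_TLS_AND_SASL = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>EXTERNAL</mechanism></mechanisms>
</stream:features>"""
FEATURES_TLS_ONLY = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
</stream:features>"""
FEATURES_NONE = '<stream:features xmlns:stream="http://etherx.jabber.org/streams"/>'


def parse_features(xml_text):
    """Return what the peer advertised: STARTTLS yes/no and the SASL mechanism names."""
    root = ET.fromstring(xml_text)
    starttls = root.find(f"{{{NS_TLS}}}starttls") is not None
    mechanisms = [m.text for m in root.findall(f"{{{NS_SASL}}}mechanisms/{{{NS_SASL}}}mechanism")]
    return {"starttls": starttls, "sasl": mechanisms}


def choose_path(features, strict_xmpp=False):
    """Policy from the thread: TLS+SASL when both are offered; TLS+dialback when only
    STARTTLS is offered, unless local policy (hypothetical strict_xmpp flag) insists on
    strict RFC 3920 behaviour, in which case dialback runs without TLS."""
    if features["starttls"] and features["sasl"]:
        return "tls+sasl"
    if features["starttls"] and not strict_xmpp:
        return "tls+dialback"
    return "dialback"


class OutboundS2S:
    """Sender-side state for one originating s2s stream (hypothetical helper)."""

    def __init__(self, origin, target):
        self.origin, self.target = origin, target
        self.tls_state = "none"   # none -> pending -> established
        self.sent = []            # stanzas emitted, in order

    def start_tls(self):
        self.sent.append(f'<starttls xmlns="{NS_TLS}"/>')
        self.tls_state = "pending"

    def on_proceed(self):
        # <proceed/> received: the handshake runs, then the stream restarts over TLS.
        self.tls_state = "established"

    def send_dialback_result(self, key):
        # The subtlety from the thread: once STARTTLS has been sent, nothing else may go
        # out until the handshake completes, or the dialback key lands on the cleartext socket.
        if self.tls_state == "pending":
            raise RuntimeError("TLS negotiation in progress; dialback must wait")
        self.sent.append(
            f'<db:result xmlns:db="{NS_DIALBACK}" from="{self.origin}" to="{self.target}">{key}</db:result>'
        )


def run_handshake(features_xml, strict_xmpp=False, peer_proceeds=True, key="constructed-key"):
    """Drive one outbound negotiation; returns (path, stanzas sent, final TLS state)."""
    conn = OutboundS2S("example.org", "example.net")
    features = parse_features(features_xml)
    path = choose_path(features, strict_xmpp)
    if path.startswith("tls"):
        conn.start_tls()
        if not peer_proceeds:
            # <failure/> in reply to <starttls/>: the initiator closes the stream.
            return path, conn.sent, "closed"
        conn.on_proceed()
    if path == "tls+sasl":
        mech = "EXTERNAL" if "EXTERNAL" in features["sasl"] else features["sasl"][0]
        conn.sent.append(f'<auth xmlns="{NS_SASL}" mechanism="{mech}"/>')
    else:
        conn.send_dialback_result(key)
    return path, conn.sent, conn.tls_state


if __name__ == "__main__":
    for name, xml in (("tls+sasl peer", FEATURES_TLS_AND_SASL),
                      ("tls-only peer", FEATURES_TLS_ONLY),
                      ("legacy peer", FEATURES_NONE)):
        print(name, "->", run_handshake(xml))
```

The `strict_xmpp` switch is the choice point from point 3: a server that wants to stay strictly RFC 3920 compliant sets it and only ever encrypts when SASL is also on offer; a server that values encrypted s2s streams now leaves it off and does TLS+dialback against peers that advertise STARTTLS alone.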