On Tue Oct 14 12:23:29 2008, Norman Rasmussen wrote:
> I'd like to know what the 'expected'/'best' mechanism in the
> following case is:
> - client (c2s) or server (s2s) connects to remote host
> - remote host announces it supports, but does not require TLS
> - TLS negotiations start, but initially fail (due to broken cert
>   chain, expired certs, etc)
> - remote server announces failure, and drops the tcp connection
>
> then what?

Then the remote server is broken - failure to verify a certificate should not cause a connection failure.

The circumstance where this does apply is where the two sides have no available cipher suites in common, and in that circumstance it's reasonable to retry without TLS if the local policy allows. However, this is such a vanishingly rare circumstance that it's not worth worrying about.

Dave.
-- 
Dave Cridland - mailto:[EMAIL PROTECTED] - xmpp:[EMAIL PROTECTED]
 - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
 - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
