23 maj 2013 kl. 17:06 skrev Jonas Wielicki <[email protected]>:
> Hi all, > > It's been discussend and I'm keen to find out about authenticated and > encrypted s2s. > > So I wonder what, if any, the current “standards” or suggestions on this > one are. I'm a fan of CACert, and I'd like to stick for that. How's the > reputation of CACert in the XMPP community? I believe I read somewhere > that hardly anyone really does validation of the s2s-TLS-connection if > one is used at all? > > To boil it down: What would I need as a server operator to have the > optimal setup for s2s TLS? > > If there are no standards yet here (although I guess there are some, > based on the behaviour of current implementations), I think we shall > discuss this, with the major blocker “Google Federation” out of the way. > In SIP we have a standard for s2s connection reuse, that basically says that without a client auth we need two tls connections. Before I send to you I need to know which domains you are responsible for. If there is a connection between us already that you set up, I have no idea on the domains you are responsible for unless I required a client cert, thus I can not reuse that TLS connections for requests the other way. If I required a client cert, I know which domains you are responsible for and can reuse the connection. In SIP, there's no clear distinction between s2s and c2s like we have in XMPP. A SIP server doesn't really know if the connection it is another server or a client. Luckily that problem doesn't exist in XMPP so being able to request a client cert is more simple. Now, with old SSL/TLS the server requiring a client cert had to say "I only accept client certs from these CA's". With TLS 1.x something this was removed, which opens up a lot of new possibilities for self-signed certs verified by other means, like with DANE or the HTTP/PKI verification that is being worked on. Unfortunately it's hard to require people to update their OpenSSL or gnuTLS stack to get this, which means that there has to be a small set of CAs used for client certs for this to work in a federation, which stinks... Just my 4 öre :-) /O
