Hey Mathieu, thanks for the nice words :)
Regarding the Pre-TLS auth options I honestly do not know. I always took comfort in the fact that no auth can proceed before startssl took place, so I always saw those options as "there, but defunct". If anyone here knows how to disable all auth mechanisms prior to startssl I am more than happy to extend that article :)

-Chris.

On 17/12/14 13:00, Mathieu Pasquet wrote:
> Hello,
>
> It was a good read, thank you. I have been assuming for a while that
> achieving decent security levels with openfire was close to impossible,
> and I am glad to see that while it needs some tinkering, it is still
> possible.
>
> That being said, it appears your server still offers the possibility of
> unencrypted connection and, more concerning, PLAIN through an unencrypted
> connection, which is quite bad from a security point of view. Is that
> impossible to prevent using openfire?
>
> I would also suggest the subjectAltName extension instead of the Common
> Name for setting up the certificate, but it works anyway.
>

--
Christian Reiss - [email protected]      /"\  ASCII Ribbon
                                       \ /  Campaign
GPG Key: http://gpg.christian-reiss.de  X   against HTML
Jabber : [email protected]                / \  in eMails

"It's better to reign in hell than to serve in heaven.",
John Milton, Paradise lost.
signature.asc
Description: OpenPGP digital signature
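The exposure Mathieu describes (SASL PLAIN advertised on the still-cleartext stream, next to an optional STARTTLS) can be checked from the first `<stream:features>` a server sends. The following is an added example, not code from either poster or from Openfire; the two feature elements are constructed samples standing in for what a capture or test client would record before STARTTLS.

```python
"""Audit the pre-TLS <stream:features> an XMPP server sends (added example)."""
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample: STARTTLS optional, PLAIN usable on the cleartext stream.
WEAK_FEATURES = f"""<stream:features xmlns:stream="{NS_STREAM}">
  <starttls xmlns="{NS_TLS}"/>
  <mechanisms xmlns="{NS_SASL}">
    <mechanism>PLAIN</mechanism><mechanism>DIGEST-MD5</mechanism>
    <mechanism>SCRAM-SHA-1</mechanism>
  </mechanisms>
</stream:features>"""

# Constructed sample: STARTTLS required, no SASL offered before TLS.
HARDENED_FEATURES = f"""<stream:features xmlns:stream="{NS_STREAM}">
  <starttls xmlns="{NS_TLS}"><required/></starttls>
</stream:features>"""


def audit_pre_tls_features(features_xml: str) -> dict:
    """Describe what the server exposes before any TLS handshake."""
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{NS_STREAM}}}features":
        raise ValueError("not a <stream:features> element")
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    mechs = [(m.text or "").strip() for m in root.iter(f"{{{NS_SASL}}}mechanism")]
    mechs = [m for m in mechs if m]
    return {
        "starttls_offered": starttls is not None,
        "starttls_required": starttls is not None
        and starttls.find(f"{{{NS_TLS}}}required") is not None,
        "pre_tls_mechanisms": mechs,
        # PLAIN and LOGIN send the password itself; on cleartext that is the worst case.
        "plaintext_password_pre_tls": any(m in ("PLAIN", "LOGIN") for m in mechs),
    }


def is_acceptable(report: dict) -> bool:
    """Pass only if TLS is mandatory and no SASL mechanism is reachable before it."""
    return report["starttls_required"] and not report["pre_tls_mechanisms"]


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_FEATURES), ("hardened", HARDENED_FEATURES)):
        rep = audit_pre_tls_features(xml)
        print(name, "OK" if is_acceptable(rep) else "EXPOSED", rep)
```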
