Re: [prosody-dev] s2s_require_encryption and gmail.com

2016-01-23 Thread Kim Alvefur
Hi,

Replies inline. 

Fri Jan 22 23:14:13 2016 GMT+0100, François L. wrote:
> Hi,
> 
> I have the same problem.
> The log says:
> Jan 22 23:07:30 s2sout13310a8   info    outgoing s2s stream myserver.tld 
> ->gmail.com closed: Encrypted server-to-server communication is required 
> but was not offered
> Jan 22 23:07:30 s2sout13310a8   info    Sending error replies for 1 queued 
> stanzas because of failed outgoing connection to gmail.com
> 
> In my prosody.cnf.lua, there are:
> s2s_require_encryption = true

This means require encryption, no exceptions. We have no plans on supporting 
exceptions to this but someone could write a plugin for it if they really 
wanted ;) 

> s2s_insecure_domains = { "gmail.com", "xmpp-server.l.google.com" }

This adds an exception to s2s_secure_auth, not encryption requirements.

Setting s2s_secure_auth = true would implicitly require encryption except for 
those in  s2s_insecure_domains.
 
> (I added xmpp-server.l.google.com; it's the DNS entry for gtalk).

Only "gmail.com" would matter here, so this doesn't help.  

> Prosody 0.99

I assume you mean 0.9.9
 
> Any idea?
> 
> Crante
> 
> 
> On Friday 6 June 2014 20:47:43 UTC+2, Nicolás Reynolds wrote:
> >
> > Timothée Ravier  writes: 
> >
> > > Hi, 
> > > 
> > > I've read the XMPP TLS manifesto and I'd like to enforce it. But
> > > gmail.com doesn't do TLS and I'd like to exclude just this one.
> > > 
> > > I know that this is not ideal, but that's still better for me than the 
> > > current status: not enforcing TLS for anyone. 
> >
> > Without patching, I've tested a combination of s2s_require_encryption =
> > true and s2s_insecure_domains = { "gmail.com" }, but the second option
> > seems to be ignored. Is it meant to be used with s2s_require_encryption
> > = false or another option?
> >
> > Has anyone contacted Google about this? (Not that I think it's a cool
> > corp.)
> >
> > -- 
> > http://librevpn.org.ar 
> >
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "prosody-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to prosody-dev+unsubscr...@googlegroups.com.
> To post to this group, send email to prosody-dev@googlegroups.com.
> Visit this group at https://groups.google.com/group/prosody-dev.
> For more options, visit https://groups.google.com/d/optout.
>

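The interaction of the three options described in the reply above, as an added example that is not part of the original message and not Prosody's own code. It is a simplified Lua model: `decide`, the `remote` fields and the sample peers are hypothetical, and example.org and example.net are constructed domains.

```lua
-- Simplified model of the rules stated in the reply; not Prosody source code.
-- decide() and the fields of `remote` are hypothetical names for illustration.

-- Build a lookup set from a list such as s2s_insecure_domains.
local function set(list)
  local s = {}
  for _, v in ipairs(list or {}) do s[v] = true end
  return s
end

-- cfg uses the option names from the thread.
-- remote (constructed): domain, offers_tls, cert_valid.
local function decide(cfg, remote)
  local insecure = set(cfg.s2s_insecure_domains)
  -- s2s_require_encryption: no exceptions, s2s_insecure_domains is not consulted.
  if cfg.s2s_require_encryption and not remote.offers_tls then
    return false, "encryption required but not offered"
  end
  -- s2s_secure_auth: implies encryption, except for s2s_insecure_domains.
  if cfg.s2s_secure_auth and not insecure[remote.domain] then
    if not remote.offers_tls then
      return false, "secure auth implies encryption"
    end
    if not remote.cert_valid then
      return false, "certificate not trusted"
    end
  end
  return true, "allowed"
end

local configs = {
  -- What the poster had: the exception list has no effect on encryption.
  poster = { s2s_require_encryption = true,
             s2s_insecure_domains = { "gmail.com", "xmpp-server.l.google.com" } },
  -- What the reply describes: the exception applies to s2s_secure_auth.
  reply  = { s2s_secure_auth = true,
             s2s_insecure_domains = { "gmail.com" } },
}
local peers = {  -- constructed sample peers
  { domain = "gmail.com",   offers_tls = false, cert_valid = false },
  { domain = "example.org", offers_tls = false, cert_valid = false },
  { domain = "example.net", offers_tls = true,  cert_valid = true  },
}
for _, name in ipairs({ "poster", "reply" }) do
  for _, peer in ipairs(peers) do
    local ok, why = decide(configs[name], peer)
    print(name, peer.domain, ok and "connect" or "refuse", why)
  end
end
```

With the `reply` settings, a domain listed in `s2s_insecure_domains` is exempt from both the certificate check and the implied encryption requirement, so traffic to it may travel unencrypted.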


Re: [prosody-dev] s2s_require_encryption and gmail.com

2014-05-22 Thread Hugo Osvaldo Barrera
On 2014-05-21 20:57, Luis G.F wrote:
> It is your decision, but in my modest opinion, allowing unencrypted
> gmail.com connections is dangerous for the jabber network. If you allow
> this with gmail.com, sooner or later you will also allow facebook.com or
> any other; you will always be a slave to others. It is better for your
> users to teach them to use another jabber service.

The problem is:
a) They no longer care about federation and are slowly breaking it. If
we isolate from gtalk, they won't care and they won't fix it.

b) The majority of my contacts use google's xmpp. This is probably
true for almost everyone else out there, since their userbase is simply
colossal. We can't just stop talking to that many users.

> On 21/05/14 19:42, Adrien Clerc wrote:
> > Not really. A lot of users are using Google services, including GTalk
> > (even if they don't know the name of this service). The problem for us
> > is that we cannot afford ignoring what Google is doing, because we
> > cannot force these users to use another XMPP service.
> > For example, right now, since Google broke its s2s, I cannot speak with
> > anyone unless they talk to me first. This is annoying. But I have to
> > deal with it…
> >
> > Adrien



-- 
Hugo Osvaldo Barrera
A: No, it doesn't make sense.
Q: Should I include quotations *after* my reply?

