XEP-0206 1.4rc2 says:
Note: Inclusion of TLS negotiation elements is allowed but is NOT
RECOMMENDED. The definition of how TLS might be implemented over BOSH is
currently beyond the scope of this document. Instead, channel encryption
SHOULD be completed at the HTTP (transport) layer, not the XMPP
(application) layer.
and
Note: The client SHOULD ignore any Transport Layer Security (TLS)
feature since BOSH channel encryption SHOULD be negotiated at the HTTP
layer.
I think it would be cleaner to say that TLS MUST NOT be negotiated in
BOSH, and that if confidentiality and data integrity are needed then
they MUST be negotiated at the HTTP layer.
Also it would be good to make sure that BOSH is aligned with the XMPP
over WebSocket spec on this point (but I'll provide feedback about that
on the XMPP WG list).
Peter
--
Peter Saint-Andre
https://stpeter.im/
