On 02/15/2017 02:48 AM, Ruslan N. Marchenko wrote:
> Ideally I'd like the load balancer to offload both TLS and stream
> negotiation, to filter out stream-flood (similar to syn-flood), e.g.
> pass/relay the connection to the pool only once the initial handshake is
> complete (stream/to + tls/SAN). That allows me to have the farm behind it
> focusing only on processing streams for my domains. (I'll probably even
> implement it for a clustering perf/ha solution.)

Isn't that exactly what direct TLS gives you?  You have the to (via
SNI), and you also know whether it's s2s or c2s traffic.  Oh also you
have actual tools written to use now that are proven to scale in
real-world use to far more connections than any XMPP server has, instead
of simple dreams of how you imagine a tool to be.

Point is, STARTTLS is a relic from a darker time when SNI, SRV, and ALPN
were not a thing; it's simply not required any more.
_______________________________________________
Standards mailing list
Info: https://mail.jabber.org/mailman/listinfo/standards
Unsubscribe: [email protected]
_______________________________________________
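As an added illustration (not code from the thread or from any XMPP server), here is a Python sketch of what a direct-TLS front end can read from the ClientHello before relaying anything: the SNI supplies the stream's `to`, and the ALPN id (assumed here to be the XEP-0368 ids "xmpp-client" / "xmpp-server") tells c2s from s2s, so off-domain or malformed hellos are dropped before reaching the pool. The served-domain set and the ClientHello builder used as input are constructed for the example.

```python
import struct

SERVED_DOMAINS = {"xmpp.example.net"}  # constructed: domains this farm serves

def build_client_hello(sni: str, alpn: list[str]) -> bytes:
    """Construct a TLS ClientHello record carrying SNI and ALPN (test input)."""
    host = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(host)) + host          # host_name entry
    sni_ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
    alpn_ext = struct.pack("!HHH", 16, len(protos) + 2, len(protos)) + protos
    exts = sni_ext + alpn_ext
    body = (b"\x03\x03" + bytes(32)        # client_version + random (zeros, constructed)
            + b"\x00"                      # empty session id
            + b"\x00\x02\x13\x01"          # one cipher suite
            + b"\x01\x00"                  # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def peek_sni_alpn(record: bytes):
    """Return (sni, [alpn ids]) from a ClientHello without completing any handshake."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 34                                                      # version + random
    pos += 1 + body[pos]                                          # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]          # cipher suites
    pos += 1 + body[pos]                                          # compression methods
    sni, alpn = None, []
    if pos + 2 > len(body):
        return sni, alpn                                          # no extensions at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0 and len(data) >= 5:                         # server_name
            sni = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii", "replace")
        elif etype == 16 and len(data) >= 2:                      # ALPN list
            p = 2
            while p < len(data):
                alpn.append(data[p + 1:p + 1 + data[p]].decode("ascii", "replace"))
                p += 1 + data[p]
    return sni, alpn

def route(record: bytes) -> str:
    """Pool choice a front end can make from the ClientHello alone."""
    sni, alpn = peek_sni_alpn(record)
    if sni not in SERVED_DOMAINS:
        return "reject"                       # not our domain: never reaches the pool
    if "xmpp-server" in alpn:
        return "s2s-pool"
    return "c2s-pool" if "xmpp-client" in alpn else "unknown-alpn"
```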