On 2/3/21 2:49 PM, Marvin W wrote:
> > wss://<xmpp-service-name>:5443/ws
> > ws://<xmpp-service-name>:5443/ws
> > wss://<xmpp-service-name>/ws
> > ws://<xmpp-service-name>/ws
>
> - ws://...:5443/ws makes no sense. Port 5443 is obviously a reference to the HTTPS port 443, which is TLS encrypted, so you shouldn't make non-TLS connections to 5443. If any, use something like port 5080 or 5280.
I wouldn't sign the statement that "ws://...:5443/ws makes no sense.", as you can run any protocol on any port. But I could get convinced by the argument that separate ports for TLS and non-TLS result in easier server implementations. So I am fine with changing the port here.
> - While technically you could do STARTTLS over unencrypted WebSockets to get an encrypted connection, most clients probably won't do this and for browsers that's incredibly hard to implement. Non-TLS connections shouldn't be supported at all. So I'd opt for not providing implicit unencrypted ws endpoints at all.
Yeah, the "every new thing must only support TLS" stance. To be frank, I do not like it. Encryption is obviously desirable in many cases, but I believe there are also cases where it is not required. Surely, in the age of microservices and web-everything, those cases are probably the minority.
> - Same as Sam, I'd also opt to use a path that is specific to XMPP and not as generic as /ws - at least for the default port variant. Best would probably be to register and use a well-known URI, e.g. /.well-known/xmpp-websocket.
Note that you can run multiple services behind the same WebSocket URL, due to the Sec-WebSocket-Protocol header. And, as I explained, the current value '/ws' is ejabberd's default. But yes, having a more XMPP-specific path also has advantages. It is a trade-off.

I leave it at the council's discretion to decide about this and the former design decision.
> - The reason for the XEP seems to be to ease deployments and not require XEP-0156 because that relies on modifying the HTTPS server running on <xmpp-service-name>:443. Yet the wss://<xmpp-service-name>/ws endpoint would have exactly the same requirement and complexity to set up.
Given that I can easily configure my ejabberd to listen at 443, I don't think that this assessment is correct.
Again, my personal motivation stems from Smack's integration test suite and the XMPP server I use to run those against. I have access to port 443, but setting up XEP-0156 would involve multiple steps, including

- set up a webserver
- set up a TLS certificate
- create an XRD

which I avoided simply by using the proposed XEP.

- Florian
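The two discovery paths argued over above, XEP-0156 host-meta lookup versus the draft's implicit URLs, as an added example that is not part of the thread, the proposed XEP, ejabberd or Smack. It assumes a constructed host-meta document for the hypothetical service example.org (no network fetch, so it runs offline), takes the port 5443 and path /ws literally from the quoted draft text (both are still under discussion in the thread), and uses the "xmpp" subprotocol value from RFC 7395 for the Sec-WebSocket-Protocol header. Plaintext ws:// candidates are dropped unless the caller opts in, which is the client-side consequence of the TLS-only position.

```python
"""Pick an XMPP WebSocket endpoint: XEP-0156 host-meta first, implicit URLs second.

Added example for this thread; not code from the proposed XEP, ejabberd or Smack.
It parses a constructed host-meta document instead of fetching one, so it runs offline.
"""
from __future__ import annotations

import base64
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"
WEBSOCKET_REL = "urn:xmpp:alt-connections:websocket"  # link relation defined by XEP-0156
XMPP_SUBPROTOCOL = "xmpp"                              # WebSocket subprotocol from RFC 7395

# Constructed sample of what https://example.org/.well-known/host-meta could return.
SAMPLE_HOST_META = """<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'>
  <Link rel='urn:xmpp:alt-connections:xbosh' href='https://example.org/http-bind'/>
  <Link rel='urn:xmpp:alt-connections:websocket' href='wss://example.org/xmpp-websocket'/>
  <Link rel='urn:xmpp:alt-connections:websocket' href='ws://example.org/xmpp-websocket'/>
</XRD>
"""


def is_tls(url: str) -> bool:
    """Only wss:// gives transport encryption; a browser client cannot STARTTLS over ws://."""
    return urlsplit(url).scheme == "wss"


def websocket_links_from_host_meta(xrd_text: str) -> list[str]:
    """Return every XEP-0156 websocket href in document order (no TLS filtering here)."""
    root = ET.fromstring(xrd_text)
    return [
        link.get("href")
        for link in root.findall(f"{{{XRD_NS}}}Link")
        if link.get("rel") == WEBSOCKET_REL and link.get("href")
    ]


def implicit_endpoints(service: str, allow_plaintext: bool = False) -> list[str]:
    """The four URL forms quoted in the thread, in that order. Port 5443 and path /ws
    are the draft's values under discussion (assumption), not settled ones. Plaintext
    ws:// forms are dropped unless the caller explicitly opts in."""
    forms = [
        f"wss://{service}:5443/ws",
        f"ws://{service}:5443/ws",
        f"wss://{service}/ws",
        f"ws://{service}/ws",
    ]
    return [u for u in forms if allow_plaintext or is_tls(u)]


def resolve(service: str, host_meta: str | None, allow_plaintext: bool = False) -> list[str]:
    """Ordered candidate list: discovered endpoints first, implicit ones as fallback,
    duplicates removed, plaintext filtered the same way in both stages."""
    discovered = websocket_links_from_host_meta(host_meta) if host_meta else []
    ordered = discovered + implicit_endpoints(service, allow_plaintext=True)
    seen: set[str] = set()
    out: list[str] = []
    for u in ordered:
        if u in seen or not (allow_plaintext or is_tls(u)):
            continue
        seen.add(u)
        out.append(u)
    return out


def handshake_headers(url: str) -> dict[str, str]:
    """HTTP upgrade headers for one candidate. Sec-WebSocket-Protocol: xmpp is what lets
    a server multiplex XMPP with other WebSocket services behind the same path."""
    parts = urlsplit(url)
    return {
        "Host": parts.netloc,
        "Upgrade": "websocket",
        "Connection": "Upgrade",
        "Sec-WebSocket-Version": "13",
        "Sec-WebSocket-Key": base64.b64encode(os.urandom(16)).decode("ascii"),
        "Sec-WebSocket-Protocol": XMPP_SUBPROTOCOL,
    }


if __name__ == "__main__":
    for candidate in resolve("example.org", SAMPLE_HOST_META):
        print(candidate, handshake_headers(candidate)["Sec-WebSocket-Protocol"])
```

With the sample document the discovered wss:// link is tried first and the two implicit wss:// forms follow as fallback; the ws:// entries only appear when allow_plaintext=True, so a client that never sets it has the behaviour Marvin asks for regardless of what the server advertises.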
