[jadmin] STARTTLS on s2s links

Peter Saint-Andre stpeter at jabber.org
Mon Oct 24 12:36:21 CDT 2005


Matthias Wimmer wrote:

> Out of curiosity I started to log on amessage which s2s connections are 
> established using the STARTTLS stream feature and are therefore 
> encrypted. The result of about 20 hours is that there are at least the 
> following servers on the public Jabber network, that support STARTTLS on 
> s2s links:

<snip/>

Very interesting.

> Nice to see more servers than I expected, but still far too few servers 
> support encryption on server to server links.

There are probably several reasons:

1. Not all server implementations support TLS + SASL External for s2s 
(or deployments haven't been upgraded yet to recent software versions 
that support these features).

2. Many server admins care about security but don't understand use of 
certificates with XMPP (e.g., no good HOWTOs) so they just do without.

3. Many server admins don't care about security enough to complain about 
(1) and overcome (2).

Also, I wonder: are these servers presenting self-signed certificates? 
Are admins waiting for certification authorities to provide the proper 
XMPP data in certificates before they deploy TLS+SASL for s2s? Should we 
push harder on our friends at http://www.cacert.org/ for XMPP support in 
their certificates?

Peter

-- 
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml