[jdev] TLS and self-signed certs

JD Conley jconley at winfessor.com
Thu Nov 11 18:49:10 CST 2004


Allowing self signed (or otherwise untrusted) certs with STARTTLS +
EXTERNAL is opening yourself up for a serious security breach.  Using it
with stream:features over dialback would give you encryption with a self
signed cert and trust through the DNS system.  STARTTLS + Dialback
offers some level of trust along with encryption without having to worry
about the complexities of a certificate chain.

So, I agree, with both of you.  :)  We have implemented STARTTLS +
EXTERNAL for S2S in SoapBox Server and allow administrators to choose
the level of trust they require.  I assume if the community gets behind
it we'll implement STARTTLS + dialback as well.

JD

> -----Original Message-----
> From: Peter Saint-Andre [mailto:stpeter at jabber.org]
> Sent: Thursday, November 11, 2004 4:05 PM
> To: jdev at jabber.org
> Subject: [jdev] TLS and self-signed certs
> 
> http://web.amessage.info/news/article/2981 asserts that one cannot use
> self-signed certs with TLS for securing XMPP streams. I don't think
> that's true, since we took that into account when writing RFC3920.
> 
> Also, I am working with the folks from CAcert.org on building
JabberIDs
> (for any kind of Jabber entity) into CAcert-issued certificates.
> 
> Peter




More information about the JDev mailing list