Hi Dave!
I'd argue that not supporting channel-binding means that you don't send any
XEP-0440 related elements, rather than sending an empty XEP-0440 cb-list (and
also don't advertise any *-PLUS methods, of course).
Imho that's fine with XEP-0388 which states:
> All servers and clients supporting channel-binding MUST implement SASL
> Channel-Binding Type Capability (XEP-0440) [1].
So a server without cb doesn't need to implement or send a XEP-0440 list at
all.
> The schema doesn't include a minOccurs, and that means minOccurs='1' by
> default. This means at least one channel binding MUST be included. Is this
> intentional?
Per my reasoning above, I'd say: yes.
-tmolitor
On Wednesday, 5 November 2025, 11:57:38 CET, Dave Cridland wrote:
> Thilo, sorry!
>
> I had somehow missed that SASL2 mandates XEP-0440. It makes a lot of sense.
>
> But...
>
> Openfire currently doesn't support any channel bindings.
>
> It is sometimes used in cases where there is no TLS at all. This is quite
> deliberate and sensible in this case, please don't argue with this! This
> means there will always be cases where there are no channel bindings
> available (because there's no channel to bind to!).
>
> The schema doesn't include a minOccurs, and that means minOccurs='1' by
> default. This means at least one channel binding MUST be included. Is this
> intentional?
>
> I appreciate this is an oddball case (and I can support tls-server-endpoint
> for most normal cases), but is this the intent here or was the expectation
> that the minOccurs should be '0'?
>
> (I know tls-server-endpoint MUST be implemented, but MTI is not MTD etc).
>
> Dave.