On Mon, Oct 20, 2025 at 12:47 PM Dave Cridland <dave(a)cridland.net> wrote:
  Stock Java still doesn't support tls-exporter. You
can use Bouncy Castle, though (and even unto FIPS), and get access - if local policy
allows, which it might not. Otherwise you're stuck with tls-server-endpoint - which is
still better than nothing of course. 
I’m reading this as an argument on why this XEP should exist (allowing
the server to announce what channel binding features it supports),
rather than an argument that the security considerations should keep
requiring endpoint.
  The web browser doesn't support anything useful at
all, you're entirely out for channel binding - and therefore may wish to support
"non channel binding" versions. 
FWIW WebTransport is close to ready and has exporter support.
  Any server operating behind a load balancer that
terminates TLS cannot do anything but tls-server-endpoint, of course. 
Someone apparently has a prototype that transmits the exporter bytes
from the TLS termination proxy to the XMPP server via proxy
protocol...
But yes, giving people the option to do endpoint is certainly desired.