[jdev] XMPP "APIs"

Jonas Wielicki xmpp-dev at sotecware.net
Sun Jan 13 12:06:08 UTC 2013


On 13.01.2013 09:47, Justin Karneges wrote:
> On Saturday, January 12, 2013 01:03:59 PM Jonas Wielicki wrote:
>> It seems just natural to me to use XMPP for that purpose, however, I'm a
>> bit cautious with just accepting the XMPP servers authentication. I know
>> that I'm pretty safe when I'm doing that between my own servers running
>> on the same machine, but from outwards I could easily be MITM'd.
> 
> Good point. I think this problem can be mostly solved with TLS and s2s. My 
> plan, which I have not yet implemented, is to allow setting a "TLS required" 
> flag on any whitelisted JID. The XMPP server itself would not enforce TLS, and 
> instead negotiate it opportunistically, but I'd need to hack it to tell my 
> server app whether an incoming stanza arrived from a TLS-protected stream or 
> not, so that my server app could make the choice of whether to accept or 
> reject.

In that case, you have to make sure that your server properly validates
certificates and such, which won't work with all other servers. See
gtalk, which doesn't do any s2s TLS. There has been some discussion on
the operator list about the topic of certificates and trust a few weeks
ago, which started about here[1].

-- Jonas

   [1]: http://mail.jabber.org/pipermail/operators/2012-December/001540.html


More information about the JDev mailing list