[jdev] TLS Everywhere
fippo at goodadvice.pages.de
Sat Nov 2 16:35:22 UTC 2013
> Whereas the deployment piece says
>> >o require the use of TLS for both client-to-server and server-to-server
> Doesn't that exclude Server Dialback? Please help me understand this.
No. You use this (called starttls+dialback) if, after setting up TLS, you
notice that you can't trust the peer certificate for strong authentication.
So you have an encrypted stream from TLS and the relatively robust
spoofing protection from dialback. It's safe from passive attacks.