[Operators] requiring channel encryption

Daniel Willmann daniel at totalueberwachung.de
Tue Apr 29 16:52:00 CDT 2008


Hello,

On Tue, 29 Apr 2008 14:50:21 -0600
Peter Saint-Andre <stpeter at stpeter.im> wrote:

> The jabber.org admin team has been discussing the option of requiring
> STARTTLS (or legacy SSL on port 5223) for client-to-server
> connections, and STARTTLS for server-to-server connections. I'm
> wondering:
> 
> 1. Are any other XMPP services doing this right now (for c2s or s2s or
> both)?

I'm admin of a rather small XMPP server at totalueberwachung.de and
I've been requiring encrypted c2s connections from the start. All
clients I have played with support at least legacy SSL so I don't think
that should be a big problem.
Be aware, though, that some clients (older versions of Psi) don't
support STARTTLS and don't try SSL by default. So for some users it
will seem like jabber.org stopped working without any useful error
message.

> 2. Are there any clients of importance that don't support either SSL
> or STARTTLS?
> 
> 3. What is your guess as to the percentage of XMPP services that won't
> be able to connect to jabber.org for s2s when we make this change
> (even if we accept self-signed certificates)? ;-)

Requiring encryption for s2s is certainly a good idea and I welcome it.
I'm not sure how big the fallout would be. I already try to encrypt s2s
connections if possible and so far:

thebe ~ # grep "is now valid" /var/log/jabber/current |wc -l
563
thebe ~ # grep "is now valid, SSL" /var/log/jabber/current |wc -l
386

So 68% of my connections are encrypted. But as far as I know all
Google-hosted connections don't support SSL, at least Gmail doesn't for
me.

> I think we need to do this eventually because channel encryption is a
> Good Thing -- it's just a matter of time. But feedback from other
> service providers is welcome...

I personally wouldn't mind, but it will come with a cost (especially
for s2s).

Regards,
Daniel Willmann
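
Added example, not part of the original post: a per-peer version of the two grep counts above, which shows the overall encrypted share and also which s2s peers never negotiated SSL and would be cut off if encryption were required. Only the phrases "is now valid" and "is now valid, SSL" come from the post; the rest of the log line layout, the peer names and the function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample. Only the phrases "is now valid" and "is now valid, SSL"
# come from the post; the timestamps, the quoted route field and the peer
# names are assumptions made for this example.
SAMPLE_LOG = """\
Apr 29 16:01:02 s2s outgoing route 'peer-a.example' is now valid, SSL negotiated
Apr 29 16:03:10 s2s outgoing route 'peer-b.example' is now valid
Apr 29 16:05:44 s2s incoming route 'peer-a.example' is now valid, SSL negotiated
Apr 29 16:09:31 s2s outgoing route 'peer-c.example' is now valid
Apr 29 16:12:00 s2s outgoing route 'peer-c.example' is now valid, SSL negotiated
Apr 29 16:20:17 s2s incoming route 'peer-b.example' is now valid
Apr 29 16:21:00 s2s connection to 'peer-d.example' timed out
"""

# Assumed layout: the peer name is quoted directly before "is now valid".
ROUTE_RE = re.compile(r"route '([^']+)' is now valid(, SSL)?")


def tally(lines):
    """Return {peer: [plaintext_count, ssl_count]} for validated routes."""
    peers = defaultdict(lambda: [0, 0])
    for line in lines:
        m = ROUTE_RE.search(line)
        if m:
            peers[m.group(1)][1 if m.group(2) else 0] += 1
    return dict(peers)


def summarize(peers):
    """Overall encrypted share plus the peers a TLS requirement would affect."""
    total = sum(p + s for p, s in peers.values())
    ssl = sum(s for _, s in peers.values())
    return {
        "total": total,
        "ssl": ssl,
        "percent_ssl": round(100 * ssl / total, 1) if total else 0.0,
        # Never negotiated SSL: would lose s2s if encryption were required.
        "plaintext_only": sorted(d for d, (p, s) in peers.items() if s == 0),
        # Negotiated SSL only some of the time: worth checking beforehand.
        "mixed": sorted(d for d, (p, s) in peers.items() if p and s),
    }


if __name__ == "__main__":
    print(summarize(tally(SAMPLE_LOG.splitlines())))
```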