[Operators] requiring channel encryption

Peter Saint-Andre stpeter at stpeter.im
Tue Apr 29 17:28:05 CDT 2008


Daniel Willmann wrote:
> Hello,
> 
> On Tue, 29 Apr 2008 14:50:21 -0600
> Peter Saint-Andre <stpeter at stpeter.im> wrote:
> 
>> The jabber.org admin team has been discussing the option of requiring
>> STARTTLS (or legacy SSL on port 5223) for client-to-server
>> connections, and STARTTLS for server-to-server connections. I'm
>> wondering:
>>
>> 1. Are any other XMPP services doing this right now (for c2s or s2s or
>> both)?
> 
> I'm admin of a rather small XMPP server at totalueberwachung.de and
> I've been requiring encrypted c2s connections from the start. All
> clients I have played with support at least legacy SSL so I don't think
> that should be a big problem.

The big problem seems to be Miranda, since it requires a plugin for SSL
support. I've sent a message to the Miranda developers list about this.

> Be aware though, that some clients (older versions of psi) don't
> support STARTTLS and don't try SSL by default. So for some users it
> will seem like jabber.org stopped working without any useful error
> message.

Yes, I think we will need to post some good HOWTO information about this
before we make the change.

>> 2. Are there any clients of importance that don't support either SSL
>> or STARTTLS?

So we have these as potential problems:

Miranda
Coccinella (when I last tested it was hard to get SSL working)
Psi 0.10 (upgrade!)
Kopete, Gossip, iChat (SSL but no STARTTLS)

And maybe others.

We will support SSL on 5223 for a long time, so a lack of STARTTLS
support should not be a problem.

However, we use a cert from the XMPP ICA and many clients do not yet
recognize the StartCom root CA, so I may need to poke more client
developers about that. :)

>> 3. What is your guess as to the percentage of XMPP services that won't
>> be able to connect to jabber.org for s2s when we make this change
>> (even if we accept self-signed certificates)? ;-)
> 
> Requiring encryption for s2s is certainly a good idea and I welcome it.
> I'm not sure how big the fallout would be. I already try to encrypt s2s
> connections if possible and so far:
> 
> thebe ~ # grep "is now valid" /var/log/jabber/current |wc -l
> 563
> thebe ~ # grep "is now valid, SSL" /var/log/jabber/current |wc -l
> 386
> 
> So 68% of my connections are encrypted. But as far as I know all
> google-hosted connections don't support SSL, at least gmail doesn't for
> me.

Yeah, that's a problem. I'll have to ping the folks on the Google Talk
team about that.

>> I think we need to do this eventually because channel encryption is a
>> Good Thing -- it's just a matter of time. But feedback from other
>> service providers is welcome...
> 
> I personally wouldn't mind, but it will come with a cost (especially
> for s2s).

Perhaps at jabber.org we will require c2s encryption before we require
s2s encryption. But I think it's worthwhile to make the effort...

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
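An added example, not part of the thread above and not code from jabber.org or any of the servers mentioned: a small Python check for the c2s side of the policy being discussed. Under RFC 3920 a server that supports TLS advertises `<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>` in its `<stream:features>`, and a server that *requires* it adds a `<required/>` child, which is exactly what an operator wants to verify after flipping the switch. The sample server responses are constructed, the function names (`classify_starttls`, `classify_raw`, `fetch_stream_features`) are my own, and the network helper is only there for use against a live port 5222; the demo at the bottom runs offline on the constructed samples. A pre-XMPP-1.0 server that sends no `<stream:features>` at all (the legacy case where only SSL on 5223 could help) is reported separately rather than treated as an error.

```python
"""Classify an XMPP server's STARTTLS policy from its <stream:features>."""
import re
import socket
import xml.etree.ElementTree as ET

NS_STREAMS = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"

_FEATURES_RE = re.compile(
    r"<stream:features\s*/>|<stream:features>.*?</stream:features>", re.S
)


def extract_features(raw_stream: str) -> str:
    """Pull the first <stream:features> element out of what the server sent
    and declare the 'stream' prefix on it so ElementTree can parse it on its
    own (the prefix is normally declared on the enclosing <stream:stream>).
    Raises ValueError when the server advertised no features at all."""
    m = _FEATURES_RE.search(raw_stream)
    if not m:
        raise ValueError("no <stream:features> in server output")
    frag = m.group(0)
    if frag.endswith("/>"):
        return f"<stream:features xmlns:stream='{NS_STREAMS}'/>"
    return frag.replace(
        "<stream:features>", f"<stream:features xmlns:stream='{NS_STREAMS}'>", 1
    )


def classify_starttls(features_xml: str) -> str:
    """Return 'required', 'optional' or 'absent' for a self-contained
    <stream:features> element (RFC 3920: <starttls/> with a <required/>
    child means the server will not continue in the clear)."""
    root = ET.fromstring(features_xml)
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    if starttls is None:
        return "absent"
    if starttls.find(f"{{{NS_TLS}}}required") is not None:
        return "required"
    return "optional"


def classify_raw(raw_stream: str) -> str:
    """Classify a raw server response; 'no-features' marks a legacy
    (pre-1.0) stream that cannot negotiate STARTTLS at all."""
    try:
        return classify_starttls(extract_features(raw_stream))
    except ValueError:
        return "no-features"


def fetch_stream_features(host, port=5222, domain=None, timeout=5.0):
    """Open a plain c2s stream and return the raw text up to the end of the
    first <stream:features>. Needs network access; not used by the offline
    demo below. Example: classify_raw(fetch_stream_features("example.net"))."""
    header = (
        "<?xml version='1.0'?>"
        f"<stream:stream to='{domain or host}' xmlns='jabber:client' "
        f"xmlns:stream='{NS_STREAMS}' version='1.0'>"
    )
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(header.encode())
        buf = b""
        while b"</stream:features>" not in buf and b"<stream:features/>" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
        s.sendall(b"</stream:stream>")
    return buf.decode(errors="replace")


# Constructed sample responses (hypothetical servers, not captured traffic).
_OPEN = (
    "<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
    f"xmlns:stream='{NS_STREAMS}' id='c1' version='1.0'>"
)
SAMPLE_REQUIRED = _OPEN + (
    "<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>"
    "<required/></starttls></stream:features>"
)
SAMPLE_OPTIONAL = _OPEN + (
    "<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms></stream:features>"
)
SAMPLE_ABSENT = _OPEN + (
    "<stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>DIGEST-MD5</mechanism></mechanisms></stream:features>"
)
# A legacy server: no version attribute, no features element ever sent.
SAMPLE_LEGACY = (
    "<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
    f"xmlns:stream='{NS_STREAMS}' id='c2'>"
)

if __name__ == "__main__":
    for name, raw in [("required", SAMPLE_REQUIRED), ("optional", SAMPLE_OPTIONAL),
                      ("absent", SAMPLE_ABSENT), ("legacy", SAMPLE_LEGACY)]:
        print(f"{name:9s} -> {classify_raw(raw)}")
```

Only "required" means a client that ignores the `<starttls/>` offer is refused; "optional" is the state most servers were in at the time, where a client such as Psi 0.10 simply authenticates in the clear and nobody notices.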
