[Operators] requiring channel encryption
Maissel, Joe
joe.maissel at credit-suisse.com
Wed Apr 30 07:41:54 CDT 2008
For better or worse, we have a requirement to run both TLS required and
non-TLS S2S services. To connect to gmail.com we need non-TLS. My
organization requires that non-TLS services be locked down by IP at the
firewall level. I also want to have open XMPP federation (from a
firewall point of view) so for that I must run TLS ONLY. I don't
have the flexibility to run it as you outline below (would be much
easier if I did!). This is why we require separate SRV records for TLS
and non-TLS S2S services. We are using the SRV record _xmpp-server._tls
for this (as opposed to _xmpp-server._tcp), but I don't think ._tls is
standard.
-----Original Message-----
From: operators-bounces at xmpp.org [mailto:operators-bounces at xmpp.org] On
Behalf Of Dave Cridland
Sent: Wednesday, April 30, 2008 8:23 AM
To: XMPP Operators Group
Subject: Re: [Operators] requiring channel encryption
On Wed Apr 30 12:45:54 2008, Maissel, Joe wrote:
> Is there an SRV record to distinguish tls from non-tls s2s services?
No, but there needn't be - the TLS switch is advertised and performed
inline. So a server would connect as normal, and see that TLS were
advertised (which it is now) and also see that it was mandatory, and
switch to it.
Dave.
--
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
- acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
- http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
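Dave's point is that the TLS decision is carried inside the XMPP stream itself: the peer's `<stream:features>` advertises `<starttls/>`, optionally with `<required/>`, and the connecting server reacts to that. The following Python is an added illustration written for this archive page; it is not code from either poster or from any XMPP server. It parses constructed `stream:features` stanzas of the shape RFC 3920 describes and applies a local channel-encryption policy matching the two listener types Joe describes (a TLS-only service for open federation, and a cleartext-only service locked down by IP). The policy names `require`, `prefer` and `never` are this example's own.

```python
# Added example (not from the Operators list or any XMPP server): inspect a
# peer's <stream:features> and decide whether to start TLS, continue in
# cleartext, or abort, according to a local channel-encryption policy.
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_STREAM = "http://etherx.jabber.org/streams"

# Constructed sample stanzas, as a receiving server would send them after
# the stream header (RFC 3920 stream features with the STARTTLS feature).
FEATURES_TLS_REQUIRED = (
    f"<stream:features xmlns:stream='{NS_STREAM}'>"
    f"<starttls xmlns='{NS_TLS}'><required/></starttls>"
    "</stream:features>"
)
FEATURES_TLS_OPTIONAL = (
    f"<stream:features xmlns:stream='{NS_STREAM}'>"
    f"<starttls xmlns='{NS_TLS}'/>"
    "</stream:features>"
)
# A peer that does not advertise STARTTLS at all (empty feature list).
FEATURES_NO_TLS = f"<stream:features xmlns:stream='{NS_STREAM}'/>"


def inspect_features(features_xml):
    """Return (offered, required) for the STARTTLS feature.

    'offered' is True when <starttls> is present in the xmpp-tls namespace;
    'required' is True when it additionally carries a <required/> child.
    """
    root = ET.fromstring(features_xml)
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    if starttls is None:          # note: 'is None', an empty element is falsy
        return (False, False)
    required = starttls.find(f"{{{NS_TLS}}}required") is not None
    return (True, required)


def next_step(features_xml, local_policy):
    """Combine the peer's advertisement with our own policy.

    local_policy (names chosen for this example):
      'require' - TLS-only service, e.g. the open-federation listener
      'prefer'  - use TLS when offered, otherwise continue in cleartext
      'never'   - cleartext-only service; abort if the peer insists on TLS
    Returns 'starttls', 'cleartext' or 'abort'.
    """
    offered, required = inspect_features(features_xml)
    if local_policy == "require":
        return "starttls" if offered else "abort"
    if local_policy == "never":
        return "abort" if required else "cleartext"
    if local_policy == "prefer":
        return "starttls" if offered else "cleartext"
    raise ValueError(f"unknown policy {local_policy!r}")


if __name__ == "__main__":
    for name, stanza in [("required", FEATURES_TLS_REQUIRED),
                         ("optional", FEATURES_TLS_OPTIONAL),
                         ("none", FEATURES_NO_TLS)]:
        for policy in ("require", "prefer", "never"):
            print(f"peer={name:8} policy={policy:7} -> {next_step(stanza, policy)}")
```

The useful check for an operator in Joe's position is the `abort` branches: a TLS-only listener must refuse to proceed when a peer advertises no `<starttls/>` (rather than silently falling back to cleartext), and a cleartext-only listener must close the stream when the peer marks STARTTLS as required, since neither side can satisfy the other. Which SRV record or port a server was reached on is a separate question; the inline advertisement is what the decision above keys on.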