[Operators] requiring channel encryption

Maissel, Joe joe.maissel at credit-suisse.com
Wed Apr 30 07:41:54 CDT 2008


For better or worse, we have a requirement to run both TLS required and
non-TLS S2S services.  To connect to gmail.com we need non-TLS.  My
firewall level.  I also want to have open XMPP federation (from a
firewall point of view) so for that I have must run TLS ONLY.  I don't
have the flexibility to run it as you outline below (would be much
easier if I did!).  This is why we require separate SRV records for TLS
and non-TLS S2S services.  We are using the SRV record _xmpp-server._tls
for this (as opposed to _xmpp-server._tcp), but I don't think ._tls is
standard.

-----Original Message-----
From: operators-bounces at xmpp.org [mailto:operators-bounces at xmpp.org] On
Behalf Of Dave Cridland
Sent: Wednesday, April 30, 2008 8:23 AM
To: XMPP Operators Group
Subject: Re: [Operators] requiring channel encryption

On Wed Apr 30 12:45:54 2008, Maissel, Joe wrote:
> Is there an SRV record to distinguish tls from non-tls s2s services?

No, but there needn't be - the TLS switch is advertised and performed
inline. So a server would connect as normal, and see that TLS were
advertised (which it is now) and also see that it was mandatory, and
switch to it.

Dave.
-- 
Dave Cridland - mailto:dave at cridland.net - xmpp:dwd at jabber.org
  - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
  - http://dave.cridland.net/
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
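The exchange above turns on how the TLS switch is advertised inline: after the stream header, the receiving server lists a `<starttls/>` feature in `<stream:features/>`, optionally with a `<required/>` child, and the connecting server decides from that whether to negotiate TLS, continue in the clear, or give up. The following is an added illustration of that decision, written for this archive page and not code from any XMPP server; the three feature stanzas are constructed samples, not captured traffic, and the policy names `required` / `optional` are assumptions standing in for a TLS-only listener (Joe's federated service) and a listener that tolerates plaintext (needed for peers that offer no TLS).

```python
"""Inspect a peer's <stream:features/> and decide how an outbound XMPP
server-to-server connection should proceed.

Added example for the mailing-list thread; not code from any XMPP server.
The stanzas below are constructed samples, not captured traffic.
"""
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_DIALBACK = "urn:xmpp:features:dialback"

# Constructed sample: peer advertises STARTTLS and marks it mandatory.
FEATURES_TLS_REQUIRED = (
    '<stream:features xmlns:stream="%s">'
    '<starttls xmlns="%s"><required/></starttls>'
    '</stream:features>' % (NS_STREAM, NS_TLS)
)

# Constructed sample: peer advertises STARTTLS but would also accept plaintext.
FEATURES_TLS_OPTIONAL = (
    '<stream:features xmlns:stream="%s">'
    '<starttls xmlns="%s"/>'
    '<dialback xmlns="%s"/>'
    '</stream:features>' % (NS_STREAM, NS_TLS, NS_DIALBACK)
)

# Constructed sample: peer offers no TLS at all.
FEATURES_NO_TLS = (
    '<stream:features xmlns:stream="%s">'
    '<dialback xmlns="%s"/>'
    '</stream:features>' % (NS_STREAM, NS_DIALBACK)
)


def inspect_starttls(features_xml):
    """Return (advertised, required) for the peer's STARTTLS feature.

    Both elements live in the xmpp-tls namespace, so they are looked up
    with fully qualified tag names rather than by prefix.
    """
    root = ET.fromstring(features_xml)
    starttls = root.find("{%s}starttls" % NS_TLS)
    if starttls is None:
        return (False, False)
    required = starttls.find("{%s}required" % NS_TLS) is not None
    return (True, required)


def choose_action(local_policy, features_xml):
    """Decide what the connecting server does next.

    local_policy (assumed name): 'required' for a TLS-only service,
    'optional' for a service that may fall back to plaintext.
    Returns 'starttls', 'plain' or 'abort'.
    """
    advertised, _required = inspect_starttls(features_xml)
    if advertised:
        # Prefer TLS whenever the peer offers it; whether the peer marked
        # it <required/> makes no difference to a client that wants TLS.
        return "starttls"
    if local_policy == "required":
        # No TLS on offer and plaintext is not allowed: close the stream.
        return "abort"
    return "plain"


if __name__ == "__main__":
    for policy in ("required", "optional"):
        for name, stanza in (("tls-required", FEATURES_TLS_REQUIRED),
                             ("tls-optional", FEATURES_TLS_OPTIONAL),
                             ("no-tls", FEATURES_NO_TLS)):
            print(policy, name, "->", choose_action(policy, stanza))
```

The point of the decision table is the one Dave makes: the SRV record alone cannot tell the two kinds of peer apart, but the features stanza does, and a TLS-only listener can still refuse a peer that advertises nothing. Joe's situation is the reverse case, where the listener itself must be reachable on a separate, firewall-restricted name for peers that never advertise STARTTLS, which is why this inline check does not remove his need for two endpoints.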

