[Standards] LAST CALL: XEP-0368 (SRV records for XMPP over TLS)

Travis Burtrum travis at burtrum.org
Wed Feb 15 03:24:59 UTC 2017


On 02/14/2017 02:00 PM, Ruslan N. Marchenko wrote:
> It has nothing to do with port reuse, rather service binding. When I'm
> thinking how many ports I need to open on firewall to allow simple mail
> exchange - it just makes me feel sad an sorry for all the people who
> developed those standards.

Really?  How many ports do you have to open?  I have port 25 for SMTP
delivery because that's a must, but then I simply have sslh listen on
port 443 and it sends http traffic to nginx based on sni or alpn and by
default, xmpp traffic to prosody based on alpn, imap traffic to dovecot
based on sni, smtp submission to postfix based on sni, vpn to ocserv
based on sni, irc to znc based on sni, and probably a few I don't
remember that right now.

So that's 2 ports, 99% of them TLS over 443 multiplexed with ALPN or SNI.

> Also one security drawback here - now to DoS by encryption abuse vector
> you need to negotiate stream before doing starttls - meaning you need to
> have handcrafted tool just for this protocol. With TLS on socket you can
> use anything which is able to open secure socket (probably related to
> the quote above?).

I'm pretty sure nginx and haproxy handle TLS and any type of TLS DoS far
better than any current XMPP server, sorry, that's just a much larger
segment of the web.

Don't get me wrong, I'd love it if all ports were open all the time and
such, but that's not the world we live in, and I can do nothing to
change 99% of it.  The fact is TLS over 443 is most likely to get
through, and I don't see any downsides to sending XMPP over it.  In fact
you already can now with BOSH or Websockets, but this is more
lightweight for non-web clients.


More information about the Standards mailing list