[Jabber-IETF] STARTTLS support for XMPP streams

Robert Norris rob at cataclysm.cx
Thu Oct 10 20:30:14 CDT 2002


This is a quick overview of JEP-0035, which defines a STARTTLS extension
for streams.

It starts like the old SASL thing - the client requests the use of
STARTTLS by specifying a namespace on the stream header:

C: <stream:stream xmlns='jabber:client' xmlns:stream='http://...' xmlns:tls='http://...' to='jabber.org'>

A server supporting this replies with:

S: <stream:stream xmlns='jabber:client' xmlns:stream='http://...' xmlns:tls='http://...' from='jabber.org' id='12345678'>

When it's ready, the client sends the STARTTLS command:

C:   <tls:starttls/>

The server responds by closing the stream:

S: </stream:stream>

The client then begins the TLS negotiation. Once that's done, it sends a
new stream start, and the whole thing starts again. Of course, the
server must not allow the client to do STARTTLS if the session is
already encrypted.

Certificate authentication would be possible by using the SASL EXTERNAL
mechanism in conjunction with this.

So, to fit this into the new capabilities structure we've put together,
the dialogue might look something like this:

C: <stream:stream xmlns='jabber:client' xmlns:stream='http://...' to='jabber.org' version='1.0'>
S: <stream:stream xmlns='jabber:client' xmlns:stream='http://...' from='jabber.org' version='1.0' id='123456768'>
     <stream:capabilities>
       <mechanisms xmlns='http://sasl'>
         <mechanism>DIGEST-MD5</mechanism>
       </mechanisms>
       <starttls xmlns='http://starttls'/>
     </stream:capabilities>

C:   <starttls xmlns='http://starttls'/>
S: </stream:stream>

C: <stream:stream xmlns='jabber:client' xmlns:stream='http://...' to='jabber.org' version='1.0'>
S: <stream:stream xmlns='jabber:client' xmlns:stream='http://...' from='jabber.org' version='1.0' id='123456768'>
     <stream:capabilities>
       <mechanisms xmlns='http://sasl'>
         <mechanism>DIGEST-MD5</mechanism>
         <mechanism>PLAIN</mechanism>
         <mechanism>EXTERNAL</mechanism>
       </mechanisms>
     </stream:capabilities>

From here the client would presumably do a SASL auth, or whatever.

Does this seem correct?

-- 
Robert Norris                                       GPG: 1024D/FC18E6C2
Email+Jabber: rob at cataclysm.cx                Web: http://cataclysm.cx/
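The server side of the STARTTLS dialogue sketched above, as an added example that is not code from the post or from any Jabber implementation. It keeps the post's placeholder namespaces ('http://sasl', 'http://starttls'); the streams namespace, which the post elides, is assumed to be the real one, and closing with a stream error on a repeated STARTTLS is this example's own choice.

```python
import xml.etree.ElementTree as ET

# Namespaces from the post's sketch; NS_STREAM is assumed (the post elides it).
NS_STREAM = "http://etherx.jabber.org/streams"
NS_SASL = "http://sasl"
NS_STARTTLS = "http://starttls"


class XmppServerStream:
    """Server side of the post's STARTTLS dialogue, tracking TLS state
    so STARTTLS is offered and accepted only on a plaintext stream."""

    def __init__(self, domain, stream_id):
        self.domain, self.stream_id = domain, stream_id
        self.encrypted = False    # set once the TLS handshake completes
        self.tls_pending = False  # stream closed, waiting for the handshake
        self.open = False

    def mechanisms(self):
        # PLAIN and EXTERNAL (certificate auth) are only offered over TLS.
        return ["DIGEST-MD5", "PLAIN", "EXTERNAL"] if self.encrypted else ["DIGEST-MD5"]

    def on_stream_header(self):
        """Answer the client's <stream:stream> with ours plus capabilities."""
        self.open = True
        mechs = "".join(f"<mechanism>{m}</mechanism>" for m in self.mechanisms())
        starttls = "" if self.encrypted else f"<starttls xmlns='{NS_STARTTLS}'/>"
        return (f"<stream:stream xmlns='jabber:client' xmlns:stream='{NS_STREAM}' "
                f"from='{self.domain}' version='1.0' id='{self.stream_id}'>"
                f"<stream:capabilities><mechanisms xmlns='{NS_SASL}'>{mechs}"
                f"</mechanisms>{starttls}</stream:capabilities>")

    def on_element(self, xml_text):
        """Handle one client element on an open stream; return our reply."""
        if not self.open:
            raise RuntimeError("no open stream")
        el = ET.fromstring(xml_text)
        if el.tag != f"{{{NS_STARTTLS}}}starttls":
            return None  # SASL and other elements are out of scope here
        if self.encrypted:
            # The post's rule: no STARTTLS once the session is already encrypted.
            self.open = False
            return "<stream:error/></stream:stream>"
        self.open, self.tls_pending = False, True
        return "</stream:stream>"  # the client now starts the TLS handshake

    def on_tls_established(self):
        """Called by the transport once the TLS handshake has completed."""
        if not self.tls_pending:
            raise RuntimeError("TLS handshake without a prior STARTTLS")
        self.encrypted, self.tls_pending = True, False
```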