How to not require TLS for loopback interfaces?

Jonathan_Lennox · September 7, 2021, 8:52pm

We’re using the Prosody XMPP server with the “secure_interfaces” module, which turns off requiring TLS on host interfaces considered secure (by default, the loopback addresses, 127.0.0.1 and ::1).

Is there an easy way to configure Smack to do the same thing, i.e. to change the security mode to ifrequired if and only if the XMPP hostname resolves to the loopback address?

I could do it manually, but I don’t want my Java code to be doing DNS lookups inline, and it seems like it would be fragile to assume that only the name "localhost" resolves to the loopback address.

This is for the Jitsi project - I’m in the process of upgrading our Smack libraries from a hacked version of Smack 4.2.4 to the official 4.4.3 release, and I ran into the change in default of the security mode.

Flow · September 8, 2021, 8:49am

I could imagine to add a new security mode enum value like requiredIfNotLocal. However, this adds additional security-sensitive responsibility to Smack, so I am a little bit averse to the idea. I first like to understand your use case a little bit better. For example, why can’t you always use localhost and set security mode to disabled?

system · November 9, 2021, 8:50am

This topic was automatically closed 62 days after the last reply. New replies are no longer allowed.