powered by Jive Software

Planning to move to PRD, need clarification in Encryption (port 5223)


#1

Hello Experts,

We have developed custom mobile android application and it is working fine with port 5222, since we planning to move to Production, we have to do encryption.

What all process we need to do to enable encryption ?

Regards


#2

On the admin console; Server -> Server Settings -> Client Connections.

Select “Advanced configuration” and ensure “STARTTLS policy” is set to required.

This will force your client to use TLS - which if you’ve used a standard library it probably does.

Greg


#3

Thank you, so will the encryption get enabled on 5222 port or need to change to port 5223?


#4

No - it stays on 5222 but the stream get’s upgraded to TLS early on in the negotiation process.

Greg


#5

ok, so what is the use of 5223 port?

If encrypted is enabled will the data save in DB as encrypted or as plain text?


#6

The 5223 port is used for legacy app’s that don’t support the inflight TLS upgrade process.

And no, this only affects traffic across the socket. Data in the DB remains in plain text.

Greg


#7

Since we have developed a custom app, do we need to do anything in the application side if we enabled encryption?


#8

You need to make sure your client can use TLS - which if you’ve used a standard library it probably does.


#9

Thank you Greg for the info, I will enable encryption and check whether it works.


#10

Hi Greg,

We tried enabling encryption on port 5222, but it showing error from client, do we need to import any cert. ?


#11

That sounds likely thought without knowing what sort of errors it’s difficult to be sure. Alternatively, your client library may have a setting to allow self-signed certs.

As a third option, install a genuine certificate on your server.

Greg


#12

Such settings are sadly often synonymous for “accept all certs”. I suggest to avoid them.

What you really want to is being able to pin arbitrary certificates. For Smack on Android, this probably means using MemorizingTrustManager, or, alternatively, using the portable java-pinning library which runs on Java SE and Android.


#13

Hi

Can you please suggest on this