
S2S: TLS and SASL vs. Dialback

Hi there,

would it be possible to make the s2s security settings configurable so as to allow Dialback over TLS? Many servers do not support TLS and SASL. In those cases Openfire falls back to only Dialback without any connection encryption.

Kind regards,

Philipp Kern

Hey Philipp,

Unfortunately, the only options for s2s are 1) TLS + SASL EXTERNAL and 2) Server dialback over a plain connection. If the problem with TLS is that certificates are not being accepted by your server you can relax the verification logic. Let me know if that is what you need.


Hey Gato,

no, that's not what I need. Actually I read the source and saw that. Most servers I want to have a TLS connection with do not support SASL (EXTERNAL) (think gmail.com, but also many others).

Some of my peers also just close the connection when they do not encounter the dialback stanza in stream:stream, as Openfire doesn't send it when it attempts a TLS connection and then retries with dialback over a plain connection, which then succeeds.

ejabberd does support TLS with server dialback, so it can't be that far away from the RFC, which specifies SHOULD behaviour for the use of SASL with TLS.

Couldn't you file a ticket about this issue for it to be fixed in a later version? Theoretically only TLS handling needs to be added to ServerDialback, I guess. (OTOH the server is, if I remember it correctly, forced to forget everything about the connection as soon as TLS starts, so I don't know if dialback would actually be needed twice in one connection.)

Kind regards,

Philipp Kern
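The exchange Philipp is asking for, dialback run once over a STARTTLS-protected s2s stream with the xmlns:db declaration present from the first stream header, modelled in Python as an added example. This is not Openfire, ejabberd or any other server's code: the domains, stream ids and the shared secret are constructed sample values, TLS is represented by a flag on the stream state rather than a real handshake, and the key derivation follows XEP-0185 as I read its worked example (HMAC-SHA256 keyed with the hex-encoded SHA-256 of the secret). The stream restart after `<proceed/>` is the "forget everything about the connection" step mentioned above; dialback then happens only on the encrypted stream.

```python
"""Dialback over a STARTTLS-protected s2s stream, walked through in Python.

Added illustration, not Openfire or ejabberd code. Everything here is constructed:
the domains, stream ids and secret are sample values, and TLS is represented by a
flag on the stream state rather than a real handshake. The key derivation follows
XEP-0185 (HMAC-SHA256 keyed with the hex SHA-256 of the shared secret).
"""
import hashlib
import hmac

DB_NS = "jabber:server:dialback"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"


def stream_header(from_domain, to_domain, advertise_dialback=True):
    """Build the <stream:stream> an originating server opens with.

    Declaring xmlns:db up front is what the strict peers in the thread expect;
    without it they close the connection before STARTTLS is even offered.
    """
    attrs = [
        'xmlns="jabber:server"',
        'xmlns:stream="http://etherx.jabber.org/streams"',
        f'from="{from_domain}"',
        f'to="{to_domain}"',
        'version="1.0"',
    ]
    if advertise_dialback:
        attrs.insert(2, f'xmlns:db="{DB_NS}"')
    return "<stream:stream " + " ".join(attrs) + ">"


def dialback_key(secret, receiving, originating, stream_id):
    """XEP-0185: HMAC-SHA256(SHA256(secret), "receiving originating stream_id")."""
    mac_key = hashlib.sha256(secret.encode()).hexdigest().encode()
    msg = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(mac_key, msg, hashlib.sha256).hexdigest()


def verify_dialback_key(secret, receiving, originating, stream_id, presented):
    """Authoritative-server side: recompute the key and compare in constant time."""
    expected = dialback_key(secret, receiving, originating, stream_id)
    return hmac.compare_digest(expected, presented)


class StreamState:
    """Per-connection state; recreated from scratch once TLS starts (RFC 6120 5.4.3.3)."""

    def __init__(self, encrypted=False):
        self.encrypted = encrypted
        self.stream_id = None
        self.authorized = False


def dialback_over_tls(originating, receiving, originating_secret, authoritative_secret):
    """Run the exchange: stream open -> STARTTLS -> stream restart -> db:result
    over TLS -> db:verify with the authoritative server -> db:result type=valid.

    Returns (transcript, final_state). The originating server keys its db:result
    with originating_secret; the authoritative server checks it against
    authoritative_secret, so a spoofed originator (different secret) is rejected.
    """
    log = []
    state = StreamState()

    # 1. Originating server opens the plain stream, advertising dialback.
    log.append(("O->R", stream_header(originating, receiving)))
    state.stream_id = "D60000229F"  # constructed: id chosen by the receiving server
    log.append(("R->O", f'<stream:stream ... id="{state.stream_id}">'
                        f'<stream:features><starttls xmlns="{TLS_NS}"/></stream:features>'))

    # 2. STARTTLS. After <proceed/> both sides discard stream state and restart.
    log.append(("O->R", f'<starttls xmlns="{TLS_NS}"/>'))
    log.append(("R->O", f'<proceed xmlns="{TLS_NS}"/>'))
    state = StreamState(encrypted=True)
    log.append(("O->R", stream_header(originating, receiving)))  # restart, now over TLS
    state.stream_id = "E7A51F0C2B"  # constructed: fresh id for the restarted stream
    log.append(("R->O", '<stream:features><dialback xmlns="urn:xmpp:features:dialback"/>'
                        '</stream:features>'))

    # 3. Dialback runs once, on the encrypted stream, with no SASL EXTERNAL involved.
    key = dialback_key(originating_secret, receiving, originating, state.stream_id)
    log.append(("O->R", f'<db:result from="{originating}" to="{receiving}">{key}</db:result>'))

    # 4. Receiving server asks the authoritative server for `originating` to vouch.
    log.append(("R->A", f'<db:verify from="{receiving}" to="{originating}" '
                        f'id="{state.stream_id}">{key}</db:verify>'))
    valid = verify_dialback_key(authoritative_secret, receiving, originating,
                                state.stream_id, key)
    verdict = "valid" if valid else "invalid"
    log.append(("A->R", f'<db:verify from="{originating}" to="{receiving}" '
                        f'id="{state.stream_id}" type="{verdict}"/>'))
    log.append(("R->O", f'<db:result from="{receiving}" to="{originating}" type="{verdict}"/>'))
    state.authorized = valid
    return log, state


if __name__ == "__main__":
    transcript, final = dialback_over_tls("example.org", "xmpp.example.com",
                                          "s3cr3tf0rd14lb4ck", "s3cr3tf0rd14lb4ck")
    for direction, stanza in transcript:
        print(f"{direction}: {stanza}")
    print("encrypted:", final.encrypted, "authorized:", final.authorized)
```

Running it prints the eight-message transcript; the interesting properties are that the very first header already carries xmlns:db, that the stream id used for the key is the one issued after the TLS restart, and that a mismatched secret on the authoritative server yields `type="invalid"` without ever touching SASL.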

As I have this problem as well, let me add a question: Did anybody ever get an encrypted connection to jabberd14 or jabberd2 working? I can't get an encrypted connection working; a log I got from a jabberd14 admin says: "(unencrypted, no certificate, auth=db, stream=preXMPP)".

So far I have encountered only 1 server that opens an encrypted connection (don't know what server though, the identification has been changed).

This is a real problem for interoperability.