powered by Jive Software

Secure s2s verify question

Hi all,

We now have secure s2s. Yea!!!

I have yet to upgrade my Wildfire to 2.4.2, so maybe my question will be answered by an upgrade (I’'ll do that soon).

Anyhow, I’‘m wondering if an XMPP client user will see any difference between an unencrypted, an unverified encrypted, and a verified encrypted s2s connection? If not, is there much point in verifying certs? Or maybe there’'s now secure s2s connection rules in the Admin Console.



There’‘s no way at the protocol level for a client to tell that an s2s connection is secure. However, you definitely have security options for s2s connections in the server. For example, you can require that all s2s connections be encrypted if you’'d like.



That’'s too bad that one cannot ask for some communications to be secured end-to-end by the client. (Although one can use GPG to accomplish this.)

So, it seems like this was mostly self-explanatory after an upgrade. I would assume setting ‘‘Server Connection Security’’ to ‘‘Required’’ means that all s2s connections must be able to have their cert verified, or they will be dropped. But, with ‘‘Optional’’, what happens if a cert cannot be verified? Does the connection go through encrypted, or unencrypted? Also (not that I’'d ever touch the setting), is there a way to set a minimum cipher strength, or are all ciphers accepted?