On 2008-02-25 00:16, Peter Saint-Andre wrote:
> Tomasz Sterna wrote:
>> Why do you require services to be listed on the public IM services list
>> to run an SSL-only port for client connections?
>
> Because we want to do this:
>
>    openssl s_client -connect example.com:5223 -CAfile ca.crt
>
> AFAIK there is no good way to do something similar for STARTTLS
> connections. If you know of a way, please do let us know.
>
>> I thought we wanted to encourage use of STARTTLS, not the legacy SSL
>> wrapper.
>
> We do.

That reminds me: I've been wondering why Jabber folks have been encouraging STARTTLS? In general, STARTTLS has the flaw of allowing misconfigured clients (of any protocol) to transmit credentials in the clear; people who want to ensure clients are not exposing credentials are safer with an SSL wrapper. Meanwhile, as Peter points out, STARTTLS makes it harder to test services.

What advantage does STARTTLS provide to offset these annoyances?

--
Jefferson Ogata <[EMAIL PROTECTED]>
NOAA Computer Incident Response Team (N-CIRT) <[EMAIL PROTECTED]>
"Never try to retrieve anything from a bear."--National Park Service
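The concern raised above (a misconfigured client authenticating before TLS is up) is closed on the server side if the server advertises STARTTLS as required and withholds SASL mechanisms until the TLS handshake completes. The following is an added example, not code from anyone in this thread: it parses an XMPP `<stream:features/>` stanza and reports whether the server actually enforces that ordering. The stanzas are constructed; the namespaces are the standard XMPP TLS, SASL and stream namespaces. (Later OpenSSL releases also added `openssl s_client -starttls xmpp`, which gives the same one-shot certificate check for the 5222 port that the quoted command gives for 5223.)

```python
"""Assess whether an XMPP server's stream features force STARTTLS before
authentication.

Added example, not part of the original thread. The sample stanzas below
are constructed to illustrate the three cases a reviewer cares about.
"""
import xml.etree.ElementTree as ET

# Standard XMPP namespaces (RFC 3920 / RFC 6120).
NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"


def assess_features(features_xml: str) -> dict:
    """Return what the server offers on the plaintext stream and a verdict.

    verdict values:
      "tls-enforced"  - STARTTLS marked <required/> and no SASL offered pre-TLS
      "tls-optional"  - STARTTLS offered but a client may skip it and auth in clear
      "inconsistent"  - STARTTLS marked required yet SASL is offered pre-TLS
      "no-tls"        - no STARTTLS offered at all
    """
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{NS_STREAM}}}features":
        raise ValueError("not a stream:features element")

    starttls = root.find(f"{{{NS_TLS}}}starttls")
    mechanisms = root.find(f"{{{NS_SASL}}}mechanisms")

    offered = starttls is not None
    required = offered and starttls.find(f"{{{NS_TLS}}}required") is not None
    # Any SASL mechanism advertised on the plaintext stream is a window in
    # which a client that ignores STARTTLS can send credentials in the clear.
    sasl_pre_tls = sorted(
        m.text.strip() for m in (mechanisms or []) if m.text
    ) if mechanisms is not None else []

    if not offered:
        verdict = "no-tls"
    elif required and not sasl_pre_tls:
        verdict = "tls-enforced"
    elif required:
        verdict = "inconsistent"
    else:
        verdict = "tls-optional"

    return {
        "starttls_offered": offered,
        "starttls_required": required,
        "sasl_mechanisms_pre_tls": sasl_pre_tls,
        "verdict": verdict,
    }


# Constructed sample stanzas.
FEATURES_ENFORCED = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>'
    '</stream:features>'
)
FEATURES_OPTIONAL = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
    '<mechanism>PLAIN</mechanism><mechanism>DIGEST-MD5</mechanism>'
    '</mechanisms></stream:features>'
)
FEATURES_NO_TLS = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">'
    '<mechanism>PLAIN</mechanism></mechanisms></stream:features>'
)

if __name__ == "__main__":
    for name, xml in [("enforced", FEATURES_ENFORCED),
                      ("optional", FEATURES_OPTIONAL),
                      ("no-tls", FEATURES_NO_TLS)]:
        print(name, assess_features(xml))
```

The useful signal is the combination: a server that advertises `<required/>` but still lists SASL mechanisms on the plaintext stream has not actually removed the window Jefferson describes, which is why the function reports that case separately rather than trusting the `required` flag alone.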
