Dave Cridland <d...@cridland.net> wrote: >On Wed, Oct 30, 2013 at 12:21 AM, Mathieu Pasquet ><mathi...@mathieui.net>wrote: > >> >> Before signing the manifesto as a software developer, there are >> a few things that are unclear and I’m not sure we can commit to >> this just yet: >> >> Dropping SSLv2 is all good and I’m not even sure why SSLv2 was >> supported initially (doesn’t xmpp appear after SSLv3 was >standardized?), >> but dropping SSLv3, while also a good idea, might cause issues with >lots >> of servers (not naming legacy ejabberd or openfire under old debian >or >> centos). Hopefully, we have some time to wake up some admins before >the >> dates set in the manifesto, but I hope the test days will help >> troubleshooting the ones that don’t get the memo. >> >> >Well, I think you've answered your own question there. The manifesto >sets >out the aims, but I'm hoping that we're not so blinkered that we cannot >adapt the rules as we go along. So if it turns out that - despite the >IM >Observatory's work so far - SSLv3 is essential for interop, and we >cannot >work with the affected sites to correct this, then we might revisit >that.
I do want to note, though, that XMPP's STARTTLS is only defined to work with TLS, not SSL. Said interoperability issues are basically the result of non-compliancy in implementations, and if we are to drop interop with the current Google Talk network (which doesn't even do non-dialup), I don't see why this should be different. -- ralphm _______________________________________________ JDev mailing list Info: http://mail.jabber.org/mailman/listinfo/jdev Unsubscribe: jdev-unsubscr...@jabber.org _______________________________________________
