On 2013-12-29 22:04, Anthony Papillion wrote:
I'm definitely open to supporting XEP-0198. I'm not sure there's a
plugin for the server I'm using (OpenFire) that supports it though. I'll
look around.

I thought OpenFire had problems with chained certificates[1], such as the ones I'm using with an intermediate CAcert class3 cert.

This causes my server's TLS connections to an OpenFire server to be regarded as insecure and (since there's no bidirectional server link support in OpenFire) the replying server connection is made in cleartext.

My XMPP server's using Prosody[2]. That's so far the best XMPP server software I've found, especially if the goal - as with your setup - is to be secure. (best feature imho is server-specific verify-by-certificate-hash support in the latest versions, for servers with trusted admins but untrusted CAs or self-signed certs)

Prosody also defaults to sane, recommended encryption settings, have insecure SSL versions, prefer TLSv1.2 etc. (except that there are problems with GNU/Linux distributions like Ubuntu where Canonical etc. disable TLSv1.2 in their system libs).


As long as the chained certificates bug is still present, I would recommend scouting around for other server-side solutions than OpenFire. And it's dead-simple to configure Prosody, you essentially just need your certificates, vhost name and possible conference server setup. Not sure about any migration solutions with OpenFire->foo, though, but there's a migration script for ejabberd->Prosody at least. So look around :)


[1] http://issues.igniterealtime.org/browse/OF-405
[2] https://prosody.im/

--
Mikael Nordfeldth
http://blog.mmn-o.se/
XMPP/mail: m...@hethane.se
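An added example, not from the mail or the Prosody project, of the minimal Prosody setup described above (certificates, a vhost and a conference component) together with the encryption-enforcement settings that avoid the cleartext s2s fallback mentioned for OpenFire; hostnames, file paths, the cipher string and the commented-out smacks module are assumptions, and the per-server certificate-hash verification the mail mentions is not shown.

```lua
-- Hypothetical prosody.cfg.lua (example only; adjust hostnames and paths).

modules_enabled = {
    "roster"; "saslauth"; "tls"; "dialback"; "disco";
    "private"; "vcard"; "ping"; "posix";
    -- "smacks";  -- XEP-0198 stream management; assumed to come from
                  -- the community prosody-modules repository, not core
}

-- Refuse unencrypted client and server-to-server streams outright.
c2s_require_encryption = true
s2s_require_encryption = true

-- Require remote servers' certificates to validate against the CA bundle;
-- an unverifiable peer is rejected rather than silently downgraded.
s2s_secure_auth = true

-- Explicit exceptions for servers whose certs cannot be CA-validated
-- (the trusted-admin / self-signed case); they are still encrypted,
-- just not authenticated by a CA.
s2s_insecure_domains = { "legacy.example.org" }

ssl = {
    key = "/etc/prosody/certs/xmpp.example.net.key";
    -- PEM file with the server certificate FOLLOWED by the intermediate
    -- CA certificate(s), so peers receive the complete chain.
    certificate = "/etc/prosody/certs/xmpp.example.net.chain.crt";
    -- CA bundle used to verify remote servers' certificates.
    cafile = "/etc/ssl/certs/ca-certificates.crt";
    -- LuaSec options: disable the insecure SSLv2/SSLv3 protocol versions.
    options = { "no_sslv2", "no_sslv3" };
    -- Assumed cipher preference string; excludes anonymous and weak suites.
    ciphers = "HIGH:!aNULL:!MD5:!RC4";
}

VirtualHost "xmpp.example.net"

-- Multi-user chat (conference) component on its own subdomain.
Component "conference.xmpp.example.net" "muc"
```

After loading this config, a `prosodyctl check` run (available in recent versions) reports whether the certificate file actually contains the full chain and whether the required-encryption settings are in effect.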