On Tue, Jan 24, 2017 at 7:38 AM, Travis Burtrum <tra...@burtrum.org> wrote:
> But you basically said it yourself, "Direct" TLS and STARTTLS are
> equivalent security-wise ONLY IF you attempt STARTTLS regardless of
> offer and give up with a security exception otherwise. That behavior is
> enforced with direct TLS, therefore they are not equivalent.

Only if you specify a default port to attempt connections on (as was discussed earlier). I agree with Zash, they're equivalent; 6120 says that even if STARTTLS isn't advertised you should attempt it, and this is the same thing. Falling back to plain is a bad idea, but it's a matter of client policy.

—Sam
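
The client policy debated in this thread, as an added example (not code from the list or from any XMPP client): a strict client sends `<starttls/>` whether or not it was offered and aborts on refusal, while a client that allows plaintext fallback downgrades silently when the offer is missing. The function names, the `allow_plain_fallback` switch and the sample stanzas are constructed for illustration; only the namespaces are the real RFC 6120 ones.

```python
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"  # STARTTLS namespace from RFC 6120

# Constructed sample stanzas (not captured traffic).
FEATURES_OFFERED = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>"
    "</stream:features>"
)
# Same stream, but the <starttls/> offer never reached the client.
FEATURES_WITHOUT_OFFER = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms></stream:features>"
)
PROCEED = "<proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
FAILURE = "<failure xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"


class SecurityError(Exception):
    """Raised instead of continuing on an unencrypted stream."""


def starttls_advertised(features_xml):
    """True if <stream:features/> contains a <starttls/> child."""
    root = ET.fromstring(features_xml)
    return root.find(f"{{{TLS_NS}}}starttls") is not None


def negotiate(features_xml, reply_to_starttls, allow_plain_fallback=False):
    """Return "tls" or "plain", or raise SecurityError.

    features_xml: the features element as the client received it.
    reply_to_starttls: what the peer answers if the client sends <starttls/>.
    allow_plain_fallback: hypothetical client policy switch.
    """
    if not starttls_advertised(features_xml) and allow_plain_fallback:
        return "plain"  # lax policy: a missing offer downgrades silently
    # Strict policy (or offer present): send <starttls/> and require <proceed/>.
    reply = ET.fromstring(reply_to_starttls)
    if reply.tag == f"{{{TLS_NS}}}proceed":
        return "tls"  # TLS handshake and certificate validation would follow
    raise SecurityError("STARTTLS refused; not continuing in plaintext")
```

With the strict default, the only outcomes are an encrypted stream or an error, which is the property direct TLS gives by construction.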