[ejabberd] tls and jabber.org and google

Regna ki at bakka.su
Mon Jun 6 17:16:20 MSK 2016


Hello.

This line in your ejabberd.yml file disables any starttls connections to
s2s:
>     s2s_use_starttls: false
And this one is redundant:
>     starttls: true

jabber.org, and most public xmpp servers out here, require starttls
secured connections. Some also want a trusted certificate, not just a
self-signed one, but that is a strangely rare occasion.

If you want to allow only starttls connections to s2s, and you probably
want this on any public xmpp server, use `s2s_use_starttls: required`.

If you want to allow only starttls connections to c2s, use
`starttls_required: true` instead of `starttls: true`. This is not the
best idea for a public xmpp server, since there are old mobile clients
that don't understand any new tls certificate anymore.

As for google talk, there's a tricky detail: it does not require your
domain part of the jid to be in CN/AltNames of the TLS certificate, but
wants the names of your servers there, as in SRV records.
This information is quite old, but I don't think there's any change in
GTalk.

On 06/06/2016 04:53 PM, Randy Bush wrote:
> i have to provide connections to google and jabber.org.
> 
>     ## If TLS is compiled in and you installed a SSL
>     ## certificate, specify the full path to the
>     ## file and uncomment these lines:
>     ##
>     certfile: "/etc/ejabberd/ejabberd.pem"
>     ## starttls: true
>     ##
>     ## To enforce TLS encryption for client connections,
>     ## use this instead of the "starttls" option:
>     ##
>     starttls: true
>     starttls_required: true
> 
> for s2s, i currently have
> 
>     ## s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.
>     ## Allowed values are: false optional required required_trusted
>     ## You must specify a certificate file.
>     ##
>     #s2s_use_starttls: required
>     s2s_use_starttls: false
> 
>     ##
>     ## s2s_certfile: Specify a certificate file.
>     ##
>     s2s_certfile: "/etc/ejabberd/ejabberd.pem"
> 
>     ## Custom OpenSSL options
>     ##
>     s2s_protocol_options:
>        - "no_sslv3"
>     ##   - "no_tlsv1"
> 
> this allows google but users report no buddies at jabber.org
> 
> anyone understand this better than i?  thanks.
> 
> randy
> 
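As an added illustration, not part of either message above: the c2s and s2s settings from the quoted config, with the weak values commented out beside the ones Regna recommends. The `listen:` / `port:` / `module:` framing is assumed from ejabberd's usual config layout, not taken from the thread; the option names are the ones discussed above.

```yaml
# Added example, not from the thread. Listener framing (listen/port/module)
# is assumed from ejabberd's config layout; option names are from the thread.
listen:
  -
    port: 5222
    module: ejabberd_c2s
    certfile: "/etc/ejabberd/ejabberd.pem"
    # Redundant as quoted: "starttls: true" next to "starttls_required: true".
    # starttls_required already implies STARTTLS is offered.
    # starttls: true
    # starttls_required: true
    #
    # Public server: offer STARTTLS but do not force it, so old mobile
    # clients that cannot handle newer TLS certificates can still connect.
    starttls: true
    # Private server: force every c2s session to negotiate TLS instead.
    # starttls_required: true

# Weak: disables STARTTLS for all server-to-server traffic, so peers such as
# jabber.org that require it refuse the link (the "no buddies" symptom).
# s2s_use_starttls: false

# Corrected: every s2s link must negotiate STARTTLS (+ Dialback).
# required_trusted would additionally demand a CA-signed peer certificate,
# which the thread notes is rarely enforced by public servers.
s2s_use_starttls: required
s2s_certfile: "/etc/ejabberd/ejabberd.pem"

s2s_protocol_options:
  - "no_sslv3"
  # - "no_tlsv1"
```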

