[ejabberd] Compliance Tester and XEP-0368

Evgeny Khramtsov xramtsov at gmail.com
Mon Nov 6 15:18:52 MSK 2017


Mon, 6 Nov 2017 12:54:22 +0100
Nk <nk at os.vu> wrote:

> I now have SSLH forwarding c2s connections to 5222 with the
> xmpp-client probe, and HTTP Uploads connections forwarded to 5444
> with the TLS probe and SNI indication for xu.domain.org, but as I
> understand it this is a hack, since port 5223 / XEP 0368 should
> support all traffic on a single port, correct?

Not sure what xmpp-client probe or TLS probe means (is it
SSLH-specific?). From what I know, ALPN should be configured in SSLH to
dispatch connections correctly.

> Ok I see, is this on the development timeline? Do we know what is
> missing specifically?

Yes, there is a GitHub issue for this.

> Ok thanks I see. This doesn’t really make a difference though since
> connections on port 5269 already require encryption in my
> configuration, right?

Kind of. The only difference is that some server administrators may
prefer to configure xmpps only (for example, for load balancing
purposes).

> I’m still not able to forward TLS service on port 443 with ALPN
> indication over to port 5223 successfully, I don’t think
> Conversations is sending the ALPN indication, so probably I can’t
> really test this at all. I hope my HTTP Uploads “hack” is formally
> correct.
> 
> I still don’t really understand how port 5223 / ALPN and XEP 0368 are
> handled by Conversations or clients in general, so the fact is that I
> don’t really understand where the problem is, let alone how to solve
> it correctly.

I really cannot help you with clients because I have no idea how they
manage ALPN (whether it is Conversations or not). But you can always
use sniffers: ALPN and SNI are part of the TLS Client Hello and are not
encrypted.

