[jdev] TLS and SASL procedure

Chen, Hao chenhao927 at gmail.com
Thu Aug 18 07:39:39 CDT 2005


For Gaim, it sends registration-related information (password etc.)
after a successful TLS negotiation, so the stream is protected, not in
cleartext, I think.

In my previous post, I wanted to ask whether I should have my code do
some checking after TLS negotiation and before SASL negotiation. Currently
my code starts SASL immediately after a successful TLS negotiation, and
this is what I understand from the XMPP spec.

On 18/08/05, Matthias Wimmer <m at tthias.net> wrote:
> Hi Chen, Hao,
> 
> Note that the XMPP spec does not know about jabber:iq:register. You can
> read in the RFC that after TLS negotiation you have to log in using SASL.
> But is that really what you want to enforce on the client? Doing that would
> mean you require the client to register for the new account using an
> unprotected stream, which is very bad, as for the registration the
> password is transmitted in the clear.
> 
> 
> Tot kijk
>       Matthias
> 
> Chen, Hao wrote:
> 
> >I am implementing TLS and SASL for JiveMessenger. The Gaim Jabber client
> >works very well with my new code (for registered accounts). But
> >when I use Gaim to register a new account, I find that Gaim sends
> >registration information after a successful TLS negotiation, whereas
> >my code is expecting SASL negotiation after TLS negotiation.
> >
> >According to the XMPP spec: section 5.1, rule 12, "If the TLS
> >negotiation is successful, the initiating entity MUST continue with
> >SASL negotiation."
> >
> >So, can I say this problem is not from my code but from Gaim's Jabber implementation?
> >
> >Regards
> >
> >
> 


-- 
Chen, Hao
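
The check discussed in this thread (what a server does with the first element a client sends after TLS and before SASL), as an added example that is not part of the original messages and is not JiveMessenger or Gaim code. It assumes a policy the thread only hints at: jabber:iq:register is accepted before authentication only on a TLS-protected stream. The function name and action labels are hypothetical, and the stanzas are constructed samples.

```python
import xml.etree.ElementTree as ET

NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_CLIENT = "jabber:client"
NS_REGISTER = "jabber:iq:register"

# Hypothetical action labels for this sketch (not names from any XMPP server).
ALLOW_SASL = "allow-sasl"
ALLOW_REGISTER = "allow-register"
REJECT_CLEARTEXT = "reject-register-needs-tls"
REJECT_UNAUTH = "reject-not-authenticated"

# Constructed sample elements, with namespaces written out in full.
SASL_AUTH = "<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='DIGEST-MD5'/>"
REGISTER_SET = (
    "<iq xmlns='jabber:client' type='set' id='reg1'>"
    "<query xmlns='jabber:iq:register'>"
    "<username>newuser</username><password>constructed-pw</password>"
    "</query></iq>"
)
MESSAGE = "<message xmlns='jabber:client' to='someone@example.org'><body>hi</body></message>"


def pre_auth_action(element_xml: str, tls_active: bool) -> str:
    """Decide what to do with a first-level element from an unauthenticated client."""
    # A real server would take this element from its streaming parser and
    # refuse DTDs; parsing a string here keeps the sketch self-contained.
    try:
        elem = ET.fromstring(element_xml)
    except ET.ParseError:
        return REJECT_UNAUTH

    # SASL negotiation is always an acceptable next step.
    if elem.tag == f"{{{NS_SASL}}}auth":
        return ALLOW_SASL

    # In-band registration: exactly one jabber:iq:register query child.
    if elem.tag == f"{{{NS_CLIENT}}}iq" and elem.get("type") in ("get", "set"):
        children = list(elem)
        if len(children) == 1 and children[0].tag == f"{{{NS_REGISTER}}}query":
            # The password travels in this stanza, so require TLS (assumed policy).
            return ALLOW_REGISTER if tls_active else REJECT_CLEARTEXT

    # Anything else before authentication is refused.
    return REJECT_UNAUTH


if __name__ == "__main__":
    for name, xml in (("auth", SASL_AUTH), ("register", REGISTER_SET), ("message", MESSAGE)):
        for tls in (True, False):
            print(f"{name:9} tls={tls!s:5} -> {pre_auth_action(xml, tls)}")
```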


