[jdev] SASL question on RFC 3920
Sebastiaan Deckers
cbas at pandion.be
Thu Jan 6 08:26:19 CST 2005
Jens Mikkelsen wrote:
>On Thu, 2005-01-06 at 14:24, Christoph Schmidt wrote:
>>Jens Mikkelsen wrote:
>>> ...
>>>What I can't find out is, what SASL exactly does.
>>http://www.ietf.org/rfc/rfc2222.txt
>Actually I looked at the RFC, but I just needed a quick overview of what
>it was, hence I asked here. But I guess I'll have to read it.
In one line: TLS does encryption of the TCP connection, SASL does
authentication of the IM user.
The login process of an XMPP client using XMPP-1.0 goes as follows:
1. Client makes a normal TCP connection to the XMPP server. This is not
encrypted or anything; just a socket.
2. Client and server exchange some XML to tell each other that they
support TLS. Still not encrypted.
3. Client and server do a TLS handshake so that they can encrypt data over
that socket from then on.
4. Client and server exchange some more XML to authenticate the IM user
with SASL.
SASL is basically a lot of different ways to authenticate. In SASL, a
way to authenticate is called a mechanism.
For example:
- plaintext: just send the password and username
- digest: send the MD5 of some random data + plaintext password
- sspi: Windows authentication
- ... more exist but are used only in specific cases such as for keycard
based authentication or iris scanners or whatever ;-)
Most clients (and servers) only support the first two mechanisms.
Take a look at the XML traffic console of Pandion or Exodus to see TLS
and SASL being used when you log in.
Then compare it with the data that you see in Ethereal or some other
network sniffer. TLS takes place before SASL.
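As an added illustration of steps 2 to 4 above (example code written for this post, not code from the original message or from Pandion/Exodus), the client-side logic that reads the server's stream features, asks for STARTTLS, and only then picks a SASL mechanism and sends the auth element. The two feature stanzas are constructed samples, no real socket is opened, and the TLS handshake itself is represented by a flag, since the point is the ordering: TLS first, then SASL, and PLAIN only over an encrypted socket.

```python
import base64
import xml.etree.ElementTree as ET

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
STREAM = 'xmlns:stream="http://etherx.jabber.org/streams"'

# Constructed sample: features the server sends on the plaintext stream (step 2).
FEATURES_PRE_TLS = f'<stream:features {STREAM}><starttls xmlns="{NS_TLS}"><required/></starttls></stream:features>'
# Constructed sample: features on the fresh stream opened after the TLS handshake (step 4).
FEATURES_POST_TLS = (f'<stream:features {STREAM}><mechanisms xmlns="{NS_SASL}">'
                     '<mechanism>DIGEST-MD5</mechanism><mechanism>PLAIN</mechanism>'
                     '</mechanisms></stream:features>')

def parse_features(xml_text):
    """Return (starttls_offered, starttls_required, [sasl mechanisms]) from <stream:features/>."""
    root = ET.fromstring(xml_text)
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    offered = starttls is not None
    required = offered and starttls.find(f"{{{NS_TLS}}}required") is not None
    return offered, required, [m.text for m in root.iter(f"{{{NS_SASL}}}mechanism")]

def choose_mechanism(mechanisms, tls_active):
    """Prefer the digest mechanism; accept PLAIN only once the socket is already TLS-protected."""
    if "DIGEST-MD5" in mechanisms:
        return "DIGEST-MD5"
    if "PLAIN" in mechanisms and tls_active:
        return "PLAIN"
    return None

def plain_initial_response(username, password):
    """SASL PLAIN initial response: NUL authcid NUL password, base64-encoded for the <auth/> body."""
    return base64.b64encode(b"\0" + username.encode() + b"\0" + password.encode()).decode()

def negotiate(pre_tls_features, post_tls_features, username, password):
    """Walk steps 2-4: read features, request STARTTLS, read the new features, send <auth/>."""
    sent = []
    offered, _required, _ = parse_features(pre_tls_features)
    if not offered:
        raise RuntimeError("server offers no STARTTLS; refusing to send credentials in the clear")
    sent.append(f'<starttls xmlns="{NS_TLS}"/>')      # step 2: still plaintext on the wire
    tls_active = True                                  # step 3: the TLS handshake would run on the socket here
    _, _, mechs = parse_features(post_tls_features)    # step 4: server re-advertises features over TLS
    mech = choose_mechanism(mechs, tls_active)
    if mech is None:
        raise RuntimeError("no acceptable SASL mechanism offered")
    body = plain_initial_response(username, password) if mech == "PLAIN" else ""
    sent.append(f'<auth xmlns="{NS_SASL}" mechanism="{mech}">{body}</auth>')
    return mech, sent
```

In a sniffer you would see the first `<starttls/>` in the clear and everything from the handshake onward, including the `<auth/>` element, as TLS records.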