mina-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Niklas Gustavsson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (VYSPER-288) Announcing in-band registration although StartTLS might be required (first)
Date Tue, 28 Jun 2011 20:12:17 GMT

    [ https://issues.apache.org/jira/browse/VYSPER-288?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13056733#comment-13056733
] 

Niklas Gustavsson commented on VYSPER-288:
------------------------------------------

Depending on what we mean by default, it is enabled in org.apache.vysper.xmpp.server.ServerMain.
I would support removing it as enabled in that class, as well as only support it over TLS
(if that works with the common clients). Let me know if you want me to work on this.

> Announcing in-band registration although StartTLS might be required (first)
> ---------------------------------------------------------------------------
>
>                 Key: VYSPER-288
>                 URL: https://issues.apache.org/jira/browse/VYSPER-288
>             Project: VYSPER
>          Issue Type: Bug
>            Reporter: Bernd Fondermann
>            Priority: Blocker
>
> Right now, in-band registration is announced before a mandatory switch to TLS has been
accomplished.
> I think we should not do that. However, I don't know if the feature still works over
TLS. But I'd strongly suspect so, because, hey, it's a registration.
> After crossreading XEP-0077, I don't see why we should allow for doing regs over an unencrypted
wire.
> WDYT?
> (Marking as a blocker, because of potential security implications. However, in-band is
not enabled by default, is it?)

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message