[jadmin] Should I enable STARTTLS for S2S in ejabberd


Damjan
11-11-2008, 09:19 PM
Hi all,
I just installed ejabberd (2.0.1) on Debian and I'm planning to migrate
several old (very old - I hate them) jabberd2 and jabberd1 domains to it.

Now, I see by default on Debian there's a self-signed certificate in
/etc/ejabberd/ejabberd.pem and by default starttls is true. Will that
cause me problems with s2s operation?

Should I disable s2s_use_starttls?


--
damjan | дамјан
This is my jabber ID --> damjan (AT) bagra (DOT) net.mk
-- not my mail address, it's a Jabber ID --^ :)
_______________________________________________
JAdmin mailing list
FAQ: http://www.jabber.org/discussion-lists/jadmin-faq
Forum: http://www.jabberforum.org/forumdisplay.php?f=19
Info: http://mail.jabber.org/mailman/listinfo/jadmin
Unsubscribe: JAdmin-unsubscribe (AT) jabber (DOT) org
_______________________________________________

Peter Saint-Andre
11-12-2008, 02:08 AM
Damjan wrote:
> Hi all,
> I just installed ejabberd (2.0.1) on Debian and I'm planning to migrate
> several old (very old - I hate them) jabberd2 and jabberd1 domains to it.
>
> Now, I see by default on Debian there's a self-signed certificate in
> /etc/ejabberd/ejabberd.pem and by default starttls is true. Will that
> cause me problems with s2s operation?

No, but you can get a free CA-issued cert here:

http://xmpp.org/ca/

> Should I disable s2s_use_starttls?

Not really. Most server implementations will try TLS and use it if
possible, but if they don't like your cert they'll just default to
server dialback. So there's no harm in trying. :)

Peter

--
Peter Saint-Andre
https://stpeter.im/



Damjan
11-12-2008, 06:58 PM
> No, but you can get a free CA-issued cert here:
>
> http://xmpp.org/ca/

I have 2 questions,

1. will the xmpp clients trust this certificate by default?


2. on the page http://xmpp.org/ca/installation.shtml it's suggested to
download http://cert.startcom.org/sub.class1.xmpp.ca.crt and
http://cert.startcom.org/ca.crt
shouldn't those certificates be served over https?



--
damjan | дамјан
This is my jabber ID --> damjan (AT) bagra (DOT) net.mk
-- not my mail address, it's a Jabber ID --^ :)

David Banes
11-13-2008, 01:27 AM
On 13/11/2008, at 4:56 AM, Damjan wrote:

>> No, but you can get a free CA-issued cert here:
>>
>> http://xmpp.org/ca/
>
> I have 2 questions,
>
> 1. will the xmpp clients trust this certificate by default?
>

Yes.

>
> 2. on the page http://xmpp.org/ca/installation.shtml it's suggested to
> download http://cert.startcom.org/sub.class1.xmpp.ca.crt and
> http://cert.startcom.org/ca.crt
> shouldn't those certificates be served over https?
>

No, it doesn't matter really. If you're thinking about public key
crypto, then it's the private key that's always kept secure (private);
public keys and certs are, well, public.


David Banes
Director & Secretary, Internet Industry Association
Director & Chairman, XMPP Standards Foundation
web: http://davidbanes.com/
work: http://www.cleartext.com/
email: david (AT) banes (DOT) org
xmpp: dbanes (AT) jabber (DOT) org


Peter Saint-Andre
11-13-2008, 07:18 AM
Damjan wrote:
>> No, but you can get a free CA-issued cert here:
>>
>> http://xmpp.org/ca/
>
> I have 2 questions,
>
> 1. will the xmpp clients trust this certificate by default?

Which clients? Most of the bigger clients trust the cert by default, but
it's possible that some of the smaller or older clients do not.

> 2. on the page http://xmpp.org/ca/installation.shtml it's suggested to
> download http://cert.startcom.org/sub.class1.xmpp.ca.crt and
> http://cert.startcom.org/ca.crt
> shouldn't those certificates be served over https?

It's probably a good idea. I've passed that suggestion along to the
folks at StartCom.

Peter

--
Peter Saint-Andre
https://stpeter.im/



Peter Saint-Andre
11-13-2008, 08:08 AM
David Banes wrote:
> On 13/11/2008, at 4:56 AM, Damjan wrote:
>
>> 2. on the page http://xmpp.org/ca/installation.shtml it's suggested to
>> download http://cert.startcom.org/sub.class1.xmpp.ca.crt and
>> http://cert.startcom.org/ca.crt
>> shouldn't those certificates be served over https?
>
> No, it doesn't matter really. If you're thinking about public key
> crypto, then it's the private key that's always kept secure (private);
> public keys and certs are, well, public.

However, you can retrieve those files via https so I could adjust the
links if desired.

/psa


Damjan
11-13-2008, 06:24 PM
> > 2. on the page http://xmpp.org/ca/installation.shtml it's suggested to
> > download http://cert.startcom.org/sub.class1.xmpp.ca.crt and
> > http://cert.startcom.org/ca.crt
> > shouldn't those certificates be served over https?
> >
>
> No, it doesn't matter really. If you're thinking about public key
> crypto, then it's the private key that's always kept secure (private);
> public keys and certs are, well, public.

They are public, but I wouldn't like a MIM to replace them while I'm
downloading them, no?



--
damjan | дамјан
This is my jabber ID --> damjan (AT) bagra (DOT) net.mk
-- not my mail address, it's a Jabber ID --^ :)
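The concern above is integrity, not secrecy: a CA certificate fetched over plain http can be swapped in transit, so before installing it an admin compares its fingerprint against a value obtained out of band (the CA's https page, a colleague, a printed copy). The script below is an added example, not code from the thread or from ejabberd; the PEM blocks it contains are constructed placeholders, not real StartCom certificates, and the pinned fingerprints are assumed to come from a trusted source.

```python
import base64
import hashlib
import re

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def make_fake_pem(payload):
    """Wrap arbitrary bytes in a PEM CERTIFICATE envelope. Constructed stand-in
    for a downloaded CA file so the example runs offline; not a real cert."""
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample bundle standing in for ca.crt + sub.class1.xmpp.ca.crt.
SAMPLE_BUNDLE = (make_fake_pem(b"constructed root CA placeholder")
                 + make_fake_pem(b"constructed intermediate CA placeholder"))


def split_pem_certs(text):
    """Return the DER bytes of every CERTIFICATE block in a PEM file or bundle."""
    return [base64.b64decode("".join(block.split()))
            for block in PEM_CERT_RE.findall(text)]


def sha256_fingerprint(der):
    """Colon-separated upper-case SHA-256 fingerprint of one DER cert, in the
    same form that `openssl x509 -noout -fingerprint -sha256` prints."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalize_fingerprint(fp):
    """Accept fingerprints typed with or without colons and in either case."""
    return fp.replace(":", "").upper()


def verify_pinned(text, pinned):
    """Check every cert in `text` against the fingerprints in `pinned`, which
    must come from an out-of-band source, never from the same http download.
    Returns (all_ok, {fingerprint: matched}); empty or non-PEM input fails."""
    expected = {normalize_fingerprint(fp) for fp in pinned}
    report = {}
    for der in split_pem_certs(text):
        fp = sha256_fingerprint(der)
        report[fp] = normalize_fingerprint(fp) in expected
    return (bool(report) and all(report.values())), report
```

Run it against the real ca.crt by reading the file into `text` and passing the fingerprints published by the CA as `pinned`; a single unmatched entry in the report is enough to reject the whole bundle.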

Damjan
11-13-2008, 06:26 PM
> >> No, but you can get a free CA-issued cert here:
> >>
> >> http://xmpp.org/ca/
> >
> > I have 2 questions,
> >
> > 1. will the xmpp clients trust this certificate by default?
>
> Which clients? Most of the bigger clients trust the cert by default, but
> it's possible that some of the smaller or older clients do not.

Well, I personally use psi, but I have no idea what the users are using.
I've seen Miranda, Pidgin, Psi, Kopete, iChat (those are the ones I know of).



--
damjan | дамјан
This is my jabber ID --> damjan (AT) bagra (DOT) net.mk
-- not my mail address, it's a Jabber ID --^ :)

Peter Saint-Andre
11-14-2008, 12:54 AM
Damjan wrote:
>>>> No, but you can get a free CA-issued cert here:
>>>>
>>>> http://xmpp.org/ca/
>>> I have 2 questions,
>>>
>>> 1. will the xmpp clients trust this certificate by default?
>> Which clients? Most of the bigger clients trust the cert by default, but
>> it's possible that some of the smaller or older clients do not.
>
> Well, I personally use psi, but I have no idea what the users are using.
> I've seen Miranda, Pidgin, Psi, Kopete, iChat (those are the ones I know of).

I know Psi supports it but that's my primary client and I don't test
many others. It also works fine in iChat on Leopard because the StartCom
root certs are included by default in OS X now. Whether it works in
other clients may depend on the underlying OS. I'd be happy to ask
developers on those projects about their support for these certs.

Peter

--
Peter Saint-Andre
https://stpeter.im/


Peter Saint-Andre
11-14-2008, 12:55 AM
Peter Saint-Andre wrote:
> David Banes wrote:
>> On 13/11/2008, at 4:56 AM, Damjan wrote:
>>
>>> 2. on the page http://xmpp.org/ca/installation.shtml it's suggested to
>>> download http://cert.startcom.org/sub.class1.xmpp.ca.crt and
>>> http://cert.startcom.org/ca.crt
>>> shouldn't those certificates be served over https?
>> No, it doesn't matter really. If you're thinking about public key
>> crypto, then it's the private key that's always kept secure (private);
>> public keys and certs are, well, public.
>
> However, you can retrieve those files via https so I could adjust the
> links if desired.

Done.

Peter

--
Peter Saint-Andre
https://stpeter.im/
