If the Target is able to open a TCP socket on a StreamHost, it MUST utilize the SOCKS5 protocol specified in &rfc1928; to establish the connection with the StreamHost. In accordance with the SOCKS5 RFC, the Target MAY have to authenticate in order to use the proxy. However, any authentication required is beyond the scope of this document.
-Once the Target has successfully authenticated with the Proxy (even anonymously), it SHOULD send a CONNECT request to a host named: SHA1(SID + Initiator JID + Target JID), port 0, where the SHA1 hashing algorithm is specified by &rfc3174;. The JIDs provided MUST be full JIDs (i.e., <user@host/resource>); furthermore, in order to ensure proper results, the appropriate stringprep profiles (as specified in &xmppcore;) MUST be applied to the JIDs before application of the SHA1 hashing algorithm.
+Once the Target has successfully authenticated with the Proxy (even anonymously), it SHOULD send a CONNECT request to the appropriate host in order to continue the negotiation. The following rules apply:
+When replying to the client in accordance with Section 6 of RFC 1928, the StreamHost SHOULD set the BND.ADDR and BND.PORT to the values provided by the client in the connection request.
After the Target has authenticated with the StreamHost, it MUST send an IQ-result to the Initiator indicating which StreamHost was used.
@@ -418,7 +426,16 @@ STATUS = X'00' the Target.If the StreamHost used is a Proxy, the Initiator MUST authenticate and establish a connection with the StreamHost before requesting that the StreamHost activate bytestream. The Initiator will establish a connection to the SOCKS5 proxy in the same way the Target did, passing the same value for the CONNECT request.
+If the StreamHost used is a Proxy, the Initiator MUST authenticate and establish a connection with the StreamHost before requesting that the StreamHost activate bytestream. The Initiator will establish a connection to the SOCKS5 proxy in the same way the Target did (passing the same value for the CONNECT request), as shown in the following examples.
+In order for the bytestream to be used, it MUST first be activated by the StreamHost. If the StreamHost is the Initiator, this is straightforward and does not require any in-band protocol. However, if the StreamHost is a Proxy, the Initiator MUST send an in-band request to the StreamHost. This is done by sending an IQ-set to the Proxy, including an <activate/> element whose XML character data specifies the full JID of the Target.
@@ -439,10 +456,6 @@ STATUS = X'00' from='proxy.host3' to='initiator@host1/foo' id='activate'/> - ]]> -The Proxy MUST then send SOCKS5 acknowledgement of the connection to the Target.
-If the Proxy cannot fulfill the request, it MUST return an IQ-error to the Initiator; the following conditions are defined:
| Parameter | Value |
|---|---|
| CMD | 1 (CONNECT) |
| ATYP | 1 (IP V4), 3 (DOMAINNAME), or 4 (IP V6) |
| ATYP | Hardcoded to 3 (DOMAINNAME) in this usage |
| DST.ADDR | SHA1 Hash of: (SID + Initiator JID + Target JID) |
| DST.PORT | 0 |
| Parameter | Value |
|---|---|
| CMD | 3 (UDP ASSOCIATE) |
| ATYP | 1 (IP V4), 3 (DOMAINNAME), or 4 (IP V6) |
| ATYP | Hardcoded to 3 (DOMAINNAME) in this usage |
| DST.ADDR | SHA1 Hash of: (SID + Initiator JID + Target JID) |
| DST.PORT | 0 |
| Parameter | Value |
|---|---|
| ATYP | 1 (IP V4), 3 (DOMAINNAME), or 4 (IP V6) |
| ATYP | Hardcoded to 3 (DOMAINNAME) in this usage |
| DST.ADDR | SHA1 Hash of: (SID + Initiator JID + Target JID) |
| DST.PORT | 0 or 1, for payload or initialization packets, respectively. |