mirror of
https://github.com/moparisthebest/xeps
synced 2024-11-27 11:42:17 -05:00
90 lines
6.6 KiB
XML
90 lines
6.6 KiB
XML
<?xml version='1.0' encoding='UTF-8'?>
|
|
<!DOCTYPE xep SYSTEM 'xep.dtd' [
|
|
<!ENTITY % ents SYSTEM 'xep.ent'>
|
|
%ents;
|
|
<!ENTITY rfc7301 "<span class='ref'><link url='https://tools.ietf.org/html/rfc7301'>RFC 7301</link></span> <note>RFC 7301: Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension <<link url='https://tools.ietf.org/html/rfc7301'>https://tools.ietf.org/html/rfc7301</link>>.</note>" >
|
|
<!ENTITY rfc7590 "<span class='ref'><link url='https://tools.ietf.org/html/rfc7590'>RFC 7590</link></span> <note>RFC 7590: Use of Transport Layer Security (TLS) in the
|
|
Extensible Messaging and Presence Protocol (XMPP) <<link url='https://tools.ietf.org/html/rfc7590'>https://tools.ietf.org/html/rfc7590</link>>.</note>" >
|
|
]>
|
|
<?xml-stylesheet type='text/xsl' href='xep.xsl'?>
|
|
<xep>
|
|
<header>
|
|
<title>SRV records for XMPP over TLS</title>
|
|
<abstract>This specification defines a procedure to look up xmpps-client/xmpps-server SRV records (for TLS connections) in addition to xmpp-client/xmpp-server and mix weights/priorities.</abstract>
|
|
&LEGALNOTICE;
|
|
<number>0368</number>
|
|
<status>Experimental</status>
|
|
<type>Standards Track</type>
|
|
<sig>Standards</sig>
|
|
<approver>Council</approver>
|
|
<dependencies>
|
|
<spec>XMPP Core</spec>
|
|
<spec>RFC 2782</spec>
|
|
</dependencies>
|
|
<supersedes/>
|
|
<supersededby/>
|
|
<shortname>NOT_YET_ASSIGNED</shortname>
|
|
<author>
|
|
<firstname>Travis</firstname>
|
|
<surname>Burtrum</surname>
|
|
<email>travis@burtrum.org</email>
|
|
<jid>travis@burtrum.org</jid>
|
|
</author>
|
|
<revision>
|
|
<version>0.1</version>
|
|
<date>2015-12-15</date>
|
|
<initials>XEP Editor (asw)</initials>
|
|
<remark><p>Initial published version approved by the XMPP Council.</p></remark>
|
|
</revision>
|
|
<revision>
|
|
<version>0.0.2</version>
|
|
<date>2015-12-15</date>
|
|
<initials>tjb</initials>
|
|
<remark><p>tls proto to tcp, change service instead. Set SNI correctly.</p></remark>
|
|
</revision>
|
|
<revision>
|
|
<version>0.0.1</version>
|
|
<date>2015-10-31</date>
|
|
<initials>psa</initials>
|
|
<remark><p>First draft.</p></remark>
|
|
</revision>
|
|
</header>
|
|
<section1 topic='Introduction' anchor='intro'>
|
|
<p>&xmppcore; specifies the use of xmpp-client/xmpp-server SRV records as the method of discovering how to connect to an XMPP server. This XEP extends that to include new xmpps-client/xmpps-server SRV records pointing to TLS ports and combine priorities and weights as if they were a single SRV record. Applied to both xmpps-client and xmpps-server SRV records, this provides the opportunity to connect to XMPP servers with at least equal and perhaps increased security and privacy over using STARTTLS. It also provides an easy way for clients to bypass restrictive firewalls that only allow HTTPS, and for servers to host multiple protocols/services on a single port.</p>
|
|
</section1>
|
|
<section1 topic='Requirements' anchor='reqs'>
|
|
<p>The following format for DNS SRV resource records is specified in &rfc2782;:</p>
|
|
<code><![CDATA[
|
|
_service._proto.name. TTL class SRV priority weight port target.
|
|
]]></code>
|
|
<p><cite>XMPP Core</cite> defines SRV records only where 'service' is 'xmpp-client' and 'xmpp-server'. This document specifies to additionally look up records where 'service' is 'xmpps-client' and 'xmpps-server'. This document specifies that the following additional rules apply:</p>
|
|
<ol>
|
|
<li>Treat both 'xmpp-' and 'xmpps-' records as the same record with regard to connection order as specified by <cite>RFC 2782</cite>, in that all priorities and weights are mixed. (so the server operator can decide if they would rather clients connect to tcp with STARTTLS or just with TLS directly)</li>
|
|
<li>Where 'service' starts with 'xmpps-' the client or server MUST connect with TLS enabled.</li>
|
|
<li>Where 'service' starts with 'xmpp-' the client or server MUST NOT connect with TLS enabled, connection method is unchanged from <cite>XMPP Core</cite>.</li>
|
|
<li>TLS certificates MUST be validated the same way as for STARTTLS. (i.e., as specified in <cite>XMPP Core</cite>).</li>
|
|
<li>STARTTLS MUST NOT be used over TLS connections.</li>
|
|
<li>Client or server SHOULD set SNI TLS extension to the JID's domain part.</li>
|
|
<li>Client or server SHOULD set the ALPN (&rfc7301;) TLS extension.</li>
|
|
<li>When ALPN is used protocol MUST be 'xmpp-client' where 'xmpps-client' is the SRV 'service'.</li>
|
|
<li>When ALPN is used protocol MUST be 'xmpp-server' where 'xmpps-server' is the SRV 'service'.</li>
|
|
</ol>
|
|
</section1>
|
|
<section1 topic='Use Cases' anchor='usecases'>
|
|
<p>For server operators, this provides a way to host multiple services on the same port, especially when SNI or ALPN extensions are used. Servers could even host xmpp-client and xmpp-server services on the same TLS port. For clients, this provides a virtually zero overhead way to bypass restrictive firewalls that only allow HTTP over port 80 and HTTPS over port 443, as xmpp-over-tls is indistinguishable from http-over-tls when ALPN is not used.</p>
|
|
</section1>
|
|
<section1 topic='Implementation Notes' anchor='impl'>
|
|
<p>The only overhead is the single additional SRV lookup. All clients that support STARTTLS already have support for TLS-over-tcp.</p>
|
|
<p>Server operators should not expect multiplexing to work in all scenarios and therefore should provide additional SRV record(s) that do not require multiplexing (either standard STARTTLS or dedicated XMPP-over-TLS). This is a result of relying on ALPN for multiplexing, where ALPN might not be supported by all devices or may be disabled by a user due to privacy reasons.</p>
|
|
</section1>
|
|
<section1 topic='Security Considerations' anchor='security'>
|
|
<p>TLS provides AT LEAST the same level of security as STARTTLS, and more privacy without ALPN as using STARTTLS leaks that the underlying protocol is XMPP, while any TLS stream should be indistinguishable from any other TLS stream. TLS provides more security than STARTTLS if &rfc7590; is not followed, as it isn't subject to STARTTLS stripping. All security setup and certificate validation code SHOULD be shared between the STARTTLS and TLS logic as well.</p>
|
|
</section1>
|
|
<section1 topic='IANA Considerations' anchor='iana'>
|
|
<p>ALPN (<cite>RFC 7301</cite>) requires registration of the new Protocol IDs, 'xmpp-client' and 'xmpp-server', specified in this document. The registry is currently located <link url='https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids'>here</link></p>
|
|
</section1>
|
|
<section1 topic='XMPP Registrar Considerations' anchor='registrar'>
|
|
<p>There are no XMPP Registrar Considerations.</p>
|
|
</section1>
|
|
</xep>
|