Posted to dev@mina.apache.org by "Bernd Fondermann (JIRA)" <ji...@apache.org> on 2011/06/28 18:30:16 UTC

[jira] [Created] (VYSPER-288) Announcing in-band registration also StartTLS might be required (first)

Announcing in-band registration also StartTLS might be required (first)
-----------------------------------------------------------------------

                 Key: VYSPER-288
                 URL: https://issues.apache.org/jira/browse/VYSPER-288
             Project: VYSPER
          Issue Type: Bug
            Reporter: Bernd Fondermann
            Priority: Blocker


Right now, in-band registration is announced before a mandatory switch to TLS has been accomplished.
I think we should not do that. However, I don't know if the feature still works over TLS. But I'd strongly suspect so, because, hey, it's a registration.

After crossreading XEP-0077, I don't see why we should allow for doing regs over an unencrypted wire.

WDYT?

(Marking as a blocker, because of potential security implications. However, in-band is not enabled by default, is it?)

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
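
The condition reported above can be checked from the outside by inspecting the stream features a server sends before TLS is negotiated. The following is an added example, not part of the original thread and not Vysper code: the function name, the result labels and the sample feature elements are constructed for illustration, while the namespaces are the standard XMPP STARTTLS namespace and the XEP-0077 stream-feature namespace.

```python
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_REGISTER = "http://jabber.org/features/iq-register"  # XEP-0077 stream feature


def audit_features(features_xml, tls_active):
    """Classify one <stream:features/> element received from a server.

    Returns 'ok', 'register-before-required-tls' (the condition in this
    issue) or 'register-on-plaintext' (registration offered on a stream
    where TLS is optional or not offered at all).
    """
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{NS_STREAM}}}features":
        raise ValueError("not a stream:features element")
    register = root.find(f"{{{NS_REGISTER}}}register") is not None
    starttls = root.find(f"{{{NS_TLS}}}starttls")
    tls_required = (starttls is not None
                    and starttls.find(f"{{{NS_TLS}}}required") is not None)
    if tls_active or not register:
        return "ok"
    if tls_required:
        return "register-before-required-tls"
    return "register-on-plaintext"


# Constructed sample feature sets (not captured from a real server).
_OPEN = f"<stream:features xmlns:stream='{NS_STREAM}'>"
_CLOSE = "</stream:features>"
_TLS_REQ = f"<starttls xmlns='{NS_TLS}'><required/></starttls>"
_REG = f"<register xmlns='{NS_REGISTER}'/>"

PRE_TLS_REPORTED = _OPEN + _TLS_REQ + _REG + _CLOSE  # behaviour in the report
PRE_TLS_GATED = _OPEN + _TLS_REQ + _CLOSE            # register held back
POST_TLS = _OPEN + _REG + _CLOSE                     # sent after the handshake
TLS_DISABLED = _OPEN + _REG + _CLOSE                 # server offers no STARTTLS

if __name__ == "__main__":
    for name, xml, tls in [("reported", PRE_TLS_REPORTED, False),
                           ("gated", PRE_TLS_GATED, False),
                           ("post-tls", POST_TLS, True),
                           ("tls-disabled", TLS_DISABLED, False)]:
        print(name, audit_features(xml, tls))
```

The `register-on-plaintext` result is reported separately because a later comment in this thread proposes allowing in-band registration on servers where TLS has been disabled.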

        

[jira] [Commented] (VYSPER-288) Announcing in-band registration although StartTLS might be required (first)

Posted by "Niklas Gustavsson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/VYSPER-288?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13056747#comment-13056747 ] 

Niklas Gustavsson commented on VYSPER-288:
------------------------------------------

I've already created a patch and it works just fine with libpurple and Psi, so I say we go for it. 

Also, I think we should allow in-band regs on servers where TLS has been disabled, similar to plain auth. But I'll leave that to your other work.

> Announcing in-band registration although StartTLS might be required (first)
> ---------------------------------------------------------------------------
>
>                 Key: VYSPER-288
>                 URL: https://issues.apache.org/jira/browse/VYSPER-288
>             Project: VYSPER
>          Issue Type: Bug
>            Reporter: Bernd Fondermann
>            Priority: Blocker
>
> Right now, in-band registration is announced before a mandatory switch to TLS has been accomplished.
> I think we should not do that. However, I don't know if the feature still works over TLS. But I'd strongly suspect so, because, hey, it's a registration.
> After crossreading XEP-0077, I don't see why we should allow for doing regs over an unencrypted wire.
> WDYT?
> (Marking as a blocker, because of potential security implications. However, in-band is not enabled by default, is it?)


[jira] [Closed] (VYSPER-288) Announcing in-band registration although StartTLS might be required (first)

Posted by "Niklas Gustavsson (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/VYSPER-288?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Niklas Gustavsson closed VYSPER-288.
------------------------------------

       Resolution: Fixed
    Fix Version/s: 0.8
         Assignee: Niklas Gustavsson

Fixed in rev 1142805

> Announcing in-band registration although StartTLS might be required (first)
> ---------------------------------------------------------------------------
>
>                 Key: VYSPER-288
>                 URL: https://issues.apache.org/jira/browse/VYSPER-288
>             Project: VYSPER
>          Issue Type: Bug
>            Reporter: Bernd Fondermann
>            Assignee: Niklas Gustavsson
>            Priority: Blocker
>             Fix For: 0.8
>
>
> Right now, in-band registration is announced before a mandatory switch to TLS has been accomplished.
> I think we should not do that. However, I don't know if the feature still works over TLS. But I'd strongly suspect so, because, hey, it's a registration.
> After crossreading XEP-0077, I don't see why we should allow for doing regs over an unencrypted wire.
> WDYT?
> (Marking as a blocker, because of potential security implications. However, in-band is not enabled by default, is it?)


[jira] [Commented] (VYSPER-288) Announcing in-band registration although StartTLS might be required (first)

Posted by "Bernd Fondermann (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/VYSPER-288?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13056742#comment-13056742 ] 

Bernd Fondermann commented on VYSPER-288:
-----------------------------------------

+1. If you can tackle this, I'll be standing by. I won't get to it immediately, but know what to do.

> Announcing in-band registration although StartTLS might be required (first)
> ---------------------------------------------------------------------------
>
>                 Key: VYSPER-288
>                 URL: https://issues.apache.org/jira/browse/VYSPER-288
>             Project: VYSPER
>          Issue Type: Bug
>            Reporter: Bernd Fondermann
>            Priority: Blocker
>
> Right now, in-band registration is announced before a mandatory switch to TLS has been accomplished.
> I think we should not do that. However, I don't know if the feature still works over TLS. But I'd strongly suspect so, because, hey, it's a registration.
> After crossreading XEP-0077, I don't see why we should allow for doing regs over an unencrypted wire.
> WDYT?
> (Marking as a blocker, because of potential security implications. However, in-band is not enabled by default, is it?)


[jira] [Updated] (VYSPER-288) Announcing in-band registration although StartTLS might be required (first)

Posted by "Bernd Fondermann (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/VYSPER-288?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bernd Fondermann updated VYSPER-288:
------------------------------------

    Description: 
Right now, in-band registration is announced before a mandatory switch to TLS has been accomplished.
I think we should not do that. However, I don't know if the feature still works over TLS. But I'd strongly suspect so, because, hey, it's a registration.

After crossreading XEP-0077, I don't see why we should allow for doing regs over an unencrypted wire.

WDYT?

(Marking as a blocker, because of potential security implications. However, in-band is not enabled by default, is it?)

  was:
Right now, in-band registration is announced before a mandatory switch to TLS has been accomplished.
I think we should not do that. However, I don't know if the feature still works over TLS. But I'd strongly suspect so, because, hey, it's a registration.

After crossreading XEP-0077, I don't see why we should allow for doing regs over an unencrypted wire.

WDYT?

(Marking as a blocker, because of potential security implifications. However, in-band is not enabled by default, is it?)


> Announcing in-band registration although StartTLS might be required (first)
> ---------------------------------------------------------------------------
>
>                 Key: VYSPER-288
>                 URL: https://issues.apache.org/jira/browse/VYSPER-288
>             Project: VYSPER
>          Issue Type: Bug
>            Reporter: Bernd Fondermann
>            Priority: Blocker
>
> Right now, in-band registration is announced before a mandatory switch to TLS has been accomplished.
> I think we should not do that. However, I don't know if the feature still works over TLS. But I'd strongly suspect so, because, hey, it's a registration.
> After crossreading XEP-0077, I don't see why we should allow for doing regs over an unencrypted wire.
> WDYT?
> (Marking as a blocker, because of potential security implications. However, in-band is not enabled by default, is it?)


[jira] [Updated] (VYSPER-288) Announcing in-band registration although StartTLS might be required (first)

Posted by "Bernd Fondermann (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/VYSPER-288?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bernd Fondermann updated VYSPER-288:
------------------------------------

    Summary: Announcing in-band registration although StartTLS might be required (first)  (was: Announcing in-band registration also StartTLS might be required (first))

> Announcing in-band registration although StartTLS might be required (first)
> ---------------------------------------------------------------------------
>
>                 Key: VYSPER-288
>                 URL: https://issues.apache.org/jira/browse/VYSPER-288
>             Project: VYSPER
>          Issue Type: Bug
>            Reporter: Bernd Fondermann
>            Priority: Blocker
>
> Right now, in-band registration is announced before a mandatory switch to TLS has been accomplished.
> I think we should not do that. However, I don't know if the feature still works over TLS. But I'd strongly suspect so, because, hey, it's a registration.
> After crossreading XEP-0077, I don't see why we should allow for doing regs over an unencrypted wire.
> WDYT?
> (Marking as a blocker, because of potential security implications. However, in-band is not enabled by default, is it?)


[jira] [Commented] (VYSPER-288) Announcing in-band registration although StartTLS might be required (first)

Posted by "Niklas Gustavsson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/VYSPER-288?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13056733#comment-13056733 ] 

Niklas Gustavsson commented on VYSPER-288:
------------------------------------------

Depending on what we mean by default, it is enabled in org.apache.vysper.xmpp.server.ServerMain. I would support removing it as enabled in that class, as well as only support it over TLS (if that works with the common clients). Let me know if you want me to work on this.

> Announcing in-band registration although StartTLS might be required (first)
> ---------------------------------------------------------------------------
>
>                 Key: VYSPER-288
>                 URL: https://issues.apache.org/jira/browse/VYSPER-288
>             Project: VYSPER
>          Issue Type: Bug
>            Reporter: Bernd Fondermann
>            Priority: Blocker
>
> Right now, in-band registration is announced before a mandatory switch to TLS has been accomplished.
> I think we should not do that. However, I don't know if the feature still works over TLS. But I'd strongly suspect so, because, hey, it's a registration.
> After crossreading XEP-0077, I don't see why we should allow for doing regs over an unencrypted wire.
> WDYT?
> (Marking as a blocker, because of potential security implications. However, in-band is not enabled by default, is it?)
