Force TLS with certain s2s domains

Justin Karneges
Added over 5 years ago

Hi,

How can this be achieved? Between some domains that know about each other, I want to ensure traffic is always encrypted.

Thanks.


Replies (6)

Added by Artur Hefczyc TigaseTeam over 5 years ago

At the moment (Version 5.2.0 or later) you can set TLS required for a specified domain (the local vhost, this is a part of the vhost configuration option) and there is also a global option to enforce TLS required for the Tigase installation. There is no option to specify whether the encryption is required for a remote domain or a local-remote domain pair.

Added by Justin Karneges over 5 years ago

Local vhost should be enough. I'll just set it in each server configuration.

And it would cover both incoming and outgoing stanzas? For example if I set this flag on one of my vhosts, it would require an inbound remote server connection to present a valid certificate (such that the from address of incoming stanzas cannot be spoofed), and it would also refuse to send stanzas to a remote server that does not present a valid certificate (such that the to address cannot be hijacked)?

Is there a way to set this per-domain in init.properties? I just want to list a couple of domains and not have it apply to all of them.

Added by Artur Hefczyc TigaseTeam over 5 years ago

Hm, I am sorry, I just realized that we are talking about s2s here, while the TLS required has been implemented for c2s connections only. Andrzej has done some work on TLS for s2s connections recently, maybe TLS required is available for s2s as well. Let him comment on this.

Added by Andrzej Wójcik IoT 1 CloudTigaseTeam over 5 years ago

I checked if there is an option to turn on TLS required for S2S connections but this is not implemented. TLS required is available only for C2S connections.

Added by Justin Karneges over 3 years ago

It's always fun to google for an answer and find your own posts... ;)

Any update on this?

Added by Artur Hefczyc TigaseTeam over 3 years ago

I am afraid we did not move this forward yet. Andrzej, could you please comment?
