STARTTLS support in Loudmouth
Sat down tonight and hacked up a first version of STARTTLS support in Loudmouth. The current version is pretty fragile to anything going wrong so I haven’t landed the code in the 1.3 tree yet. I also plan to do some refactoring required after merging the SASL patch this weekend. After merging this it means that Loudmouth will have support for SASL, STARTTLS and SRV lookup which will let you just use your JID for connecting rather than giving JID, host, port and whether to use SSL or not. Yay!
That’s great! Currently I use gaim for GSSAPI/Kerberos jabber authentication and it would be nice to have other options available.
One implementation gotcha to be aware of. Setting the proper SASL domain.
When the domain portion of your JID != the FQDN of the jabber server and you are doing GSSAPI/Kerberos authentication you should use the FQDN of the jabber server as the SASL domain so that the FQDN is used when obtaining a Kerberos service ticket. Other implementations have initially gotten this wrong and have tried to use the domain portion of the JID.
On the other hand, with the DIGEST-MD5 method, I believe you do want to use the domain portion of the JID for the SASL domain.
Another thing gaim initially got wrong. When the connection can be authenticated via GSSAPI/Kerberos or another non-password based method the user should not be prompted for a password.
And finally if the jabber server offers the GSSAPI method along with PLAIN (over STARTTLS or SSL) and the client doesn’t have Kerberos tickets, the client should gracefully fall back to PLAIN auth and prompt the user for a password.
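The mechanism-selection rules in the comment above, written out as an added example. This is not Loudmouth's or gaim's code; the function names, the JID, the server host names and the offered-mechanism lists are constructed for illustration. It encodes the three points made above: GSSAPI takes the server FQDN (the Kerberos service principal is xmpp/<fqdn>@REALM) while DIGEST-MD5 takes the JID domain, a non-password mechanism never triggers a password prompt, and the client falls back to PLAIN only when the stream is already TLS-protected.

```python
"""Added example of SASL mechanism selection for an XMPP client.

Not code from Loudmouth or gaim. The names below (SaslChoice,
choose_mechanism, gssapi_service_principal, sasl_domain_for) and the
sample hosts/JIDs are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class SaslChoice:
    mechanism: str        # SASL mechanism name as advertised by the server
    sasl_domain: str      # host/domain handed to the SASL library
    needs_password: bool  # whether the UI must prompt the user


def gssapi_service_principal(server_fqdn: str, realm: str) -> str:
    """Kerberos service principal for an XMPP server: xmpp/<fqdn>@REALM.

    The host part must be the server's FQDN (e.g. from the SRV lookup),
    not the JID domain, or the KDC will not find the service key.
    """
    return f"xmpp/{server_fqdn.lower()}@{realm.upper()}"


def sasl_domain_for(mechanism: str, jid_domain: str, server_fqdn: str) -> str:
    """Pick the SASL 'domain' for a mechanism.

    GSSAPI: the ticket is obtained for the server FQDN, so pass the FQDN.
    DIGEST-MD5 / PLAIN: the digest-uri is xmpp/<jid domain>, so pass the
    domain portion of the JID.
    """
    if mechanism == "GSSAPI":
        return server_fqdn
    return jid_domain


def choose_mechanism(offered: Iterable[str], jid_domain: str, server_fqdn: str,
                     stream_encrypted: bool, have_krb_tickets: bool) -> Optional[SaslChoice]:
    """Select a mechanism in preference order, or return None if none is safe.

    - GSSAPI is used only when the client actually holds Kerberos tickets,
      and then no password prompt is shown.
    - DIGEST-MD5 is acceptable with or without TLS (challenge/response).
    - PLAIN is only acceptable on a TLS-protected stream (STARTTLS or SSL);
      on a cleartext stream the client refuses rather than leaking a password.
    """
    offered = {m.upper() for m in offered}

    if "GSSAPI" in offered and have_krb_tickets:
        return SaslChoice("GSSAPI", sasl_domain_for("GSSAPI", jid_domain, server_fqdn), False)

    if "DIGEST-MD5" in offered:
        return SaslChoice("DIGEST-MD5", sasl_domain_for("DIGEST-MD5", jid_domain, server_fqdn), True)

    if "PLAIN" in offered and stream_encrypted:
        return SaslChoice("PLAIN", sasl_domain_for("PLAIN", jid_domain, server_fqdn), True)

    return None


if __name__ == "__main__":
    # Constructed sample: JID domain differs from the SRV target host.
    jid_domain, fqdn = "example.org", "jabber1.example.org"
    print(gssapi_service_principal(fqdn, "example.org"))
    print(choose_mechanism(["GSSAPI", "PLAIN"], jid_domain, fqdn, True, True))
    print(choose_mechanism(["GSSAPI", "PLAIN"], jid_domain, fqdn, True, False))
    print(choose_mechanism(["GSSAPI", "PLAIN"], jid_domain, fqdn, False, False))
```

The last call returns None on purpose: with no tickets and no TLS, the only remaining option is PLAIN over cleartext, and a client should refuse that rather than silently send the password.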