From 82b3790f85b9a04598fed5ae08d8307126840c55 Mon Sep 17 00:00:00 2001 From: Badlop Date: Thu, 25 Jun 2009 18:03:29 +0000 Subject: [PATCH] Improve explanation about SSL for port 5223 and its option 'tls'. SVN Revision: 2340 --- doc/guide.html | 12 +++++++++--- doc/guide.tex | 12 +++++++++--- 2 files changed, 18 insertions(+), 6 deletions(-) diff --git a/doc/guide.html b/doc/guide.html index bf51b3ac0..4efcc7a17 100644 --- a/doc/guide.html +++ b/doc/guide.html @@ -751,8 +751,14 @@ No unencrypted connections will be allowed. You should also set the certfile option. You can define a certificate file for a specific domain using the global option domain_certfile.
tls
This option specifies that traffic on -the port will be encrypted using SSL immediately after connecting. You -should also set the certfile option. +the port will be encrypted using SSL immediately after connecting. +This was the traditional encryption method in the early Jabber software, +commonly on port 5223 for client-to-server communications. +But this method is nowadays deprecated and not recommended. +The preferable encryption method is STARTTLS on port 5222, as defined +RFC 3920: XMPP Core, +which can be enabled in ejabberd with the option starttls. +If this option is set, you should also set the certfile option.
web_admin
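Review bot: the new sentence "The preferable encryption method is STARTTLS on port 5222, as defined RFC 3920: XMPP Core" is missing a word; it should read "as defined in RFC 3920: XMPP Core". The more important gap is in the advice itself: `starttls` on 5222 only offers TLS, so a client that never sends STARTTLS stays in cleartext for the whole session, whereas the legacy `tls` listener on 5223 encrypted every connection from the first byte. The context line just above this hunk documents the variant of STARTTLS where "No unencrypted connections will be allowed"; point readers at that option as the like-for-like replacement for 5223, e.g. "which can be enabled in ejabberd with the option starttls (use the variant that refuses unencrypted connections if you want the same guarantee the 5223 port gave)". Otherwise a migration that follows this paragraph literally can weaken the deployment. Minor wording point: the first sentence still says the port "will be encrypted using SSL" while the rest of the paragraph talks about TLS and STARTTLS; say "TLS (legacy SSL-on-connect)" or similar so readers do not take SSL and TLS for two different mechanisms.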
This option enables the Web Admin for ejabberd administration which is available at http://server:port/admin/. Login and password are the username and @@ -762,7 +768,7 @@ password of one of the registered users who are granted access by the option specifies that Zlib stream compression (as defined in XEP-0138) is available on connections to the port. Client connections cannot use stream compression and stream encryption simultaneously. Hence, if you -specify both tls (or ssl) and zlib, the latter +specify both starttls (or tls) and zlib, the latter option will not affect connections (there will be no stream compression).

There are some additional global options that can be specified in the ejabberd configuration file (outside listen):
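Review bot: swapping "tls (or ssl)" for "starttls (or tls)" makes the zlib caveat claim more than it can for `starttls`. The paragraph's premise is that compression and encryption cannot be used at the same time; with immediate-SSL `tls` every connection is encrypted, so "there will be no stream compression" is literally true, but with `starttls` encryption is negotiated per connection, so a client that does not upgrade could still offer zlib unless the server refuses it. Either qualify the sentence, e.g. "on connections that have negotiated STARTTLS, zlib will have no effect", or state what the server actually does in that case. Also, the removed text listed `ssl` as an accepted spelling of the option; if the listener still accepts `ssl` as an alias of `tls`, keep it in this list (and say so under `tls`), and if it has been removed, say that instead, since dropping it from only this sentence leaves readers unsure whether the option still exists.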

diff --git a/doc/guide.tex b/doc/guide.tex index 5c7aa1027..9a00a964b 100644 --- a/doc/guide.tex +++ b/doc/guide.tex @@ -884,8 +884,14 @@ This is a detailed description of each option allowed by the listening modules: You should also set the \option{certfile} option. You can define a certificate file for a specific domain using the global option \option{domain\_certfile}. \titem{tls} \ind{options!tls}\ind{TLS}This option specifies that traffic on - the port will be encrypted using SSL immediately after connecting. You - should also set the \option{certfile} option. + the port will be encrypted using SSL immediately after connecting. + This was the traditional encryption method in the early Jabber software, + commonly on port 5223 for client-to-server communications. + But this method is nowadays deprecated and not recommended. + The preferable encryption method is STARTTLS on port 5222, as defined + \footahref{http://www.xmpp.org/specs/rfc3920.html\#tls}{RFC 3920: XMPP Core}, + which can be enabled in \ejabberd{} with the option \term{starttls}. + If this option is set, you should also set the \option{certfile} option. \titem{web\_admin} \ind{options!web\_admin}\ind{web admin}This option enables the Web Admin for \ejabberd{} administration which is available at \verb|http://server:port/admin/|. Login and password are the username and @@ -895,7 +901,7 @@ This is a detailed description of each option allowed by the listening modules: option specifies that Zlib stream compression (as defined in \xepref{0138}) is available on connections to the port. Client connections cannot use stream compression and stream encryption simultaneously. Hence, if you - specify both \option{tls} (or \option{ssl}) and \option{zlib}, the latter + specify both \option{starttls} (or \option{tls}) and \option{zlib}, the latter option will not affect connections (there will be no stream compression). \end{description}
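Review bot: in the `\titem{tls}` hunk the same missing word as in guide.html: "as defined \footahref{...}{RFC 3920: XMPP Core}" should read "as defined in \footahref{...}{RFC 3920: XMPP Core}" (put the "in" at the end of the "as defined" line so the wrap stays clean). The item keeps the index entry `\ind{TLS}` while the first sentence says the port is "encrypted using SSL"; either index it as SSL as well or reword to "TLS (legacy SSL-on-connect)" so the index and the text agree. As in the html version, the recommendation to switch to `starttls` should also point at the option described in the context just above this hunk ("No unencrypted connections will be allowed"), because plain `starttls` on 5222 permits cleartext sessions that the 5223 `tls` listener never did, and a reader migrating off 5223 should be told which option preserves that guarantee.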
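Review bot: in the `\option{zlib}` hunk, "if you specify both \option{starttls} (or \option{tls}) and \option{zlib} ... there will be no stream compression" is only exact for `tls`; with `starttls` encryption is negotiated per connection, so unless the server refuses zlib on a connection that never upgraded, the statement overreaches. Qualify it ("on connections that have negotiated STARTTLS") or describe the actual server behaviour. The hunk also drops `\option{ssl}` from the list; if `ssl` is still accepted as an alias of `tls`, keep it here, otherwise note its removal under `\titem{tls}`.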