Topic Last Modified: 2012-10-21

The negotiation-type settings in the configuration of an XMPP Partner can be combined in many ways, and not all of these combinations are valid. The tables in this topic define which settings are valid and which are not valid. The first table presents common configurations, and the second table details all possible combinations. Note that you cannot have Simple Authentication and Security Layer (SASL) unless Transport Layer Security (TLS) is also available. SASL is sent in an unencrypted (readable) format and should never be transmitted unless protected by another means, such as TLS.

Common XMPP Federation Negotiation Methods

| Transport Layer Security (TLS) | Simple Authentication and Security Layer (SASL) | Dialback Authentication | Expected Authentication Method(s) | Notes |
| --- | --- | --- | --- | --- |
| Required | Required | False | SASL over TLS | Requiring both TLS and SASL helps to ensure that the SASL message stream is secure. Dialback is not available and cannot be used as a fallback method if the XMPP federated partner has not set TLS to required or optional. |
| Required | Optional | True | SASL over TLS, TLS Dialback, TCP Dialback | Because TLS is required, SASL is used if the XMPP federated partner has set SASL to optional or required. If SASL is not available, Dialback over TLS will be used. |
| Optional | Optional | True | SASL over TLS, TLS Dialback, TCP Dialback | While very flexible in the negotiation methods offered, these settings rely on the XMPP federation partner's settings. If the partner has TLS optional or required but SASL is not supported, TLS Dialback will be available. If the partner has TLS and SASL set to optional or required, the optimal selection of TLS over SASL is used. |
| Not Supported | Not Supported | True | TCP Dialback | In many cases, TCP Dialback is the only possible solution. Although less desirable than other options, it does provide some level of trust. |

XMPP Federation Negotiation Methods Matrix - Complete

| Transport Layer Security (TLS) | Simple Authentication and Security Layer (SASL) | Dialback Authentication | Expected Authentication Method | Notes, Warning or Error for Not Valid Configuration |
| --- | --- | --- | --- | --- |
| Required | Required | True | SASL over TLS | Warning: Dialback will not operate if both SASL and TLS are required. |
| Required | Required | False | SASL over TLS | |
| Optional | Required | True | SASL over TLS, TLS Dialback, TCP Dialback | Warning: SASL requires TLS. Allowing TLS to be optional may result in failed session negotiations. |
| Optional | Required | False | SASL over TLS | Warning: SASL requires TLS. Allowing TLS to be optional may result in failed session negotiations. |
| Not Supported | Required | True | TCP Dialback | Warning: SASL requires TLS. Allowing TLS to be optional may result in failed session negotiations. |
| Not Supported | Required | False | Warning: Not Valid Configuration | Warning: Because SASL requires TLS, and TLS is not available, SASL/TLS cannot succeed. TCP Dialback is set to false, and cannot be used. |
| Required | Optional | True | SASL over TLS, TLS Dialback | |
| Required | Optional | False | SASL over TLS | |
| Optional | Optional | True | SASL over TLS, TLS Dialback, TCP Dialback | Warning: SASL requires TLS. Allowing TLS to be optional may result in failed session negotiations. |
| Optional | Optional | False | SASL over TLS | Warning: SASL requires TLS. Allowing TLS to be optional may result in failed session negotiations. |
| Not Supported | Optional | True | TCP Dialback | Warning: SASL requires TLS. Allowing TLS to be optional may result in failed session negotiations. |
| Not Supported | Optional | False | Warning: Not Valid Configuration | Warning: SASL requires TLS. Allowing TLS to be optional may result in failed session negotiations. |
| Required | Not Supported | True | TLS Dialback | Configuration allows for TLS Dialback. |
| Required | Not Supported | False | Not Valid Configuration | Warning: SASL or Dialback must be enabled. |
| Optional | Not Supported | True | TLS Dialback, TCP Dialback | Based on negotiation choices of the other end point, TCP or TLS Dialback will be accepted. |
| Optional | Not Supported | False | Not Valid Configuration | Warning: SASL or Dialback must be enabled. |
| Not Supported | Not Supported | True | TCP Dialback | TCP Dialback is the only negotiation method available |
| Not Supported | Not Supported | False | Not Valid Configuration | Warning: SASL or Dialback must be enabled. |
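
The complete matrix above can be reduced to three rules, which makes it practical to audit partner settings in bulk. The following Python sketch is an added example, not code from this topic or from the product: the rules are inferred from the rows of the complete matrix, and every function and constant name is hypothetical. It follows the complete matrix, so for Required / Optional / True it returns SASL over TLS and TLS Dialback, without the TCP Dialback entry that the common-configurations table lists for that row.

```python
# Added example: rules inferred from the complete matrix in this topic,
# not the product's implementation. All names here are hypothetical.
from itertools import product

REQUIRED, OPTIONAL, NOT_SUPPORTED = "Required", "Optional", "Not Supported"
SASL_TLS, TLS_DIALBACK, TCP_DIALBACK = "SASL over TLS", "TLS Dialback", "TCP Dialback"


def expected_methods(tls, sasl, dialback):
    """Return the negotiation methods the matrix lists for one setting triple."""
    methods = []
    # SASL is readable on the wire, so it is only offered when TLS is available.
    if tls != NOT_SUPPORTED and sasl != NOT_SUPPORTED:
        methods.append(SASL_TLS)
    if dialback:
        # Dialback does not operate when both TLS and SASL are required.
        if tls != NOT_SUPPORTED and not (tls == REQUIRED and sasl == REQUIRED):
            methods.append(TLS_DIALBACK)
        # Dialback over plain TCP is only listed when TLS is not mandatory.
        if tls != REQUIRED:
            methods.append(TCP_DIALBACK)
    return methods


def audit(tls, sasl, dialback):
    """Classify a partner configuration and list findings for review."""
    methods = expected_methods(tls, sasl, dialback)
    findings = []
    if not methods:
        findings.append("Not Valid Configuration: no negotiation method can succeed")
    if sasl != NOT_SUPPORTED and tls != REQUIRED:
        findings.append("SASL requires TLS; TLS is not required, negotiation may fail")
    if tls == REQUIRED and sasl == REQUIRED and dialback:
        findings.append("Dialback will not operate if both SASL and TLS are required")
    if TCP_DIALBACK in methods:
        findings.append("TCP Dialback is accepted (the least desirable method)")
    return {"valid": bool(methods), "methods": methods, "findings": findings}


def full_matrix():
    """Regenerate all 18 rows so they can be compared with the table."""
    levels = (REQUIRED, OPTIONAL, NOT_SUPPORTED)
    return {(t, s, d): audit(t, s, d) for t, s, d in product(levels, levels, (True, False))}


if __name__ == "__main__":
    for (t, s, d), row in full_matrix().items():
        print(t, s, d, row["methods"] or "NOT VALID", row["findings"], sep=" | ")
```

Running the script prints one line per combination; rows whose findings include the TCP Dialback entry are the ones to review first when a partner is expected to support TLS.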