Package: irssi-plugin-xmpp
Version: 0.52+git20140102-1
Severity: normal

For XMPP servers that do not offer TLS-wrapped-XMPP on port 5223, the
usual standard is to offer STARTTLS (enabling TLS at the start of the
XMPP exchange).

In fact, there was a strong consensus to ensure encrypted XMPP by many
contributors:

https://github.com/stpeter/manifesto

irssi's XMPP plugin should also default to requiring STARTTLS in case
TLS-wrapped-XMPP is not available.

This patch should require STARTTLS, according to the loudmouth
documentation.

Note that sslstrip tools for XMPP are freely available:

http://www.beneaththewaves.net/Software/XMPPPeek.html

This patch should defend against these sorts of changes.

--dkg

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.14-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages irssi-plugin-xmpp depends on:
ii  irssi            0.8.15-5+b1
ii  libc6            2.19-4
ii  libglib2.0-0     2.40.0-3
ii  libloudmouth1-0  1.4.3-12

irssi-plugin-xmpp recommends no packages.

irssi-plugin-xmpp suggests no packages.

-- debconf-show failed
--- a/src/core/xmpp-servers.c +++ b/src/core/xmpp-servers.c @@ -423,7 +423,7 @@ ssl = lm_ssl_new(NULL, lm_ssl_cb, user_data, NULL); lm_connection_set_ssl(lmconn, ssl); if (use_starttls) - lm_ssl_use_starttls(ssl, TRUE, FALSE); + lm_ssl_use_starttls(ssl, TRUE, TRUE); lm_ssl_unref(ssl); return TRUE; }
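
Review bot: The third argument to lm_ssl_use_starttls() is now hard-coded to TRUE inside the "if (use_starttls)" branch, with no comment on the changed line and no setting to relax it. Since this turns a silent fallback into a refused connection for servers that do not offer STARTTLS, please add a short comment stating that the flag makes STARTTLS mandatory and that this is deliberate, and mention the behaviour change in the changelog or user documentation. The requirement also only applies when use_starttls is true; the path taken when it is false is not visible in this hunk, so it is worth confirming that it cannot end up on an unencrypted connection.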