Overview of Using TLS and Legacy SSL in Instant Messaging

Instant Messaging uses a startTLS extension to the Transport Layer Security (TLS) 1.0 protocol for client-to-server and server-to-server encrypted communications and for certificate-based authentication between servers. In addition, Instant Messaging supports a legacy implementation of the SSL protocol (version 3.0) for encrypted communications between Instant Messenger and the multiplexor. In the latter case, a certificate is used to validate the identity of the server to which the client connects, but certificates are not used for authentication.

Communication between multiplexor and server is over an unsecured transport. When you use TLS for client-to-server communication, the multiplexor simply passes the bytes from the client to the server and back and does not perform any encryption or decryption.

TLS is fully compatible with SSL and includes all necessary SSL functionality. TLS and SSL function as protocol layers beneath the application layers of XMPP and HTTP.

If you set up the multiplexor to only use legacy SSL, Instant Messenger will only connect to the multiplexor using SSL and will disregard any information returned from the server about TLS availability. However, if you choose to use legacy SSL with the multiplexor, all XMPP/HTTP Gateway instances should be configured to communicate directly with the server and not the multiplexor. The gateway does not support legacy SSL. Third-party clients that connect to the multiplexor over legacy SSL and then request a TLS connection are permitted to do so.

In addition, the multiplexor connects to the server over an unsecured transport. If you want to secure communications from end-to-end (client through multiplexor to server and back), use TLS instead of legacy SSL.

You must use Java 1.5 (minimum) in order to use TLS with the Instant Messaging server.

For information on TLS and StartTLS in XMPP, see “Use of TLS” in RFC 3920, Extensible Messaging and Presence Protocol: Core. For an overview of certificates, SSL, and TLS, see Introduction to Certificates and SSL in Sun Java System Application Server Enterprise Edition 8.2 Administration Guide. The procedures in this section assume you are using the Sun Java^TM System Application Server to generate certificates. If you are using another web container, you will need to refer to that web container's documentation for specific instructions on generating keystores and certificates.