2011 Jabber Upgrade 1
Jabber upgrade scheduled for May 7, 2011
On May 7, 2011, during the File Server Outage, IT Services will be upgrading the software underlying the SFU Jabber/XMPP service: jabber.sfu.ca. The goal of the upgrade is to improve reliability of the service and resolve an issue with SSL certificate support on the server. If you use the jabber.sfu.ca server, in some cases the upgrade may require some simple configuration changes to your client software. See Changes below.
Why the upgrade is required
Users of the SFU Jabber server ( XMPP/jabber hostname: jabber.sfu.ca ) have likely noticed that the current server is not sending a correct SSL certificate chain, causing most clients to warn about an invalid certificate each time a person connects to the server. With some client software it is also impossible to suppress the warning, and other clients have ceased connecting to jabber.sfu.ca altogether.
This issue began when the SSL certificate for jabber.sfu.ca was renewed and we discovered that our existing (very old) jabber server software is not capable of sending 2048-bit certificate chains. All of our certificate vendors now require that certificates be based on 2048-bit keys.
Some Jabber/XMPP clients may not connect to jabber.sfu.ca after the upgrade. This is due in part to a lack of standardization in the implementation of the "old SSL method" on both clients and servers. If your Jabber client no longer connects to the jabber.sfu.ca server, a simple change to the account SSL configuration should restore connectivity.
Deprecated old settings
The old jabber.sfu.ca server was configured to use a non-standard, deprecated method of making a secure connection to the server. In particular, these settings were required by the jabber.sfu.ca server prior to the upgrade on May 7, 2011
- connection port: 5223
- Force "old-style" SSL method
The second item used various similar phrases that meant essentially the same thing: use an older SSL standard not supported in the official Jabber/XMPP specification. In the same area of the client software configuration, there may have also been a check-box with a phrase similar to "Ping old-style SSL port". If your client no longer works after the upgrade, use the suggested new settings below.
In general we suggest upgrading your settings even if your current client continues to work as the "old-style SSL" method is considered deprecated in the XMPP community and there is no guarantee that "old-style SSL" will be supported in future versions.
Suggested new settings after the upgrade on May 7, 2011
- Port: 5222 . This is the XMPP standard for non-encrypted and SSL/TLS connections and is the default in most clients
- SSL: Require SSL/TLS . While jabber.sfu.ca will accept non-encrypted connections, we do not recommend the use of the service without encryption: doing so will send your SFU Computing Account ID and password in the clear over the network. Use Require SSL/TLS (or a similarly-named setting in your client) unless you know of a good reason not to.
- "Old style SSL": Disable any reference to "old-style" SSL.