Support for STARTTLS and SASL in s2s Connections

Why Server-to-server Encryption?

As shown in the following figure, messages transmitted to and from other Jabber servers can be intercepted if client connections (c2s) or connections to other Jabber servers (s2s) are unencrypted. In this situation, it is fairly easy for a cracker or script-kiddie to intercept your users' conversations.

[Figure: encryption diagram comparing the different situations]

Encrypting both client-to-server (c2s) connections and server-to-server (s2s) connections, by contrast, never allows malicious people to read your users' conversations. As can be seen in the third figure, the spyholes are gone.

Available Security Methods

XMPP-Core provides encryption and authentication mechanisms:

  • TLS is used to secure the stream from tampering and eavesdropping.
  • SASL is used to authenticate a stream.

An XMPP-compliant server implementation MUST support both TLS and SASL for inter-domain communications. For historical reasons, a compliant implementation SHOULD also support Server Dialback.

Currently Supported by ejabberd

Since ejabberd 1.0.0, connections between servers can use STARTTLS encryption. Two authentication methods are available: Dialback and SASL.


  1. Update to ejabberd 1.0.0 or newer.
  2. Add these lines to ejabberd's configuration file:
    {s2s_use_starttls, true}. 
    {s2s_certfile, "/path/to/ssl.pem"}.
  3. Restart ejabberd.
  4. From now on, ejabberd will try to use encryption when connecting to another Jabber server. If the other server does not support encryption, ejabberd will fall back to an unencrypted connection.
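
Whether step 4 ends in an encrypted or an unencrypted link depends on what the peer advertises in its stream features, which are sent before any encryption starts. The Python code below is an added example, not part of ejabberd or of the original page: it parses a <stream:features/> element and reports whether STARTTLS and SASL mechanisms are offered. The function names, the two sample documents (constructed) and the direct connection to port 5269 without an SRV lookup are assumptions.

```python
import socket
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample: features a TLS-capable peer might send before encryption.
SAMPLE_TLS = (
    "<stream:features xmlns:stream='%s'>"
    "<starttls xmlns='%s'><required/></starttls>"
    "<mechanisms xmlns='%s'><mechanism>EXTERNAL</mechanism></mechanisms>"
    "</stream:features>" % (NS_STREAM, NS_TLS, NS_SASL))
# Constructed sample: a peer that advertises no STARTTLS at all.
SAMPLE_PLAIN = "<stream:features xmlns:stream='%s'></stream:features>" % NS_STREAM


def parse_features(xml_text):
    """Summarise what an s2s peer advertises in <stream:features/>."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}features" % NS_STREAM:
        raise ValueError("not a stream:features element")
    tls = root.find("{%s}starttls" % NS_TLS)
    required = tls is not None and tls.find("{%s}required" % NS_TLS) is not None
    mechs = [m.text.strip() for m in root.iter("{%s}mechanism" % NS_SASL) if m.text]
    return {"starttls": tls is not None, "tls_required": required, "sasl": mechs}


def expected_link(features):
    """Outcome per step 4 above: STARTTLS if offered, otherwise plaintext fallback."""
    return "starttls" if features["starttls"] else "plaintext"


def probe(domain, host=None, port=5269, timeout=10):
    """Open an s2s stream to a peer and parse the features it sends in cleartext."""
    header = ("<stream:stream xmlns='jabber:server' xmlns:stream='%s' to=%s "
              "version='1.0'>" % (NS_STREAM, quoteattr(domain)))
    end_tag, buf = b"</stream:features>", b""
    with socket.create_connection((host or domain, port), timeout=timeout) as sock:
        sock.sendall(header.encode())
        while end_tag not in buf:  # a pre-1.0 peer sends no features: times out
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("peer closed the stream before sending features")
            buf += chunk
    frag = buf[buf.index(b"<stream:features"):buf.index(end_tag) + len(end_tag)]
    # The 'stream' prefix is declared on the stream header; re-declare it here.
    return parse_features(frag.decode().replace(
        "<stream:features", "<stream:features xmlns:stream='%s'" % NS_STREAM, 1))
```

A peer for which expected_link() returns "plaintext" is one where the configuration above will carry s2s traffic unencrypted.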


The following table lists the results of compatibility testing between ejabberd and other Jabber server implementations. When public Jabber servers are available, they are included so that you can try it yourself. Feel free to add a comment to this page when you have tested against a server that is not yet tested.

Server                           | STARTTLS and Dialback | STARTTLS and SASL
Antepo OPN                       | not tested            | not tested
ejabberd                         | works                 | not tested
Jabber XCP                       | not tested            | not tested
jabberd14                        | works                 | unsupported (on the works)
jabberd2                         | works                 | unsupported
Wildfire                         | not tested            | not tested
Merak                            | not tested            | unsupported
Sun Java System Instant Messaging | not tested           | not tested
SoapBox Server                   | not tested            | not tested
TIMP.NET                         | not tested            | unsupported
OpenIM                           | unsupported           | not tested
psycMUVE                         | unsupported           | unsupported
WPJabber                         | unsupported           | unsupported
                                 | not tested            | unsupported

Verify if it Works

You can verify whether the encryption of server-to-server (s2s) connections is working correctly on your server by performing the following steps:

  1. Create a new file in the ejabberd source directory with the name checktls.erl and the content:
    %% Counts current s2s connections by type: plain, starttls or unknown.
    -module(checktls).
    -export([check/0]).

    check() ->
            check(mnesia:dirty_first(s2s), {0, {plain, 0, []}, {starttls, 0, []}, {unknown, 0, []}}).

    %% End of the s2s table: return the accumulated totals.
    check('$end_of_table', Res) ->
            Res;
    check(A, {Total, {plain, PN, PL}, {starttls, SN, SL}, {unknown, UN, UL}}) ->
            [C] = mnesia:dirty_read(s2s, A),
            {_From, To} = element(2, C),
            %% Classify by the number of processes linked to the connection process.
            {links, E} = erlang:process_info(element(3, C), links),
            Res = case length(E) of
                    1 -> {Total+1, {plain, PN+1, [To|PL]}, {starttls, SN, SL}, {unknown, UN, UL}};
                    2 -> {Total+1, {plain, PN, PL}, {starttls, SN+1, [To|SL]}, {unknown, UN, UL}};
                    _ -> {Total+1, {plain, PN, PL}, {starttls, SN, SL}, {unknown, UN+1, [To|UL]}}
            end,
            check(mnesia:dirty_next(s2s, A), Res).
  2. Recompile ejabberd and install.
  3. Open an Erlang console attached to the ejabberd node, or start ejabberd without -detached and similar options.
  4. Login to your server with any client, and discover STARTTLS-enabled Jabber servers.
  5. Finally, return to the Erlang console and check what servers are currently connected using each connection type:
    (ejabberd2@testing)1> checktls:check().

I get an error running checkstls

I get the following error running this function:

Error in process <0.542.0> on node 'ejabberd@morden' with exit value: {{case_clause,1},
   {erl_eval,do_apply,5}, {shell,exprs,6}, {shell,eval_loop,3}]}

** exited: {{case_clause,1},
             {shell,eval_loop,3}]} **

Is this due to having an incompatible version of ejabberd? I'm running version 1.1.1.

Small bug, try the new version

trejkaz wrote:

Is this due to having an incompatible version of ejabberd? I'm running version 1.1.1.

No, it means at least a server is not yet connected. Try the new version, it includes a new result 'unknown' for servers that are not yet known to be plain or starttls.
