To start the use of XTLS, the initiator sends an IQ-set containing a <start/> element qualified by the 'urn:xmpp:tmp:xtls' namespace (see Protocol Namespaces regarding issuance of one or more permanent namespaces).

(Note: This is the functional equivalent of the <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/> command for direct XML streams as specified in RFC 3920.)

If the responder supports XTLS and agrees to start the use of XTLS, it returns an IQ-result containing a <proceed/> element qualified by the 'urn:xmpp:tmp:xtls' namespace (see Protocol Namespaces regarding issuance of one or more permanent namespaces).

(Note: This is the functional equivalent of the <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/> command for direct XML streams as specified in RFC 3920.)

If the responder does not support XTLS, in accordance with core XMPP semantics it MUST return a <service-unavailable/> error.

If the responder supports XTLS but does not wish to proceed with the use of XTLS, it MUST return a <not-acceptable/> error.

It is possible that both parties will attempt to start the use of XTLS at the same time For example, the applications might automatically open an XTLS tunnel based on presence information., in which case one party might receive an XTLS start stanza from the other party after it has sent such an XTLS start stanza but before receiving a response. In this case, one of the initiation requests shall be considered to have higher priority than the other, and the party that receives the lower priority initiation request shall return a <conflict/> stanza error in response to the lower priority request. The higher priority request MUST be considered the request that is generated by the party whose JID is sorted before the other party when the JIDs of both parties are sorted using "i;octet" collation as specified in Section 9.3 of RFC 4790 RFC 4790: Internet Application Protocol Collation Registry <http://tools.ietf.org/html/rfc4790>..

In this example, juliet@capulet.com/balcony is sorted before romeo@montague.net/orchard and therefore her XTLS start stanza has a higher priority. Therefore she would return a conflict error to Romeo if they both send an XTLS start stanza at the same time.

C2C Authentication Using TLS (XEP-0250) XEP-0250: C2C Authentication Using TLS <https://xmpp.org/extensions/xep-0250.html>. defines an IQ stanza to determine which TLS method shall be used for client-to-client STARTTLS as described in End-to-End XML Streams (XEP-0246) XEP-0246: End-to-End XML Streams <https://xmpp.org/extensions/xep-0246.html>.. The initiator MAY exchange the XEP-0250 offers first, but MAY instead include the offers in the XTLS <start/> stanza to save a round trip. A client supporting XTLS and XEP-0250 MUST support offer exchange in the XTLS <start/> stanza.

If the responder supports XTLS, agrees to start the use of XTLS, and can verify the X.509 fingerprint, it returns an IQ-result containing a <proceed/> element with its offer.

If the initiator detects that a TLS handshake will fail based on the received offers (e.g. the peer only supports X.509 certificates and the client is unable to verify the certificate), the initiator MUST close the tunnel immediately (see Closing the XTLS Tunnel).

Before sending encrypted data, the parties MUST perform a TLS handshake to establish the the XTLS tunnel. The TLS library sends the handshake and all encrypted data in-band as Base64-encoded payload of a <data> element qualified by the 'urn:xmpp:tmp:xtls' namespace (see Protocol Namespaces regarding issuance of one or more permanent namespaces). (This is similar to how data is sent in-band using In-Band Bytestreams (XEP-0047) XEP-0047: In-Band Bytestreams <https://xmpp.org/extensions/xep-0047.html>., but in a dedicated namespace to work around the potential blockage of IBB exchanges by server administrators.) During the handshake, the responder (which functions as the TLS server) SHOULD send a CertificateRequest if X.509 certificates are used, since mutual authentication is desired. The first stanza MUST include a 'method' attribute defining the TLS method to be used. Possible values are 'x509', 'openpgp', and 'srp'. While this information is also included in the TLS handshake message itself, it can be useful for the recipient to know this before sending the data to the TLS library in use, e.g. when SRP is used the client might need to provide the password to the TLS library before decoding any data.

Note: It is possible that XTLS stanzas will not respect TLS message boundaries; therefore the number of IQ stanzas depends on the TLS implementation.

The responder then acknowledges the stanza and, if the stream contains the complete ClientHello message, it continues with the TLS handshake. Otherwise it will wait for more messages from the initiator.

After the TLS handshake has been completed, the parties exchange encrypted data over the tunnel. Because the routing information is already present in the IQ stanzas used by XTLS, it is OPTIONAL for the stanzas encapsulated in the XTLS stream to include routing information (i.e., the 'from' and 'to' attributes). In that case, the entity receiving the data MUST supply the 'from' and 'to' addresses of the IQ stanza that contains the encrypted data.

The sender's client would strip off the routing information.

This message is then encrypted and sent in one or more stanzas over the XTLS tunnel.

Either party can close the XTLS tunnel; this is done by sending an IQ-set containing an empty <close/> element qualified by the 'urn:xmpp:tmp:xtls' namespace (see Protocol Namespaces regarding issuance of one or more permanent namespaces). However, if the entities have a mutual presence subscription then it is RECOMMENDED for the entities to maintain the tunnel until one entity becomes unavailable. Keeping the XTLS tunnel open does not require significant resources and prevents the need for a new TLS handshake.

The other party then acknowledges that the tunnel is closed by sending an IQ-result containing an empty <closed/> element qualified by the 'urn:xmpp:tmp:xtls' namespace (see Protocol Namespaces regarding issuance of one or more permanent namespaces).

If the tunnel is unknown to the receiving party, it MUST return an <item-not-found/> error.

If an error is detected, the tunnel MUST be considered closed and invalid.

An implementation MUST at a minimum support the TLS_RSA_WITH_3DES_EDE_CBC_SHA and TLS_DH_RSA_WITH_AES_256_CBC_SHA ciphers. An implementation MAY support other ciphers as well.

As noted, XTLS can be used between XMPP clients, between an XMPP client and a remote XMPP service (i.e., a service with which a client does not have a direct XML stream), or between remote XMPP services. Therefore, a party to an XTLS tunnel will present either a client certificate or a server certificate as appropriate. Such certificates MUST be generated and validated in accordance with the certificate guidelines guidelines provided in rfc3920bis RFC 3920: Extensible Messaging and Presence Protocol (XMPP): Core <http://tools.ietf.org/html/draft-ietf-saintandre-rfc3920bis>..

A future version of this specification might provide additional guidelines regarding certificate validation in the context of client-to-client encryption.

The XTLS start stanzas and proceed stanzas are not encrypted or signed; the same is true of service discovery exchanges and entity capabilities data. Therefore it is possible for an attacker to intercept these stanzas and modify them (e.g., by spuriously returning a <service-unavailable/> error), thus convincing the initiator that the responder does not support XTLS and therefore denying the parties an opportunity to use XTLS.

A future version of this specification might address this problem.

Until this proposal is accepted for publication by the XSF, its associated namespace shall be "urn:xmpp:tmp:xtls". Upon publication as a XEP, the XMPP Registrar The XMPP Registrar maintains a list of reserved protocol namespaces as well as registries of parameters used in the context of XMPP extension protocols approved by the XMPP Standards Foundation. For further information, see <https://xmpp.org/registrar/>. shall issue an initial namespace in accordance with the process defined in Section 4 of XMPP Registrar Function (XEP-0053) XEP-0053: XMPP Registrar Function <https://xmpp.org/extensions/xep-0053.html>.. The namespace "urn:xmpp:xtls:0" is requested and is thought to be unique per the XMPP Registrar's requirements.