Last week, I refactored TLS code in Gajim to match the new architecture. Debugging XMPP over TLS on ports 5223 and 5222 was not difficult thanks to well-designed wrappers for Python's standard library SSL and PyOpenSSL (by dkirov, I believe). Now I'm focusing on securing HTTP connections, which can be non-persistent and more prone to errors. It is crucial to handle various TCP and SSL errors effectively.
Dealing with persistent connections is challenging because Connection Manager implementations can vary. The other end could be an HTTP server, a proxy, or a port-forwarding HTTP server. This requires a robust implementation of HTTP connections and separating HTTP from the XMPP stream.
I also fixed a bug discovered by Asterix - authentication to ejabberd hangs when it doesn't immediately follow the init response. You can find more information here. I believe this is an issue with ejabberd, as the traffic scenario aligns with the XEP and it works fine with Openfire. For now, I have disabled sending empty bodies until an authentication module is added. This may result in an inactivity timeout if the delay is too long. I will test with Tigase and Punjab once I install them.