Add check box to force SSL globally/per account
The only way in the current XMPP spec to establish a secure connection with an XMPP server is StartTLS.
Unfortunately, there is no way for the server to enforce a policy of mandatory TLS connections: even if the server advertises that TLS is required, a MiTM sitting between client and server can easily alter that part of the exchange and strip the advertisement. So, secure connections in XMPP rely entirely on the client settings. A setting of 'try encryption, but fall back to cleartext' is not advisable, because it is easily thwarted by a MiTM.
Thunderbird removed this StartTLS setting for exactly this reason, after numerous cases of this attack came to light in the real world.
As far as I can tell from my tests, the setting in Gajim is exactly this: 'try starttls, fallback to cleartext'. This is particularly problematic because there is no way to configure Gajim to require encryption. The result is that it is currently impossible to ensure a secure XMPP connection in Gajim.
Proposed solution
(1) The default setting for XMPP starttls should be 'require encryption'. The authentication stanza should NOT be sent before TLS has been negotiated.
(2) If you must, add the option to totally disable XMPP connection encryption. At most, there should be two options: "encryption required" and "encryption disabled" -- again, because "try encryption" is so easily thwarted as to be effectively meaningless.
(1) should be globally enforced and on by default; (2) could be on a per-account basis, where at best you can go and disable TLS when a specific account is known to only be available in an insecure manner.
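The policy in (1) and (2), as an added illustration that is not Gajim's code: a client-side decision function over the server's stream features, showing that only the 'require' and 'disabled' settings give a predictable result when the `<starttls/>` advertisement is missing. The policy names and the sample stanzas are assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Hypothetical per-account policy values. "opportunistic" is the
# 'try encryption, fall back to cleartext' behaviour the report warns about.
REQUIRED, DISABLED, OPPORTUNISTIC = "required", "disabled", "opportunistic"

# Constructed sample <stream:features/> stanzas, not captured from a real server.
FEATURES_WITH_TLS = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms></stream:features>"
)
# The same stanza with the <starttls/> advertisement removed, which is what
# the client sees when a MiTM strips it from the stream.
FEATURES_STRIPPED = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms></stream:features>"
)


def parse_features(xml_text):
    """Return (starttls_offered, sasl_offered) for a <stream:features/> stanza."""
    root = ET.fromstring(xml_text)
    starttls = root.find("{%s}starttls" % TLS_NS) is not None
    sasl = root.find("{%s}mechanisms" % SASL_NS) is not None
    return starttls, sasl


def next_step(features_xml, policy, tls_active=False):
    """Decide what the client sends next: 'starttls', 'auth' or 'abort'."""
    # Only the client's own policy matters; a tampered stanza cannot relax it.
    starttls, sasl = parse_features(features_xml)
    if tls_active or policy == DISABLED:
        # TLS already negotiated, or the account explicitly opted out of it.
        return "auth" if sasl else "abort"
    if starttls:
        return "starttls"  # negotiate TLS before any authentication stanza
    # No <starttls/> on a cleartext stream: only the weak mode keeps going.
    if policy == OPPORTUNISTIC and sasl:
        return "auth"  # credentials would go out in cleartext
    return "abort"
```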