I am developing a pubsub system on top of Node.js and Socket.io. I decided to implement Off-The-Record (OTR) encryption by default for all data transfers between clients and server(s). The question is: do I need to additionally connect classic certificates to be sure even OTR ask queries will be encrypted?
If it is a good idea to connect both OTR and SSL, which one must cover the other? I mean, do I need to encrypt traffic first with a cert and then send it between clients using OTR, securing it twice, or do I need to use OTR first and then just encrypt the whole traffic, with and possibly without OTR (like handshake requests and the like)?