Make it possible to enable/disable TLS compression
This commit is contained in:
parent
33f09c7a78
commit
a2ead99c83
@ -829,10 +829,10 @@ The available modules, their purpose and the options allowed by each one are:
|
|||||||
Options: \texttt{access}, \texttt{certfile}, \texttt{max\_fsm\_queue},
|
Options: \texttt{access}, \texttt{certfile}, \texttt{max\_fsm\_queue},
|
||||||
\texttt{max\_stanza\_size}, \texttt{shaper},
|
\texttt{max\_stanza\_size}, \texttt{shaper},
|
||||||
\texttt{starttls}, \texttt{starttls\_required}, \texttt{tls},
|
\texttt{starttls}, \texttt{starttls\_required}, \texttt{tls},
|
||||||
\texttt{zlib}
|
\texttt{zlib}, \texttt{tls\_compression}
|
||||||
\titem{\texttt{ejabberd\_s2s\_in}}
|
\titem{\texttt{ejabberd\_s2s\_in}}
|
||||||
Handles incoming s2s connections.\\
|
Handles incoming s2s connections.\\
|
||||||
Options: \texttt{max\_stanza\_size}, \texttt{shaper}
|
Options: \texttt{max\_stanza\_size}, \texttt{shaper}, \texttt{tls\_compression}
|
||||||
\titem{\texttt{ejabberd\_service}}
|
\titem{\texttt{ejabberd\_service}}
|
||||||
Interacts with an \footahref{http://www.ejabberd.im/tutorials-transports}{external component}
|
Interacts with an \footahref{http://www.ejabberd.im/tutorials-transports}{external component}
|
||||||
(as defined in the Jabber Component Protocol (\xepref{0114}).\\
|
(as defined in the Jabber Component Protocol (\xepref{0114}).\\
|
||||||
@ -845,7 +845,7 @@ The available modules, their purpose and the options allowed by each one are:
|
|||||||
\titem{\texttt{ejabberd\_http}}
|
\titem{\texttt{ejabberd\_http}}
|
||||||
Handles incoming HTTP connections.\\
|
Handles incoming HTTP connections.\\
|
||||||
Options: \texttt{captcha}, \texttt{certfile}, \texttt{default\_host}, \texttt{http\_bind}, \texttt{http\_poll},
|
Options: \texttt{captcha}, \texttt{certfile}, \texttt{default\_host}, \texttt{http\_bind}, \texttt{http\_poll},
|
||||||
\texttt{request\_handlers}, \texttt{tls}, \texttt{trusted\_proxies}, \texttt{web\_admin}\\
|
\texttt{request\_handlers}, \texttt{tls}, \texttt{tls\_compression}, \texttt{trusted\_proxies}, \texttt{web\_admin}\\
|
||||||
\end{description}
|
\end{description}
|
||||||
|
|
||||||
|
|
||||||
@ -975,6 +975,8 @@ This is a detailed description of each option allowed by the listening modules:
|
|||||||
which can be enabled in \ejabberd{} with the option \term{starttls}.
|
which can be enabled in \ejabberd{} with the option \term{starttls}.
|
||||||
If this option is set, you should also set the \option{certfile} option.
|
If this option is set, you should also set the \option{certfile} option.
|
||||||
The option \term{tls} can also be used in \term{ejabberd\_http} to support HTTPS.
|
The option \term{tls} can also be used in \term{ejabberd\_http} to support HTTPS.
|
||||||
|
\titem{\{tls\_compression, true|false\}}
|
||||||
|
Whether to enable or disable TLS compression. The default value is \term{true}.
|
||||||
\titem{\{trusted\_proxies, all | [IpString]\}} \ind{options!trusted\_proxies}
|
\titem{\{trusted\_proxies, all | [IpString]\}} \ind{options!trusted\_proxies}
|
||||||
Specify what proxies are trusted when an HTTP request contains the header \term{X-Forwarded-For}
|
Specify what proxies are trusted when an HTTP request contains the header \term{X-Forwarded-For}
|
||||||
You can specify \term{all} to allow all proxies, or specify a list of IPs in string format.
|
You can specify \term{all} to allow all proxies, or specify a list of IPs in string format.
|
||||||
@ -1019,6 +1021,9 @@ There are some additional global options that can be specified in the ejabberd c
|
|||||||
\titem{\{s2s\_max\_retry\_delay, Seconds\}} \ind{options!s2s\_max\_retry\_delay}
|
\titem{\{s2s\_max\_retry\_delay, Seconds\}} \ind{options!s2s\_max\_retry\_delay}
|
||||||
The maximum allowed delay for retry to connect after a failed connection attempt.
|
The maximum allowed delay for retry to connect after a failed connection attempt.
|
||||||
Specified in seconds. The default value is 300 seconds (5 minutes).
|
Specified in seconds. The default value is 300 seconds (5 minutes).
|
||||||
|
\titem{\{s2s\_tls\_compression, true|false\}}
|
||||||
|
Whether to enable or disable TLS compression for s2s connections.
|
||||||
|
The default value is \term{true}.
|
||||||
\titem{\{max\_fsm\_queue, Size\}}
|
\titem{\{max\_fsm\_queue, Size\}}
|
||||||
This option specifies the maximum number of elements in the queue of the FSM
|
This option specifies the maximum number of elements in the queue of the FSM
|
||||||
(Finite State Machine).
|
(Finite State Machine).
|
||||||
|
@ -244,7 +244,11 @@ init([{SockMod, Socket}, Opts]) ->
|
|||||||
(_) -> false
|
(_) -> false
|
||||||
end,
|
end,
|
||||||
Opts),
|
Opts),
|
||||||
TLSOpts = [verify_none | TLSOpts1],
|
TLSOpts2 = case proplists:get_bool(tls_compression, Opts) of
|
||||||
|
false -> [compression_none | TLSOpts1];
|
||||||
|
true -> TLSOpts1
|
||||||
|
end,
|
||||||
|
TLSOpts = [verify_none | TLSOpts2],
|
||||||
IP = peerip(SockMod, Socket),
|
IP = peerip(SockMod, Socket),
|
||||||
%% Check if IP is blacklisted:
|
%% Check if IP is blacklisted:
|
||||||
case is_ip_blacklisted(IP) of
|
case is_ip_blacklisted(IP) of
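Review bot: The default this parser yields contradicts the documentation added in the same commit: `proplists:get_bool(tls_compression, Opts)` is `false` when the option is absent, so an unconfigured c2s listener gets `compression_none`, while the guide text states the default is `true`. One of the two must change, and since TLS compression is the mechanism behind the CRIME class of compression-ratio side channels, keeping the code's disabled-unless-asked behaviour and correcting the documentation to say `false` is the safer resolution. If enabled-by-default was really intended, say so explicitly with `proplists:get_value(tls_compression, Opts, true)` rather than relying on `get_bool`'s implicit `false`. The `init` function this hunk belongs to starts and ends outside the hunk.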
|
||||||
|
@ -96,7 +96,11 @@ init({SockMod, Socket}, Opts) ->
|
|||||||
(_) -> false
|
(_) -> false
|
||||||
end,
|
end,
|
||||||
Opts),
|
Opts),
|
||||||
TLSOpts = [verify_none | TLSOpts1],
|
TLSOpts2 = case proplists:get_bool(tls_compression, Opts) of
|
||||||
|
false -> [compression_none | TLSOpts1];
|
||||||
|
true -> TLSOpts1
|
||||||
|
end,
|
||||||
|
TLSOpts = [verify_none | TLSOpts2],
|
||||||
{SockMod1, Socket1} = if TLSEnabled ->
|
{SockMod1, Socket1} = if TLSEnabled ->
|
||||||
inet:setopts(Socket, [{recbuf, 8192}]),
|
inet:setopts(Socket, [{recbuf, 8192}]),
|
||||||
{ok, TLSSocket} = p1_tls:tcp_to_tls(Socket,
|
{ok, TLSSocket} = p1_tls:tcp_to_tls(Socket,
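Review bot: This is the HTTPS listener, where TLS compression is most clearly exploitable (attacker-influenced request bodies share a compressed stream with secrets such as cookies and HTTP auth headers), so the effective default here matters more than for the XMPP listeners; `proplists:get_bool` makes it `false`, which is the right choice, but the `tls_compression` documentation in this commit claims `true`. I would document the default as `false` and add to the `ejabberd_http` entry a sentence along the lines of "enabling TLS compression on an HTTPS listener exposes any secret carried in the HTTP stream to compression-ratio attacks". The same five-line option block now appears verbatim in three listeners; a small shared helper such as `tls_compression_opts(Opts, TLSOpts)` would keep the default and the `compression_none` atom in one place. `init` starts and ends outside the hunk.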
|
||||||
|
@ -171,12 +171,16 @@ init([{SockMod, Socket}, Opts]) ->
|
|||||||
required_trusted ->
|
required_trusted ->
|
||||||
{true, true, true}
|
{true, true, true}
|
||||||
end,
|
end,
|
||||||
TLSOpts = case ejabberd_config:get_local_option(
|
TLSOpts1 = case ejabberd_config:get_local_option(
|
||||||
s2s_certfile,
|
s2s_certfile,
|
||||||
fun iolist_to_binary/1) of
|
fun iolist_to_binary/1) of
|
||||||
undefined -> [];
|
undefined -> [];
|
||||||
CertFile -> [{certfile, CertFile}]
|
CertFile -> [{certfile, CertFile}]
|
||||||
end,
|
end,
|
||||||
|
TLSOpts = case proplists:get_bool(tls_compression, Opts) of
|
||||||
|
false -> [compression_none | TLSOpts1];
|
||||||
|
true -> TLSOpts1
|
||||||
|
end,
|
||||||
Timer = erlang:start_timer(?S2STIMEOUT, self(), []),
|
Timer = erlang:start_timer(?S2STIMEOUT, self(), []),
|
||||||
{ok, wait_for_stream,
|
{ok, wait_for_stream,
|
||||||
#state{socket = Socket, sockmod = SockMod,
|
#state{socket = Socket, sockmod = SockMod,
|
||||||
@ -319,7 +323,7 @@ wait_for_feature_request({xmlstreamelement, El},
|
|||||||
SockMod == gen_tcp ->
|
SockMod == gen_tcp ->
|
||||||
?DEBUG("starttls", []),
|
?DEBUG("starttls", []),
|
||||||
Socket = StateData#state.socket,
|
Socket = StateData#state.socket,
|
||||||
TLSOpts = case
|
TLSOpts1 = case
|
||||||
ejabberd_config:get_local_option(
|
ejabberd_config:get_local_option(
|
||||||
{domain_certfile, StateData#state.server},
|
{domain_certfile, StateData#state.server},
|
||||||
fun iolist_to_binary/1) of
|
fun iolist_to_binary/1) of
|
||||||
@ -328,6 +332,14 @@ wait_for_feature_request({xmlstreamelement, El},
|
|||||||
[{certfile, CertFile} | lists:keydelete(certfile, 1,
|
[{certfile, CertFile} | lists:keydelete(certfile, 1,
|
||||||
StateData#state.tls_options)]
|
StateData#state.tls_options)]
|
||||||
end,
|
end,
|
||||||
|
TLSOpts = case ejabberd_config:get_local_option(
|
||||||
|
{s2s_tls_compression, StateData#state.server},
|
||||||
|
fun(true) -> true;
|
||||||
|
(false) -> false
|
||||||
|
end, true) of
|
||||||
|
true -> lists:delete(compression_none, TLSOpts1);
|
||||||
|
false -> [compression_none | TLSOpts1]
|
||||||
|
end,
|
||||||
TLSSocket = (StateData#state.sockmod):starttls(Socket,
|
TLSSocket = (StateData#state.sockmod):starttls(Socket,
|
||||||
TLSOpts,
|
TLSOpts,
|
||||||
xml:element_to_binary(#xmlel{name
|
xml:element_to_binary(#xmlel{name
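Review bot: The `true` branch, `lists:delete(compression_none, TLSOpts1)`, throws away the `compression_none` that the listener's `tls_compression` option placed into the TLS options in `init` (assuming the state's `tls_options` is the `TLSOpts` computed there), and because the `s2s_tls_compression` lookup defaults to `true`, the per-listener option documented for `ejabberd_s2s_in` never has any effect: the global option alone decides, and an unset global option re-enables compression that the listener had turned off. If the listener option is meant to be honoured, derive the default from it instead of hard-coding `true`, e.g. `ListenerAllows = not lists:member(compression_none, TLSOpts1),` and pass `ListenerAllows` as the default argument to `get_local_option`, so that only an explicit global `true` removes `compression_none`. Otherwise remove `tls_compression` from the `ejabberd_s2s_in` documentation so administrators do not rely on it. `wait_for_feature_request` starts and ends outside the hunk.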
|
||||||
|
@ -183,13 +183,21 @@ init([From, Server, Type]) ->
|
|||||||
{true, true}
|
{true, true}
|
||||||
end,
|
end,
|
||||||
UseV10 = TLS,
|
UseV10 = TLS,
|
||||||
TLSOpts = case
|
TLSOpts1 = case
|
||||||
ejabberd_config:get_local_option(
|
ejabberd_config:get_local_option(
|
||||||
s2s_certfile, fun iolist_to_binary/1)
|
s2s_certfile, fun iolist_to_binary/1)
|
||||||
of
|
of
|
||||||
undefined -> [connect];
|
undefined -> [connect];
|
||||||
CertFile -> [{certfile, CertFile}, connect]
|
CertFile -> [{certfile, CertFile}, connect]
|
||||||
end,
|
end,
|
||||||
|
TLSOpts = case ejabberd_config:get_local_option(
|
||||||
|
{s2s_tls_compression, From},
|
||||||
|
fun(true) -> true;
|
||||||
|
(false) -> false
|
||||||
|
end, true) of
|
||||||
|
false -> [compression_none | TLSOpts1];
|
||||||
|
true -> TLSOpts1
|
||||||
|
end,
|
||||||
{New, Verify} = case Type of
|
{New, Verify} = case Type of
|
||||||
{new, Key} -> {Key, false};
|
{new, Key} -> {Key, false};
|
||||||
{verify, Pid, Key, SID} ->
|
{verify, Pid, Key, SID} ->
|
||||||