25
1
mirror of https://github.com/processone/ejabberd.git synced 2024-11-24 16:23:40 +01:00

Make it possible to enable/disable TLS compression

This commit is contained in:
Evgeniy Khramtsov 2013-07-17 22:28:23 +10:00
parent 33f09c7a78
commit a2ead99c83
5 changed files with 41 additions and 8 deletions

View File

@ -829,10 +829,10 @@ The available modules, their purpose and the options allowed by each one are:
Options: \texttt{access}, \texttt{certfile}, \texttt{max\_fsm\_queue}, Options: \texttt{access}, \texttt{certfile}, \texttt{max\_fsm\_queue},
\texttt{max\_stanza\_size}, \texttt{shaper}, \texttt{max\_stanza\_size}, \texttt{shaper},
\texttt{starttls}, \texttt{starttls\_required}, \texttt{tls}, \texttt{starttls}, \texttt{starttls\_required}, \texttt{tls},
\texttt{zlib} \texttt{zlib}, \texttt{tls\_compression}
\titem{\texttt{ejabberd\_s2s\_in}} \titem{\texttt{ejabberd\_s2s\_in}}
Handles incoming s2s connections.\\ Handles incoming s2s connections.\\
Options: \texttt{max\_stanza\_size}, \texttt{shaper} Options: \texttt{max\_stanza\_size}, \texttt{shaper}, \texttt{tls\_compression}
\titem{\texttt{ejabberd\_service}} \titem{\texttt{ejabberd\_service}}
Interacts with an \footahref{http://www.ejabberd.im/tutorials-transports}{external component} Interacts with an \footahref{http://www.ejabberd.im/tutorials-transports}{external component}
(as defined in the Jabber Component Protocol (\xepref{0114}).\\ (as defined in the Jabber Component Protocol (\xepref{0114}).\\
@ -845,7 +845,7 @@ The available modules, their purpose and the options allowed by each one are:
\titem{\texttt{ejabberd\_http}} \titem{\texttt{ejabberd\_http}}
Handles incoming HTTP connections.\\ Handles incoming HTTP connections.\\
Options: \texttt{captcha}, \texttt{certfile}, \texttt{default\_host}, \texttt{http\_bind}, \texttt{http\_poll}, Options: \texttt{captcha}, \texttt{certfile}, \texttt{default\_host}, \texttt{http\_bind}, \texttt{http\_poll},
\texttt{request\_handlers}, \texttt{tls}, \texttt{trusted\_proxies}, \texttt{web\_admin}\\ \texttt{request\_handlers}, \texttt{tls}, \texttt{tls\_compression}, \texttt{trusted\_proxies}, \texttt{web\_admin}\\
\end{description} \end{description}
@ -975,6 +975,8 @@ This is a detailed description of each option allowed by the listening modules:
which can be enabled in \ejabberd{} with the option \term{starttls}. which can be enabled in \ejabberd{} with the option \term{starttls}.
If this option is set, you should also set the \option{certfile} option. If this option is set, you should also set the \option{certfile} option.
The option \term{tls} can also be used in \term{ejabberd\_http} to support HTTPS. The option \term{tls} can also be used in \term{ejabberd\_http} to support HTTPS.
\titem{\{tls\_compression, true|false\}}
Whether to enable or disable TLS compression. The default value is \term{true}.
\titem{\{trusted\_proxies, all | [IpString]\}} \ind{options!trusted\_proxies} \titem{\{trusted\_proxies, all | [IpString]\}} \ind{options!trusted\_proxies}
Specify what proxies are trusted when an HTTP request contains the header \term{X-Forwarded-For} Specify what proxies are trusted when an HTTP request contains the header \term{X-Forwarded-For}
You can specify \term{all} to allow all proxies, or specify a list of IPs in string format. You can specify \term{all} to allow all proxies, or specify a list of IPs in string format.
@ -1019,6 +1021,9 @@ There are some additional global options that can be specified in the ejabberd c
\titem{\{s2s\_max\_retry\_delay, Seconds\}} \ind{options!s2s\_max\_retry\_delay} \titem{\{s2s\_max\_retry\_delay, Seconds\}} \ind{options!s2s\_max\_retry\_delay}
The maximum allowed delay for retry to connect after a failed connection attempt. The maximum allowed delay for retry to connect after a failed connection attempt.
Specified in seconds. The default value is 300 seconds (5 minutes). Specified in seconds. The default value is 300 seconds (5 minutes).
\titem{\{s2s\_tls\_compression, true|false\}}
Whether to enable or disable TLS compression for s2s connections.
The default value is \term{true}.
\titem{\{max\_fsm\_queue, Size\}} \titem{\{max\_fsm\_queue, Size\}}
This option specifies the maximum number of elements in the queue of the FSM This option specifies the maximum number of elements in the queue of the FSM
(Finite State Machine). (Finite State Machine).

View File

@ -244,7 +244,11 @@ init([{SockMod, Socket}, Opts]) ->
(_) -> false (_) -> false
end, end,
Opts), Opts),
TLSOpts = [verify_none | TLSOpts1], TLSOpts2 = case proplists:get_bool(tls_compression, Opts) of
false -> [compression_none | TLSOpts1];
true -> TLSOpts1
end,
TLSOpts = [verify_none | TLSOpts2],
IP = peerip(SockMod, Socket), IP = peerip(SockMod, Socket),
%% Check if IP is blacklisted: %% Check if IP is blacklisted:
case is_ip_blacklisted(IP) of case is_ip_blacklisted(IP) of

View File

@ -96,7 +96,11 @@ init({SockMod, Socket}, Opts) ->
(_) -> false (_) -> false
end, end,
Opts), Opts),
TLSOpts = [verify_none | TLSOpts1], TLSOpts2 = case proplists:get_bool(tls_compression, Opts) of
false -> [compression_none | TLSOpts1];
true -> TLSOpts1
end,
TLSOpts = [verify_none | TLSOpts2],
{SockMod1, Socket1} = if TLSEnabled -> {SockMod1, Socket1} = if TLSEnabled ->
inet:setopts(Socket, [{recbuf, 8192}]), inet:setopts(Socket, [{recbuf, 8192}]),
{ok, TLSSocket} = p1_tls:tcp_to_tls(Socket, {ok, TLSSocket} = p1_tls:tcp_to_tls(Socket,

View File

@ -171,12 +171,16 @@ init([{SockMod, Socket}, Opts]) ->
required_trusted -> required_trusted ->
{true, true, true} {true, true, true}
end, end,
TLSOpts = case ejabberd_config:get_local_option( TLSOpts1 = case ejabberd_config:get_local_option(
s2s_certfile, s2s_certfile,
fun iolist_to_binary/1) of fun iolist_to_binary/1) of
undefined -> []; undefined -> [];
CertFile -> [{certfile, CertFile}] CertFile -> [{certfile, CertFile}]
end, end,
TLSOpts = case proplists:get_bool(tls_compression, Opts) of
false -> [compression_none | TLSOpts1];
true -> TLSOpts1
end,
Timer = erlang:start_timer(?S2STIMEOUT, self(), []), Timer = erlang:start_timer(?S2STIMEOUT, self(), []),
{ok, wait_for_stream, {ok, wait_for_stream,
#state{socket = Socket, sockmod = SockMod, #state{socket = Socket, sockmod = SockMod,
@ -319,7 +323,7 @@ wait_for_feature_request({xmlstreamelement, El},
SockMod == gen_tcp -> SockMod == gen_tcp ->
?DEBUG("starttls", []), ?DEBUG("starttls", []),
Socket = StateData#state.socket, Socket = StateData#state.socket,
TLSOpts = case TLSOpts1 = case
ejabberd_config:get_local_option( ejabberd_config:get_local_option(
{domain_certfile, StateData#state.server}, {domain_certfile, StateData#state.server},
fun iolist_to_binary/1) of fun iolist_to_binary/1) of
@ -328,6 +332,14 @@ wait_for_feature_request({xmlstreamelement, El},
[{certfile, CertFile} | lists:keydelete(certfile, 1, [{certfile, CertFile} | lists:keydelete(certfile, 1,
StateData#state.tls_options)] StateData#state.tls_options)]
end, end,
TLSOpts = case ejabberd_config:get_local_option(
{s2s_tls_compression, StateData#state.server},
fun(true) -> true;
(false) -> false
end, true) of
true -> lists:delete(compression_none, TLSOpts1);
false -> [compression_none | TLSOpts1]
end,
TLSSocket = (StateData#state.sockmod):starttls(Socket, TLSSocket = (StateData#state.sockmod):starttls(Socket,
TLSOpts, TLSOpts,
xml:element_to_binary(#xmlel{name xml:element_to_binary(#xmlel{name

View File

@ -183,13 +183,21 @@ init([From, Server, Type]) ->
{true, true} {true, true}
end, end,
UseV10 = TLS, UseV10 = TLS,
TLSOpts = case TLSOpts1 = case
ejabberd_config:get_local_option( ejabberd_config:get_local_option(
s2s_certfile, fun iolist_to_binary/1) s2s_certfile, fun iolist_to_binary/1)
of of
undefined -> [connect]; undefined -> [connect];
CertFile -> [{certfile, CertFile}, connect] CertFile -> [{certfile, CertFile}, connect]
end, end,
TLSOpts = case ejabberd_config:get_local_option(
{s2s_tls_compression, From},
fun(true) -> true;
(false) -> false
end, true) of
false -> [compression_none | TLSOpts1];
true -> TLSOpts1
end,
{New, Verify} = case Type of {New, Verify} = case Type of
{new, Key} -> {Key, false}; {new, Key} -> {Key, false};
{verify, Pid, Key, SID} -> {verify, Pid, Key, SID} ->