mirror of
https://github.com/processone/ejabberd.git
synced 2024-11-22 16:20:52 +01:00
Add option to require encryption in S2S connections (EJAB-495)
This commit is contained in:
parent
54557cb867
commit
befb4fc7ea
@ -945,9 +945,10 @@ This is a detailed description of each option allowed by the listening modules:
|
||||
|
||||
There are some additional global options that can be specified in the ejabberd configuration file (outside \term{listen}):
|
||||
\begin{description}
|
||||
\titem{\{s2s\_use\_starttls, true|false\}}
|
||||
\ind{options!s2s\_use\_starttls}\ind{STARTTLS}This option defines whether to
|
||||
use STARTTLS for s2s connections.
|
||||
\titem{\{s2s\_use\_starttls, false|optional|required\}}
|
||||
\ind{options!s2s\_use\_starttls}\ind{STARTTLS}This option defines if
|
||||
s2s connections can optionally use STARTTLS encryption, or if it must be required.
|
||||
The default value is to not use STARTTLS: \term{false}.
|
||||
\titem{\{s2s\_certfile, Path\}} \ind{options!s2s\_certificate}Full path to a
|
||||
file containing a SSL certificate.
|
||||
\titem{\{domain\_certfile, Domain, Path\}} \ind{options!domain\_certfile}
|
||||
@ -1046,7 +1047,7 @@ However, the c2s and s2s connections to the domain \term{example.com} use the fi
|
||||
]}
|
||||
]
|
||||
}.
|
||||
{s2s_use_starttls, true}.
|
||||
{s2s_use_starttls, optional}.
|
||||
{s2s_certfile, "/etc/ejabberd/server.pem"}.
|
||||
{domain_certfile, "example.com", "/etc/ejabberd/example_com.pem"}.
|
||||
{outgoing_s2s_options, [ipv4, ipv6], 10000}.
|
||||
@ -1058,7 +1059,7 @@ In this example, the following configuration defines that:
|
||||
on port 5223 (SSL, IP 192.168.0.1 and fdca:8ab6:a243:75ef::1) and denied
|
||||
for the user called `\term{bad}'.
|
||||
\item s2s connections are listened for on port 5269 (all IPv4 addresses)
|
||||
with STARTTLS for secured traffic enabled.
|
||||
with STARTTLS for secured traffic required.
|
||||
Incoming and outgoing connections of remote XMPP servers are denied,
|
||||
only two servers can connect: "jabber.example.org" and "example.com".
|
||||
\item Port 5280 is serving the Web Admin and the HTTP Polling service
|
||||
@ -1139,7 +1140,7 @@ In this example, the following configuration defines that:
|
||||
{service_check_from, false}]}
|
||||
]
|
||||
}.
|
||||
{s2s_use_starttls, true}.
|
||||
{s2s_use_starttls, required}.
|
||||
{s2s_certfile, "/path/to/ssl.pem"}.
|
||||
{s2s_default_policy, deny}.
|
||||
{{s2s_host,"jabber.example.org"}, allow}.
|
||||
|
@ -180,10 +180,10 @@
|
||||
|
||||
%%
|
||||
%% s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.
|
||||
%% Allowed values are: true or false.
|
||||
%% Allowed values are: false optional required
|
||||
%% You must specify a certificate file.
|
||||
%%
|
||||
%%{s2s_use_starttls, true}.
|
||||
%%{s2s_use_starttls, optional}.
|
||||
|
||||
%%
|
||||
%% s2s_certfile: Specify a certificate file.
|
||||
|
@ -146,11 +146,13 @@ stop_connection(Pid, Timeout) ->
|
||||
init([From, Server, Type]) ->
|
||||
process_flag(trap_exit, true),
|
||||
?DEBUG("started: ~p", [{From, Server, Type}]),
|
||||
TLS = case ejabberd_config:get_local_option(s2s_use_starttls) of
|
||||
undefined ->
|
||||
false;
|
||||
UseStartTLS ->
|
||||
UseStartTLS
|
||||
{TLS, TLSRequired} = case ejabberd_config:get_local_option(s2s_use_starttls) of
|
||||
UseTls when (UseTls==undefined) or (UseTls==false) ->
|
||||
{false, false};
|
||||
UseTls when (UseTls==true) or (UseTls==optional) ->
|
||||
{true, false};
|
||||
required ->
|
||||
{true, true}
|
||||
end,
|
||||
UseV10 = TLS,
|
||||
TLSOpts = case ejabberd_config:get_local_option(s2s_certfile) of
|
||||
@ -169,6 +171,7 @@ init([From, Server, Type]) ->
|
||||
Timer = erlang:start_timer(?S2STIMEOUT, self(), []),
|
||||
{ok, open_socket, #state{use_v10 = UseV10,
|
||||
tls = TLS,
|
||||
tls_required = TLSRequired,
|
||||
tls_options = TLSOpts,
|
||||
queue = queue:new(),
|
||||
myname = From,
|
||||
@ -368,8 +371,8 @@ wait_for_validation({xmlstreamelement, El}, StateData) ->
|
||||
case is_verify_res(El) of
|
||||
{result, To, From, Id, Type} ->
|
||||
?DEBUG("recv result: ~p", [{From, To, Id, Type}]),
|
||||
case Type of
|
||||
"valid" ->
|
||||
case {Type, StateData#state.tls_enabled, StateData#state.tls_required} of
|
||||
{"valid", Enabled, Required} when (Enabled==true) or (Required==false) ->
|
||||
send_queue(StateData, StateData#state.queue),
|
||||
?INFO_MSG("Connection established: ~s -> ~s with TLS=~p",
|
||||
[StateData#state.myname, StateData#state.server, StateData#state.tls_enabled]),
|
||||
@ -378,6 +381,11 @@ wait_for_validation({xmlstreamelement, El}, StateData) ->
|
||||
StateData#state.server]),
|
||||
{next_state, stream_established,
|
||||
StateData#state{queue = queue:new()}};
|
||||
{"valid", Enabled, Required} when (Enabled==false) and (Required==true) ->
|
||||
%% TODO: bounce packets
|
||||
?INFO_MSG("Closing s2s connection: ~s -> ~s (TLS is required but unavailable)",
|
||||
[StateData#state.myname, StateData#state.server]),
|
||||
{stop, normal, StateData};
|
||||
_ ->
|
||||
%% TODO: bounce packets
|
||||
?INFO_MSG("Closing s2s connection: ~s -> ~s (invalid dialback key)",
|
||||
|
Loading…
Reference in New Issue
Block a user