25
1
mirror of https://github.com/processone/ejabberd.git synced 2024-11-24 16:23:40 +01:00

Add option to require encryption in S2S connections (EJAB-495)

This commit is contained in:
Badlop 2010-12-08 20:02:31 +01:00
parent b83dd9f954
commit eb884c80d0
3 changed files with 24 additions and 15 deletions

View File

@ -962,9 +962,10 @@ This is a detailed description of each option allowed by the listening modules:
There are some additional global options that can be specified in the ejabberd configuration file (outside \term{listen}): There are some additional global options that can be specified in the ejabberd configuration file (outside \term{listen}):
\begin{description} \begin{description}
\titem{\{s2s\_use\_starttls, true|false\}} \titem{\{s2s\_use\_starttls, false|optional|required\}}
\ind{options!s2s\_use\_starttls}\ind{STARTTLS}This option defines whether to \ind{options!s2s\_use\_starttls}\ind{STARTTLS}This option defines if
use STARTTLS for s2s connections. s2s connections can optionally use STARTTLS encryption, or if it must be required.
The default value is to not use STARTTLS: \term{false}.
\titem{\{s2s\_certfile, Path\}} \ind{options!s2s\_certificate}Full path to a \titem{\{s2s\_certfile, Path\}} \ind{options!s2s\_certificate}Full path to a
file containing a SSL certificate. file containing a SSL certificate.
\titem{\{domain\_certfile, Domain, Path\}} \ind{options!domain\_certfile} \titem{\{domain\_certfile, Domain, Path\}} \ind{options!domain\_certfile}
@ -1057,7 +1058,7 @@ However, the c2s and s2s connections to the domain \term{example.com} use the fi
]} ]}
] ]
}. }.
{s2s_use_starttls, true}. {s2s_use_starttls, optional}.
{s2s_certfile, "/etc/ejabberd/server.pem"}. {s2s_certfile, "/etc/ejabberd/server.pem"}.
{domain_certfile, "example.com", "/etc/ejabberd/example_com.pem"}. {domain_certfile, "example.com", "/etc/ejabberd/example_com.pem"}.
{outgoing_s2s_options, [ipv4, ipv6], 10000}. {outgoing_s2s_options, [ipv4, ipv6], 10000}.
@ -1069,7 +1070,7 @@ In this example, the following configuration defines that:
on port 5223 (SSL, IP 192.168.0.1 and fdca:8ab6:a243:75ef::1) and denied on port 5223 (SSL, IP 192.168.0.1 and fdca:8ab6:a243:75ef::1) and denied
for the user called `\term{bad}'. for the user called `\term{bad}'.
\item s2s connections are listened for on port 5269 (all IPv4 addresses) \item s2s connections are listened for on port 5269 (all IPv4 addresses)
with STARTTLS for secured traffic enabled. with STARTTLS for secured traffic required.
Incoming and outgoing connections of remote XMPP servers are denied, Incoming and outgoing connections of remote XMPP servers are denied,
only two servers can connect: "jabber.example.org" and "example.com". only two servers can connect: "jabber.example.org" and "example.com".
\item Port 5280 is serving the Web Admin and the HTTP Polling service \item Port 5280 is serving the Web Admin and the HTTP Polling service
@ -1150,7 +1151,7 @@ In this example, the following configuration defines that:
{service_check_from, false}]} {service_check_from, false}]}
] ]
}. }.
{s2s_use_starttls, true}. {s2s_use_starttls, required}.
{s2s_certfile, "/path/to/ssl.pem"}. {s2s_certfile, "/path/to/ssl.pem"}.
{s2s_default_policy, deny}. {s2s_default_policy, deny}.
{{s2s_host,"jabber.example.org"}, allow}. {{s2s_host,"jabber.example.org"}, allow}.

View File

@ -170,10 +170,10 @@
%% %%
%% s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections. %% s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.
%% Allowed values are: true or false. %% Allowed values are: false optional required
%% You must specify a certificate file. %% You must specify a certificate file.
%% %%
%%{s2s_use_starttls, true}. %%{s2s_use_starttls, optional}.
%% %%
%% s2s_certfile: Specify a certificate file. %% s2s_certfile: Specify a certificate file.

View File

@ -154,11 +154,13 @@ stop_connection(Pid) ->
init([From, Server, Type]) -> init([From, Server, Type]) ->
process_flag(trap_exit, true), process_flag(trap_exit, true),
?DEBUG("started: ~p", [{From, Server, Type}]), ?DEBUG("started: ~p", [{From, Server, Type}]),
TLS = case ejabberd_config:get_local_option(s2s_use_starttls) of {TLS, TLSRequired} = case ejabberd_config:get_local_option(s2s_use_starttls) of
undefined -> UseTls when (UseTls==undefined) or (UseTls==false) ->
false; {false, false};
UseStartTLS -> UseTls when (UseTls==true) or (UseTls==optional) ->
UseStartTLS {true, false};
required ->
{true, true}
end, end,
UseV10 = TLS, UseV10 = TLS,
TLSOpts = case ejabberd_config:get_local_option(s2s_certfile) of TLSOpts = case ejabberd_config:get_local_option(s2s_certfile) of
@ -177,6 +179,7 @@ init([From, Server, Type]) ->
Timer = erlang:start_timer(?S2STIMEOUT, self(), []), Timer = erlang:start_timer(?S2STIMEOUT, self(), []),
{ok, open_socket, #state{use_v10 = UseV10, {ok, open_socket, #state{use_v10 = UseV10,
tls = TLS, tls = TLS,
tls_required = TLSRequired,
tls_options = TLSOpts, tls_options = TLSOpts,
queue = queue:new(), queue = queue:new(),
myname = From, myname = From,
@ -351,8 +354,8 @@ wait_for_validation({xmlstreamelement, El}, StateData) ->
case is_verify_res(El) of case is_verify_res(El) of
{result, To, From, Id, Type} -> {result, To, From, Id, Type} ->
?DEBUG("recv result: ~p", [{From, To, Id, Type}]), ?DEBUG("recv result: ~p", [{From, To, Id, Type}]),
case Type of case {Type, StateData#state.tls_enabled, StateData#state.tls_required} of
"valid" -> {"valid", Enabled, Required} when (Enabled==true) or (Required==false) ->
send_queue(StateData, StateData#state.queue), send_queue(StateData, StateData#state.queue),
?INFO_MSG("Connection established: ~s -> ~s with TLS=~p", ?INFO_MSG("Connection established: ~s -> ~s with TLS=~p",
[StateData#state.myname, StateData#state.server, StateData#state.tls_enabled]), [StateData#state.myname, StateData#state.server, StateData#state.tls_enabled]),
@ -361,6 +364,11 @@ wait_for_validation({xmlstreamelement, El}, StateData) ->
StateData#state.server]), StateData#state.server]),
{next_state, stream_established, {next_state, stream_established,
StateData#state{queue = queue:new()}}; StateData#state{queue = queue:new()}};
{"valid", Enabled, Required} when (Enabled==false) and (Required==true) ->
%% TODO: bounce packets
?INFO_MSG("Closing s2s connection: ~s -> ~s (TLS is required but unavailable)",
[StateData#state.myname, StateData#state.server]),
{stop, normal, StateData};
_ -> _ ->
%% TODO: bounce packets %% TODO: bounce packets
?INFO_MSG("Closing s2s connection: ~s -> ~s (invalid dialback key)", ?INFO_MSG("Closing s2s connection: ~s -> ~s (invalid dialback key)",