25
1
mirror of https://github.com/processone/ejabberd.git synced 2024-11-28 16:34:13 +01:00
Commit Graph

133 Commits

Author SHA1 Message Date
Evgeniy Khramtsov
2d43c07c62 Get rid of ejabberd receiver
ejabberd receivers were meant to serve connections from frontends
to backends. However, this approach was not popular and frontend
related code was removed in previous releases. Now, ejabberd receiver's
code was also removed, making the code shorter and cleaner. Also, in
stress tests ejabberd now handles load more robustly, without
c2s processes overload (even with disabled shapers).

ejabberd_socket.erl is renamed to xmpp_socket.erl: it's supposed to
be finally moved into stand-alone xmpp library.
2017-12-26 18:55:57 +03:00
Evgeniy Khramtsov
08ce16f7ca Change loglevel of TLS failures 2017-12-19 15:33:30 +03:00
Evgeniy Khramtsov
c72e0a6ca6 Log warnings for c2s/s2s certfile option 2017-11-03 08:32:34 +03:00
Evgeniy Khramtsov
5bb7a0b0db Don't let a receiver to crash if a controller is unavailable
Fixes #1796
2017-06-22 16:58:46 +03:00
Holger Weiss
5802062746 Cosmetic change: Fix indentation errors 2017-05-24 17:16:16 +02:00
Evgeniy Khramtsov
cc58ce6301 Introduce Certficate Manager
The major goal is to simplify certificate management in ejabberd.
Currently it requires some effort from a user to configure certficates,
especially in the situation where a lot of virtual domains are hosted.

The task is splitted in several sub-tasks:
* Implement basic certificate validator. The validator should check all
configured certificates for existence, validity, duration and so on. The
validator should not perform any actions in the case of errors except
logging an error message. This is actually implemented by this commit.
* All certificates should be configured inside a single section (something
like 'certfiles') where ejabberd should parse them, check the full-chain,
find the corresponding private keys and, if needed, resort chains and
split the certficates into separate files for easy to use by fast_tls.
* Options like 'domain_certfile', 'c2s_certfile' or 's2s_certfile' should
probably be deprecated, since the process of matching certificates with the
corresponding virtual hosts should be done automatically and these options
only introduce configuration errors without any meaningful purpose.
2017-05-12 16:27:09 +03:00
Evgeniy Khramtsov
8368a0850a Don't call gen_mod:get_opt() outside of modules 2017-05-08 14:34:35 +03:00
Evgeniy Khramtsov
01a2c9fe12 Add type specs for Module:opt_type/1 2017-05-08 12:59:28 +03:00
Evgeniy Khramtsov
fddd6110e0 Don't validate an option in gen_mod:get*opt() functions
The changes are very similar to those from previous commit:
* Now there is no need to pass validating function in
  gen_mod:get_opt() and gen_mod:get_module_opt() functions,
  because the modules' configuration keeps already validated values.
* New functions gen_mod:get_opt/2 and gen_mod:get_module_opt/3 are
  introduced.
* Functions gen_mod:get_opt/4 and get_module_opt/5 are deprecated.
  If the functions are still called, the "function" argument is
  simply ignored.
* Validating callback Mod:listen_opt_type/1 is introduced to validate
  listening options at startup.
2017-04-30 19:01:47 +03:00
Evgeniy Khramtsov
5774edfe79 Improve ejabberd_c2s:close() 2017-04-15 08:30:41 +03:00
Christophe Romain
b1acd1183f Rename aux.erl as misc.erl
Thanks Microsoft Windows to not support some filenames
2017-04-11 12:13:58 +02:00
Evgeniy Khramtsov
7bcbea2108 Deprecate jlib.erl in favor of aux.erl
Since the main goal of jlib.erl is lost, all auxiliary functions
are now moved to aux.erl, and the whole jlib.erl is now deprecated.
2017-03-30 14:17:13 +03:00
Evgeniy Khramtsov
dd11ed82d7 Report more TLS errors 2017-03-08 08:27:54 +03:00
Evgeniy Khramtsov
d0a185f2d9 Report some TLS errors 2017-03-07 18:46:02 +03:00
Evgeniy Khramtsov
7d68112265 Start/stop virtual hosts when reloading configuration file 2017-02-23 10:12:19 +03:00
Evgeniy Khramtsov
8b2d308498 Change routing API
Now 'From' and 'To' arguments must be omitted in functions
and structures related to routing.
The commit deprecates the following functions:
     ejabberd_router:route/3 in favor of ejabberd_router:route/1
     ejabberd_router:route_error/4 in favor of ejabberd_router:route_error/2
     ejabberd_local:route_iq/4 in favor of ejabberd_local:route_iq/2
     ejabberd_local:route_iq/5 in favor of ejabberd_local:route_iq/3
The format of {route, From, To, Packet} is changed in favor of {route, Packet}
2017-02-16 11:10:24 +03:00
Evgeniy Khramtsov
6fd89f5fe0 Attach IP metadata to every stanza received from stream 2017-02-14 17:09:25 +03:00
Evgeniy Khramtsov
d5d906184f Merge branch 'new_stream'
Conflicts:
	src/cyrsasl.erl
	src/ejabberd_c2s.erl
	src/ejabberd_cluster.erl
	src/ejabberd_frontend_socket.erl
	src/ejabberd_node_groups.erl
	src/ejabberd_router.erl
	src/mod_bosh.erl
	src/mod_ip_blacklist.erl
	src/mod_muc_mnesia.erl
	src/mod_offline.erl
	src/mod_proxy65_sm.erl
2017-01-20 19:35:46 +03:00
Evgeniy Khramtsov
31491ebe16 Fix some corner cases while re-reading RFC6120 2017-01-13 11:35:47 +03:00
Evgeniy Khramtsov
5cfe57ece5 Add 'supervisor' listening option
If set to 'true' (this is the default), new processes spawned by
ejabberd_listener will be attached to the corresponding supervisor.
No such processes will be attached to a supervisor otherwise.
Setting this to 'false' will improve performance of high loaded
systems where new C2S/S2S processes are spawned very rapidly.
2017-01-11 10:56:04 +03:00
Evgeniy Khramtsov
1e55e018e5 Adopt remaining code to support new hooks 2017-01-09 17:02:17 +03:00
Badlop
5fdd1c39fe Update copyright date automatically (#1442) 2017-01-02 21:42:06 +01:00
Evgeniy Khramtsov
e7fe4dc474 More refactoring on session management 2016-12-30 00:00:36 +03:00
Evgeniy Khramtsov
309bdfbe28 Add xmpp_stream_out behaviour and rewrite s2s/SM code 2016-12-28 09:47:11 +03:00
Evgeniy Khramtsov
58969fb854 Improve namespace handling 2016-09-24 14:17:21 +03:00
Evgeniy Khramtsov
53209b9ab1 Add tests for s2s code 2016-09-23 12:30:33 +03:00
Evgeniy Khramtsov
c29a48695d Rename #error{} record to #stanza_error{} 2016-09-08 17:08:48 +03:00
Evgeniy Khramtsov
522a186a38 Improve some type specs 2016-08-09 10:56:32 +03:00
Evgeniy Khramtsov
c409ed2f2c Rewrite S2S and ejabberd_service code to use XML generator 2016-07-27 10:45:08 +03:00
Holger Weiss
15d184a909 Disable TLS compression for s2s by default
TLS compression is not recommended, and it's already disabled by default
for c2s connections and for ejabberd_http.
2016-04-11 22:50:11 +02:00
Mickael Remond
dfc29ea03c Switch to Fast XML module 2016-02-03 19:03:17 +01:00
Badlop
f448ff608a Update copyright to 2016 (#901) 2016-01-13 12:29:14 +01:00
Evgeniy Khramtsov
c7931b4a4f CVE-2016-1232: Add Dialback Key Generation and Validation support (XEP-0185) 2016-01-11 14:22:17 +03:00
Evgeniy Khramtsov
95265dd3ad Move JID related functions to jid.erl (#847) 2015-11-24 18:44:13 +03:00
Christophe Romain
341be9b682 Remove supervisor option, disable it for c2s and muc 2015-11-04 16:24:35 +01:00
Christophe Romain
6aeb9dcb38 cosmetic cleanup 2015-10-07 14:18:38 +02:00
Holger Weiss
fc0754c609 Add s2s_dhfile to list of known options 2015-06-20 00:14:54 +02:00
Holger Weiss
e608274243 Add s2s_dhfile option to configuration validator 2015-06-16 15:18:34 +02:00
Alexey Shchepin
2110b929bc Merge pull request #581 from weiss/dh-param-file
New options: dhfile and s2s_dhfile
2015-06-16 11:59:06 +03:00
Evgeniy Khramtsov
fb6267f38e Add config validation at startup 2015-06-01 15:38:27 +03:00
Holger Weiss
5585fb1ecf New options: dhfile and s2s_dhfile
Let admins specify a file that contains custom parameters for
Diffie-Hellman key exchange.
2015-05-26 21:06:04 +02:00
Christophe Romain
0c0947a241 Add compatibility macros for deprecated types (thanks to Alexey) 2015-02-23 09:58:00 +01:00
Badlop
5a35405cd5 Update copyright dates to 2015 (EJAB-1733) 2015-01-08 17:34:43 +01:00
Holger Weiss
38c016a041 Log auth method for incoming s2s connections
Generate an [info] message that logs whether an incoming s2s connection
is authenticated using the SASL EXTERNAL mechanism or via Server
Dialback.  While at it, also mention whether TLS is enabled.
2014-08-05 14:10:32 +02:00
Evgeny Khramtsov
c37aa1b46d Merge pull request #185 from weiss/verify-cert-for-s2s-out
Support certificate verification for outgoing s2s connections
2014-04-30 00:08:24 +04:00
Holger Weiss
49bdbf2895 Support certificate verification for outgoing s2s
Handle "s2s_use_starttls: required_trusted" the same way for outgoing
s2s connections as for incoming connections.  That is, check the remote
server's certificate (including the host name) and abort the connection
if verification fails.
2014-04-28 01:42:02 +02:00
Holger Weiss
1aa4ed3f35 Don't mess with s2s out when aborting s2s in
Don't try to look up and close outgoing connections to a given server
when aborting incoming connections from that server due to certificate
verification errors.  The ejabberd_s2s:find_connection/2 call actually
created one or more *new* connections if less than 'max_s2s_connections'
connections were found.  Then, no more than one of those possibly new
connections were stopped by the ejabberd_s2s_out:stop_connection/1 call.

It's not really necessary to bother with outgoing connections at all,
here.
2014-04-28 00:17:05 +02:00
Holger Weiss
eabca82765 Send stream trailer before closing s2s connection
When aborting an incoming s2s connection due to certificate verification
errors, send a stream trailer before closing the socket.
2014-04-27 00:28:42 +02:00
Holger Weiss
86e17c379c Verify host name before offering SASL EXTERNAL
Prior to this commit, ejabberd handled certificate authentication for
incoming s2s connections like this:

1. Verify the certificate without checking the host name.  On failure,
   behave according to 's2s_use_starttls'.  On success:
2. Offer SASL EXTERNAL.
3. If the remote server chooses SASL EXTERNAL, compare the authorization
   identity against the certificate host name(s).  On failure, abort the
   connection unconditionally.

ejabberd now does this instead:

1. Verify the certificate and compare the certificate host name(s)
   against the 'from' attribute of the stream header.  On failure,
   behave according to 's2s_use_starttls'.  On success:
2. Offer SASL EXTERNAL.
3. If the remote server chooses SASL EXTERNAL, ignore the authorization
   identity (if any) and consider the peer authenticated.

The old behavior was suggested by previous versions of XEP-0178, the new
behavior is suggested by the current version 1.1.
2014-04-23 11:45:17 +02:00
Holger Weiss
4bc8b6bc9f Fix extraction of host names from certificates 2014-04-22 22:12:04 +02:00