25
1
mirror of https://github.com/processone/ejabberd.git synced 2024-10-31 15:21:38 +01:00
Commit Graph

104 Commits

Author SHA1 Message Date
Holger Weiss
15d184a909 Disable TLS compression for s2s by default
TLS compression is not recommended, and it's already disabled by default
for c2s connections and for ejabberd_http.
2016-04-11 22:50:11 +02:00
Mickael Remond
dfc29ea03c Switch to Fast XML module 2016-02-03 19:03:17 +01:00
Badlop
f448ff608a Update copyright to 2016 (#901) 2016-01-13 12:29:14 +01:00
Evgeniy Khramtsov
c7931b4a4f CVE-2016-1232: Add Dialback Key Generation and Validation support (XEP-0185) 2016-01-11 14:22:17 +03:00
Evgeniy Khramtsov
95265dd3ad Move JID related functions to jid.erl (#847) 2015-11-24 18:44:13 +03:00
Christophe Romain
341be9b682 Remove supervisor option, disable it for c2s and muc 2015-11-04 16:24:35 +01:00
Christophe Romain
6aeb9dcb38 cosmetic cleanup 2015-10-07 14:18:38 +02:00
Holger Weiss
fc0754c609 Add s2s_dhfile to list of known options 2015-06-20 00:14:54 +02:00
Holger Weiss
e608274243 Add s2s_dhfile option to configuration validator 2015-06-16 15:18:34 +02:00
Alexey Shchepin
2110b929bc Merge pull request #581 from weiss/dh-param-file
New options: dhfile and s2s_dhfile
2015-06-16 11:59:06 +03:00
Evgeniy Khramtsov
fb6267f38e Add config validation at startup 2015-06-01 15:38:27 +03:00
Holger Weiss
5585fb1ecf New options: dhfile and s2s_dhfile
Let admins specify a file that contains custom parameters for
Diffie-Hellman key exchange.
2015-05-26 21:06:04 +02:00
Christophe Romain
0c0947a241 Add compatibility macros for deprecated types (thanks to Alexey) 2015-02-23 09:58:00 +01:00
Badlop
5a35405cd5 Update copyright dates to 2015 (EJAB-1733) 2015-01-08 17:34:43 +01:00
Holger Weiss
38c016a041 Log auth method for incoming s2s connections
Generate an [info] message that logs whether an incoming s2s connection
is authenticated using the SASL EXTERNAL mechanism or via Server
Dialback.  While at it, also mention whether TLS is enabled.
2014-08-05 14:10:32 +02:00
Evgeny Khramtsov
c37aa1b46d Merge pull request #185 from weiss/verify-cert-for-s2s-out
Support certificate verification for outgoing s2s connections
2014-04-30 00:08:24 +04:00
Holger Weiss
49bdbf2895 Support certificate verification for outgoing s2s
Handle "s2s_use_starttls: required_trusted" the same way for outgoing
s2s connections as for incoming connections.  That is, check the remote
server's certificate (including the host name) and abort the connection
if verification fails.
2014-04-28 01:42:02 +02:00
Holger Weiss
1aa4ed3f35 Don't mess with s2s out when aborting s2s in
Don't try to look up and close outgoing connections to a given server
when aborting incoming connections from that server due to certificate
verification errors.  The ejabberd_s2s:find_connection/2 call actually
created one or more *new* connections if less than 'max_s2s_connections'
connections were found.  Then, no more than one of those possibly new
connections were stopped by the ejabberd_s2s_out:stop_connection/1 call.

It's not really necessary to bother with outgoing connections at all,
here.
2014-04-28 00:17:05 +02:00
Holger Weiss
eabca82765 Send stream trailer before closing s2s connection
When aborting an incoming s2s connection due to certificate verification
errors, send a stream trailer before closing the socket.
2014-04-27 00:28:42 +02:00
Holger Weiss
86e17c379c Verify host name before offering SASL EXTERNAL
Prior to this commit, ejabberd handled certificate authentication for
incoming s2s connections like this:

1. Verify the certificate without checking the host name.  On failure,
   behave according to 's2s_use_starttls'.  On success:
2. Offer SASL EXTERNAL.
3. If the remote server chooses SASL EXTERNAL, compare the authorization
   identity against the certificate host name(s).  On failure, abort the
   connection unconditionally.

ejabberd now does this instead:

1. Verify the certificate and compare the certificate host name(s)
   against the 'from' attribute of the stream header.  On failure,
   behave according to 's2s_use_starttls'.  On success:
2. Offer SASL EXTERNAL.
3. If the remote server chooses SASL EXTERNAL, ignore the authorization
   identity (if any) and consider the peer authenticated.

The old behavior was suggested by previous versions of XEP-0178, the new
behavior is suggested by the current version 1.1.
2014-04-23 11:45:17 +02:00
Holger Weiss
4bc8b6bc9f Fix extraction of host names from certificates 2014-04-22 22:12:04 +02:00
Alexey Shchepin
f93758a3cd Merge pull request #160 from runcom/protocol_options
Add option to specify openssl options
2014-04-15 19:01:21 +04:00
badlop
285c4c17cf Merge pull request #146 from jamielinux/master
Update FSF address
2014-04-11 13:35:46 +02:00
Antonio Murdaca
fbf71f86f3 Add option to specify openssl options 2014-04-08 18:46:52 +02:00
Badlop
633d47f784 Update copyright dates to 2014 (EJAB-1679) 2014-03-13 12:30:57 +01:00
Jamie Nguyen
8538997d61 Update FSF address 2014-02-22 10:27:40 +00:00
Holger Weiss
e82a79efd5 Add missing parenthesis 2014-02-21 23:33:13 +01:00
Alexey Shchepin
1dd94ac0d0 Support for OpenSSL ciphers list in ejabberd_c2s, ejabberd_s2s_in and ejabberd_s2s_out 2013-11-28 19:39:11 +02:00
Badlop
389a99b2db Fix bypass for tls-required (thanks to Zeha) 2013-09-26 16:41:57 +02:00
Evgeniy Khramtsov
91a74e3e27 Change configuration file format to YAML 2013-08-21 22:17:59 +10:00
Evgeniy Khramtsov
a2ead99c83 Make it possible to enable/disable TLS compression 2013-07-17 22:46:18 +10:00
Evgeniy Khramtsov
4dc80dddd4 Fix all calls to functions of p1_tls application 2013-06-20 18:40:44 +10:00
Evgeniy Khramtsov
4d8f770624 Switch to rebar build tool
Use dynamic Rebar configuration
Make iconv dependency optional
Disable transient_supervisors compile option
Add hipe compilation support
Only compile ibrowse and lhttpc when needed
Make it possible to generate an OTP application release
Add --enable-debug compile option
Add --enable-all compiler option
Add --enable-tools configure option
Add --with-erlang configure option.
Add --enable-erlang-version-check configure option.
Add lager support
Improve the test suite
2013-06-13 11:11:02 +02:00
Badlop
9deb294328 Accumulated patch to binarize and indent code 2013-03-14 10:33:02 +01:00
Alexey Shchepin
0ae400533c Update copyright dates 2013-01-24 16:25:13 +02:00
Alexey Shchepin
b1e2538488 Update copyright dates 2012-02-23 17:52:34 +02:00
Badlop
d3369c83e7 Add callback function print_state/1 for behavior p1_fsm 2011-12-08 12:50:40 +01:00
Badlop
48308042b6 Use the regexp frontend module (EJAB-921) 2011-12-08 12:40:04 +01:00
Pablo Polvorin
cf973f27bb Prevent overload of incomming s2s connections
Three changes were introduced:

1) ejabberd_s2s_in now uses p1_fsm instead of gen_fsm.  And uses
   the {max_queue, N} option to kill the process if its input
   queue grows too much.
2) If a ejabberd_s2s_in process is overload and killed, the server
   that originated that connection is not allowed to connect back
   to us for X seconds (set to 60seconds on the source)
3) The list of blocked (both statically and dynamically by the above
   method) host is now also checked for hosts authenticating by
   starttls+sasl. Previusly it was only used during dialback.
2011-12-02 15:30:20 -03:00
Pablo Polvorin
87df27109a Fix bug on s2s shaper when TLS is used
The shaper was not enabled if the remote server authenticates
using a certificate instead of dialback.
2011-12-01 13:16:21 -03:00
Christophe Romain
fd52f2cb7d update copyright up to 2011 2011-02-14 13:50:55 +01:00
Badlop
b9bbe19d4c Option to reject S2S connection if untrusted certificate (EJAB-464) 2010-12-11 02:29:53 +01:00
Badlop
faf422202f When TLS is required in s2s, add subelement to stream:features starttls 2010-12-11 02:29:50 +01:00
Andreas Köhler
e34eebb5ad Correct domain_certfile tlsopts modifications for s2s connections (EJAB-1086)
* In ejabberd_s2s_out:wait_for_feature_request/2, the domain to use for
  looking up domain_certfile options is #state.myname and not
  #state.server

* If s2s_certfile is not specified, connect should still be part of the
  tls options used by ejabberd_s2s_out

* Add #state.server to ejabberd_s2s_in processes and store the to
  attribute in :wait_for_stream/2. Then use that server in
  :wait_for_feature_request/2 to change the tls options like in
  ejabberd_s2s_out.

Fixes EJAB-1086.
2010-11-26 00:14:46 +01:00
Andreas Köhler
6eeb355a22 Use LFrom and LTo consistently in ejabberd_s2s_in:stream_established/2 (EJAB-1342) 2010-11-17 12:57:05 +01:00
Badlop
12e00c57f9 When using OTP R14, use public_key library instead of old ssl (EJAB-953) 2010-07-12 13:57:07 +02:00
Evgeniy Khramtsov
715cc5ea3b New configure option: --enable-nif 2010-07-01 20:54:01 +10:00
Evgeniy Khramtsov
58590cf08d full support for XEP-0115 v1.5 (EJAB-1223) (EJAB-1189) 2010-05-08 02:32:57 +10:00
Badlop
7b76fdcde7 Update year of ProcessOne copyright from 2009 to 2010 (EJAB-1159)
SVN Revision: 2891
2010-01-12 16:11:32 +00:00
Pablo Polvorin
9d8de17b4d Use the local (target) domain for firing the s2s_receive_packet hook.
It was using the external server domain (LFrom) instead of the local domain (LTo).  
This might have impact on mod_caps in s2s scenarios, needs further attention.

SVN Revision: 2583
2009-09-04 21:31:03 +00:00