If set to 'true' (this is the default), new processes spawned by
ejabberd_listener will be attached to the corresponding supervisor.
No such processes will be attached to a supervisor otherwise.
Setting this to 'false' will improve performance of highly loaded
systems where new C2S/S2S processes are spawned very rapidly.
Generate an [info] message that logs whether an incoming s2s connection
is authenticated using the SASL EXTERNAL mechanism or via Server
Dialback. While at it, also mention whether TLS is enabled.
Handle "s2s_use_starttls: required_trusted" the same way for outgoing
s2s connections as for incoming connections. That is, check the remote
server's certificate (including the host name) and abort the connection
if verification fails.
Don't try to look up and close outgoing connections to a given server
when aborting incoming connections from that server due to certificate
verification errors. The ejabberd_s2s:find_connection/2 call actually
created one or more *new* connections if fewer than 'max_s2s_connections'
connections were found. Then, no more than one of those possibly new
connections was stopped by the ejabberd_s2s_out:stop_connection/1 call.
It's not really necessary to bother with outgoing connections at all,
here.
Prior to this commit, ejabberd handled certificate authentication for
incoming s2s connections like this:
1. Verify the certificate without checking the host name. On failure,
behave according to 's2s_use_starttls'. On success:
2. Offer SASL EXTERNAL.
3. If the remote server chooses SASL EXTERNAL, compare the authorization
identity against the certificate host name(s). On failure, abort the
connection unconditionally.
ejabberd now does this instead:
1. Verify the certificate and compare the certificate host name(s)
against the 'from' attribute of the stream header. On failure,
behave according to 's2s_use_starttls'. On success:
2. Offer SASL EXTERNAL.
3. If the remote server chooses SASL EXTERNAL, ignore the authorization
identity (if any) and consider the peer authenticated.
The old behavior was suggested by previous versions of XEP-0178, the new
behavior is suggested by the current version 1.1.
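The two flows described in this commit message (and the host-name check that the "required_trusted" commit above applies to outgoing connections as well), modelled as an added Python example. This is not ejabberd code. It assumes that certificate chain validation has already happened and is passed in as a boolean, that the certificate's names arrive as (kind, value) pairs with kind "xmppAddr" (id-on-xmppAddr subjectAltName) or "dNSName", and that "behave according to 's2s_use_starttls'" means: abort when the option is required_trusted, otherwise keep the stream open for Dialback only (an assumption about the option's semantics, not something the commit message states). The `legacy` flag reproduces the pre-commit ordering so the two can be compared on the same input.

```python
"""Model of the old and new incoming-s2s certificate flows.

Added example, not ejabberd code.  Assumptions (see lead-in):
  * chain validation already done, reported as stream.chain_ok,
  * cert names given as (kind, value) with kind "xmppAddr" or "dNSName",
  * required_trusted aborts on verification failure, other settings fall
    back to Dialback.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


def _norm(name: str) -> str:
    return name.strip().rstrip(".").lower()


def dns_name_matches(pattern: str, host: str) -> bool:
    """dNSName matching: exact, or a single '*' as the leftmost label only."""
    pattern, host = _norm(pattern), _norm(host)
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # ".example.org"
        head = host[:-len(suffix)] if host.endswith(suffix) else ""
        return head != "" and "." not in head      # exactly one extra label
    return False


def cert_matches_domain(cert_names, domain) -> bool:
    """True if any xmppAddr or dNSName in the certificate covers `domain`."""
    for kind, value in cert_names:
        if kind == "xmppAddr" and _norm(value) == _norm(domain):
            return True
        if kind == "dNSName" and dns_name_matches(value, domain):
            return True
    return False


@dataclass
class IncomingStream:
    from_domain: str                                   # 'from' of the stream header
    chain_ok: bool                                     # chain verification result
    cert_names: List[Tuple[str, str]] = field(default_factory=list)


def after_tls(stream, s2s_use_starttls, legacy=False) -> str:
    """Step 1: what to do once TLS is up, before SASL is offered.

    Returns "offer_external", "dialback_only" or "abort".
    legacy=True skips the host-name comparison (old behaviour).
    """
    verified = stream.chain_ok and (
        legacy or cert_matches_domain(stream.cert_names, stream.from_domain))
    if verified:
        return "offer_external"                        # step 2
    return "abort" if s2s_use_starttls == "required_trusted" else "dialback_only"


def sasl_external(stream, authzid, legacy=False) -> str:
    """Step 3: the peer chose SASL EXTERNAL.  Returns "authenticated" or "abort"."""
    if legacy:
        # Old behaviour: the authorization identity the *peer* supplied was
        # compared against the certificate; a mismatch aborted unconditionally.
        if authzid is not None and cert_matches_domain(stream.cert_names, authzid):
            return "authenticated"
        return "abort"
    # New behaviour (XEP-0178 v1.1): the certificate was already matched
    # against the stream 'from' in after_tls(); any authzid is ignored.
    return "authenticated"
```

The difference that matters is visible when the certificate is valid for one domain and the stream header claims another: the old flow still reaches SASL EXTERNAL and relies on whatever authorization identity the peer chooses to send, while the new flow decides on the mismatch before EXTERNAL is ever offered.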
Use dynamic Rebar configuration
Make iconv dependency optional
Disable transient_supervisors compile option
Add hipe compilation support
Only compile ibrowse and lhttpc when needed
Make it possible to generate an OTP application release
Add --enable-debug compile option
Add --enable-all compiler option
Add --enable-tools configure option
Add --with-erlang configure option.
Add --enable-erlang-version-check configure option.
Add lager support
Improve the test suite
Three changes were introduced:
1) ejabberd_s2s_in now uses p1_fsm instead of gen_fsm. And uses
the {max_queue, N} option to kill the process if its input
queue grows too much.
2) If an ejabberd_s2s_in process is overloaded and killed, the server
that originated that connection is not allowed to connect back
to us for X seconds (set to 60 seconds in the source)
3) The list of blocked hosts (both statically and dynamically by the above
method) is now also checked for hosts authenticating by
starttls+sasl. Previously it was only used during dialback.
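The three changes listed above, modelled together as an added Python example; this is not ejabberd code (ejabberd gets the bounded queue from p1_fsm's {max_queue, N} option and the block list from its own s2s code). Assumed here: the block list is keyed by the remote domain, the cool-down is the 60 seconds the commit message mentions, time is passed in explicitly so the expiry can be checked deterministically, and the queue limit is checked on every enqueue rather than by a separate process.

```python
"""Bounded inbound queue + temporary block list for incoming s2s.

Added example, not ejabberd code.  Assumptions: block list keyed by remote
domain, 60 s cool-down, caller supplies `now` (seconds) on every call.
"""
import collections

BLOCK_SECONDS = 60                         # value the commit message cites


class S2SInGuard:
    def __init__(self, max_queue, static_blocked=()):
        self.max_queue = max_queue
        self.static_blocked = {h.lower() for h in static_blocked}
        self.dynamic_blocked = {}          # host -> time the block expires
        self.queues = collections.defaultdict(collections.deque)

    def is_blocked(self, host, now):
        """One list, consulted by every authentication path (change 3)."""
        host = host.lower()
        if host in self.static_blocked:
            return True
        expires = self.dynamic_blocked.get(host)
        if expires is None:
            return False
        if now >= expires:
            del self.dynamic_blocked[host]  # block has lapsed
            return False
        return True

    def accept_connection(self, host, now, method):
        """method is "dialback" or "starttls_sasl"; both hit the same list."""
        if method not in ("dialback", "starttls_sasl"):
            raise ValueError("unknown s2s authentication method: %r" % method)
        return not self.is_blocked(host, now)

    def enqueue(self, host, stanza, now):
        """Queue a stanza for the handler serving `host` (changes 1 and 2).

        Returns "queued", or "killed" once the queue exceeds max_queue: the
        handler's queue is dropped and the originating host is blocked for
        BLOCK_SECONDS from `now`.
        """
        host = host.lower()
        q = self.queues[host]
        q.append(stanza)
        if len(q) > self.max_queue:
            del self.queues[host]
            self.dynamic_blocked[host] = now + BLOCK_SECONDS
            return "killed"
        return "queued"

    def dequeue(self, host):
        """Handler progress: pop the oldest stanza, or None if idle."""
        q = self.queues.get(host.lower())
        return q.popleft() if q else None
```

The point of change 3 is visible in `accept_connection`: a host that was blocked because it flooded a Dialback-authenticated stream is refused just the same when it comes back and offers STARTTLS+SASL, which is the path the old code did not check.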
* In ejabberd_s2s_out:wait_for_feature_request/2, the domain to use for
looking up domain_certfile options is #state.myname and not
#state.server
* If s2s_certfile is not specified, connect should still be part of the
tls options used by ejabberd_s2s_out
* Add #state.server to ejabberd_s2s_in processes and store the to
attribute in :wait_for_stream/2. Then use that server in
:wait_for_feature_request/2 to change the tls options like in
ejabberd_s2s_out.
Fixes EJAB-1086.
It was using the external server domain (LFrom) instead of the local domain (LTo).
This might have impact on mod_caps in s2s scenarios, needs further attention.
SVN Revision: 2583
get_info_s2s_connections(Type) returns a list of incoming (or outgoing)
S2S connections with information for each one including IP address,
port number, TLS options... (thanks to Juan Pablo Carlino)
SVN Revision: 2088
* src/msgs/uk.msg: Likewise
* src/mod_configure.erl: Updated translation strings (thanks to
Sergei Golovan)
* src/web/ejabberd_web_admin.erl: Likewise
* src/ejabberd_s2s_in.erl: Changed a path to PKIX includes (thanks
to Sergei Golovan)
SVN Revision: 525
and DNS name matching
* src/XmppAddr.asn1: Moved here from src/tls/XmppAddr.asn1
* src/tls/XmppAddr.asn1: Likewise
* src/Makefile.in: Updated
* src/tls/Makefile.in: Updated
SVN Revision: 435
* src/tls/tls.erl: Likewise
* src/ejabberd_s2s_in.erl: Support for STARTTLS+Dialback
* src/ejabberd_s2s_out.erl: Likewise
* src/ejabberd_receiver.erl: Added a few hacks ({active,once} mode
should be used instead of recv/3 call to avoid them)
* src/ejabberd_config.erl: Added s2s_use_starttls and s2s_certfile
options
* src/ejabberd.cfg.example: Likewise
SVN Revision: 426
(thanks to Leif Johansson)
* src/ejabberd_auth.erl: Added support for ldap_rootdn and
ldap_password options (thanks to Stefan de Konink)
* src/mod_vcard_ldap.erl: Likewise
* src/ejabberd_router.erl: Now possible to route packet via
function call instead of message sending
* src/ejabberd_sm.erl: Added function route/3, use it in route
table
* src/ejabberd_local.erl: Likewise
* src/ejabberd_s2s.erl: Likewise
* (all): Fixed spelling of word "authentication"
* src/*/Makefile.in: Replaced erlc with @ERLC@
SVN Revision: 285
* src/ejabberd_s2s_out.erl: Changed timeout processing
* src/msgs/ru.msg: Updated (thanks to Sergei Golovan)
* src/mod_muc/mod_muc.erl: Better i18n support, added support for
<registered/> field in iq:register replies (thanks to Sergei
Golovan)
* src/mod_register.erl: More i18n support (thanks to Sergei
Golovan)
SVN Revision: 181
* src/stringprep/: Added support for Unicode normalization form KC
* src/stringprep/: Added support for case conversion to multiple
characters
* src/cyrsasl_digest.erl: Temporarily removed "auth-int" QOP
SVN Revision: 144
* src/ejabberd_s2s_out.erl: Likewise
* src/ejabberd_c2s.erl: Added sending of empty <stream:features/>
element after opening of authenticated stream
SVN Revision: 135