Re: Stepping down
W dniu nie, 21.01.2018 o godzinie 15∶01 +0100, użytkownik Alexandre Jousset napisał: > Has anyone already shown interest to become the new maintainer? Nope. As you can see on GitHub, activity recently was close to none. > I don't know if I'm skilled enough but instead of letting it > die, I would like to become the maintainer if nobody with better > skills wants to :-) Judging by your contributions to jabberd2, I see no problem in passing the project to you. > BTW I was recently doing some load test and having thought > about solving the SPOF of the router process, [...] We already had a _lengthy_ discussion on list on my vision how to multiply the router: https://www.mail-archive.com/jabberd2@lists.xiaoka.com/msg01909.html Your work still lives in: https://github.com/jabberd2/jabberd2/tree/mesh But my latest approach was to ditch the router component in favor to message bus (using 0MQ). See discussion at https://gitter.im/jabberd2/jabberd2?at=56b8b4e9939ffd5d15f671e1 This is what https://github.com/jabberd2/jabberd2/commits/ashnazg branch implemented and jabberd3 code (which was born of ashnazg branch) was going for. > In any case I wish you the best for the future :-) Thanks. ☺
Re: Stepping down
W dniu nie, 21.01.2018 o godzinie 01∶34 +0100, użytkownik Matěj Cepl napisał: > On Sat, 2018-01-20 at 23:57 +0000, Tomasz Sterna wrote: > > - https://github.com/smokku/jabberd3 > > - https://github.com/smokku/traffx > > But both of these projects are already dead, aren't they? (You > seemed to indicate you are leaving XMPP world as such) I won't be developing these anymore, (in fact I wasn't for some time now), thus there is no reason for these to sit on my HDD. I opened the source so anyone could pick it up and make something usefull of these.
Stepping down
Hello. This e-mail is to make it official, that I am stepping down as a maintainer of jabberd2 project. Over the years my interests drifted away from Jabber/XMPP and in fact I wasn't contributing much to the project lately. I did my best to accept the submissions, but not much more. This situation does not benefit the project, nor me, so it is time to oficially step down. Directly related to this, I will be shutting down all my XMPP related services - including this mailing list, as the virtual machine hosting it is going away. It is financed up to end of February, so expect it to go down during March 2018. As a consolation, I am opening the source of other XMPP servers I've been working over the years. These are provided as-is at the current stage of development. Both are working and able to participate in XMPP Federation. - https://github.com/smokku/jabberd3 my work to modernize jabberd2 and merge some of jabberd14 code - https://github.com/smokku/traffx Node.js/node-xmpp based server to be deployed in The Cloud This was hell of a journey. Best regards to all I crossed paths with and best wishes. -- smoku @ http://abadcafe.pl/ @ http://xiaoka.com/
Re: WebSocket port?
W dniu sob, 23.12.2017 o godzinie 17∶05 -0500, użytkownik James Bellinger napisał: > I added to the c2s configuration, but as far as I can > tell, no new ports are open and nothing has changed. > > How do I specify a port etc. for wss:// ? jabberd2 autodetects HTTP on standard C2S port. It was mostly usefull to listen C2S on 80/443 to bypass firewalls and redirect real HTTP connections to real HTTP server. This mechanism allows now to autodetect WebSocket on standard C2S port. So you just use ws://example.com:5222/ and wss://example.com:5223/ As simple as that. Of course you can enable C2S listener on any non-standard port like 5280 etc. -- smoku @ http://abadcafe.pl/ @ http://xiaoka.com/
Re: disable TLS 1.0
W dniu czw, 20.07.2017 o godzinie 14∶48 +0300, użytkownik Alexander Velin napisał: > How does one configure available SSL protocols (not ciphers), in > particular, to disable TLS 1.0 and leave only 1.1 and 1.2 ? You need to compile with ./configure --enable-experimental flag. https://github.com/jabberd2/jabberd2/commit/ee0f2ce8b148f0476ee9c41c071873c79751c0d9#diff-a4bd824bd7667649eaaadceaf81d55efR661 -- /o__ (_<^' You're already carrying the sphere!
jabberd-2.6.1 release
It is time for next jabberd2 release. Get 2.6.1 release at GitHub: https://github.com/jabberd2/jabberd2/releases This is a security bugfix release. Make sure to read the NEWS before upgrade: https://github.com/jabberd2/jabberd2/blob/jabberd-2.6.1/NEWS This release fixes a bug allowing anyone to authenticate using SASL ANONYMOUS, even when sasl.anonymous c2s.xml option is not enabled. https://github.com/jabberd2/jabberd2/commits/jabberd-2.6.1 -- smoku @ http://abadcafe.pl/ @ http://xiaoka.com/
ANONYMOUS auth bug
Current 2.6.0 release has some kind of bug, that allows ANONYMOUS login even when sasl.anonymous is disabled in c2s.xml. Yesterday I noticed, that spammers are using this bug to send spam via my server, using ANONYMOUS logins. I am working on a fix. This mail is to serve as a warning. I've been able to workaround this bug by disabling "auto-create" in sm.xml, so the spammer can log in ANONYMOUS, but is not able to create SM session for not-existing account. Will keep you informed about a progress of the fix. -- smoku @ http://abadcafe.pl/ @ http://xiaoka.com/
jabberd-2.6.0 release
It is time for next jabberd2 release. Get 2.6.0 release at GitHub: https://github.com/jabberd2/jabberd2/releases This is a bugfix release. Make sure to read the NEWS before upgrade: https://github.com/jabberd2/jabberd2/blob/jabberd-2.6.0/NEWS Changes: * Better SASL error messages https://github.com/jabberd2/jabberd2/commits/jabberd-2.6.0 -- smoku @ http://abadcafe.pl/ @ http://xiaoka.com/
jabberd-2.6.0 release
It is time for next jabberd2 release. Get 2.6.0 release at GitHub: https://github.com/jabberd2/jabberd2/releases This is a bugfix release. Make sure to read the NEWS before upgrade: https://github.com/jabberd2/jabberd2/blob/jabberd-2.6.0/NEWS Changes: * Better SASL error messages https://github.com/jabberd2/jabberd2/commits/jabberd-2.6.0 -- smoku @ http://abadcafe.pl/ @ http://xiaoka.com/
New website look
Hello. I got bored with the look of http://jabberd2.org which was something looking like taken straight from the 80s ;-), so I took an attempt of making it more modern. Hope you like it. -- smoku @ http://abadcafe.pl/ @ http://xiaoka.com/ signature.asc Description: This is a digitally signed message part
jabberd-2.5.0 release
It is about time for next jabberd2 release. Get 2.5.0 release at GitHub: https://github.com/jabberd2/jabberd2/releases This is a bugfix release. Make sure to read the NEWS before upgrade: https://github.com/jabberd2/jabberd2/blob/jabberd-2.5.0/NEWS Changes: * Do not attempt to reload SM modules on SIGHUP * Cleanup config files example * Fixed memory leak in pgsql storage driver * Fixed two double-frees caused by dangling pointers * Fixed c2s logger initialization point https://github.com/jabberd2/jabberd2/commits/jabberd-2.5.0 -- /o__ Going to church does not make a person religious, nor does going to school (_<^' make a person educated, any more than going to a garage makes a person a car. signature.asc Description: This is a digitally signed message part
Re: Stale c2s connection leads to loosing messages without any notice
W dniu 28.09.2016, śro o godzinie 15∶15 +0200, użytkownik Deweloper napisał: > IMHO in step 2 server should notice an error sending message to Bob > (detect stale connection), change it's state to "offline" and store > the message for further delivery. By design how TCP works, it is possible to detect a broken connection only by writing to that connection. And one write is not enough, because it will succeed even on half- closed connections, as the bytes are passed to network buffers and sent over the wire successfully. > If that's impossible due to very long timeout, then the messages > should still be kept in storage unless client acknowledges their > receipt, Unfortunately, there is no such feature built into XMPP. If the message gets lost in transit, it is just gone. With no feedback. You need to do active, client side acking as in XEP-0184 [1]. And then it is the client responsibility to resend unacked messages. > Or, at least, Alice should get "undelivered message" errors in step 4 Also, no such feature in XMPP. The server has no way of knowing whether the message reached the destination, without active recipient's application level cooperation. > > Sadly, with the current approach the communication is simply > unreliable. Unfortunately, this is how it is. TCP does not guarantee delivery [2] and so does not XMPP binding to TCP. [1] http://xmpp.org/extensions/xep-0184.html [2] http://lkml.iu.edu/hypermail/linux/kernel/0106.1/1154.html -- /o__ "Zaphod grinned two manic grins, sauntered over to the bar (_<^' and bought most of it." signature.asc Description: This is a digitally signed message part
Re: stale connections, keepalive?
W dniu 29.08.2016, pon o godzinie 12∶41 -0400, użytkownik Greg Troxel napisał: > dropping idle connections from its NAT table without > > telling anyone, so later when mobile network closed a connection it > > silently dropped RST packets not knowing who to NAT them to. [...] > Are you saying that a cell provider tracks TCP state and when the > data connection is lost sends RST packets for open connections? I am blissfully oblivious to inner workings of wide area switching networks, but it sure looked like so when I was investigating the dangling connections issue. And a quick look at PDP_context[1] gives impression that it has specific knowledge of the established connections. [1] https://en.wikipedia.org/wiki/GPRS_core_network#PDP_context -- /o__ (_<^' All generalisations are dangerous, including this one. signature.asc Description: This is a digitally signed message part
Re: stale connections, keepalive?
W dniu 28.08.2016, nie o godzinie 22∶45 +0200, użytkownik Christof Meerwald napisał: > > I'm not sure [...] > > Are you sure? [...] -- /o__ (_<^' One good turn deserves another.
Re: stale connections, keepalive?
W dniu 27.08.2016, sob o godzinie 14∶55 -0400, użytkownik Greg Troxel napisał: > should jabberd2 force TCP keepalive on? I'm not sure whether it is possible. At least on Linux it is a system-wide setting and requires root to change. > should c2s (and s2s probably, but less likely to be an issue) close > client connections if it has not seen anything from the client in > some time period, like 8h? > is there any expectation in the protocol that clients should be > doing any application-level keep-alive? jabberd2 has support for application layer keepalives. See io.keepalive [1][2] options. Setting this up will flush single whitespace character over the wire when the connection dangs idle. This triggers the TCP layer connection validation. Having said that, I am running my server without both application layer and TCP keepalives turned on and see no issues with dangling connections. But.. I had them a lot, when my server was behind a buggy Cisco router doing NAT. It was dropping idle connections from its NAT table without telling anyone, so later when mobile network closed a connection it silently dropped RST packets not knowing who to NAT them to. This was causing a lot of dangling connections on my server. Maybe you should investigate your network before turning on keepalives as they cause unnecessary data transfer and battery usage on the mobile devices. [1] https://github.com/jabberd2/jabberd2/blob/master/etc/c2s.xml.dist.in#L335 [2] https://github.com/jabberd2/jabberd2/blob/master/etc/s2s.xml.dist.in#L228 -- /o__ Q: How many Zen masters does it take to screw in a light bulb? (_<^' A: None. The Universe spins the bulb, and the Zen master stays out signature.asc Description: This is a digitally signed message part
Re: Future of jabberd
W dniu 30.05.2016, pon o godzinie 20∶05 +0200, użytkownik Tomasz Sterna napisał: > I am still not fond of the synchronous nature of storage interface, > but changing this would require rewriting it from scratch. > Also having an asynchronous interface for immediate in nature > backends like file backend or BDB, would require arm twisting. Let's have it in the open: https://github.com/jabberd2/jabberd2/issues/120 -- smoku @ http://abadcafe.pl/ @ http://xiaoka.com/ signature.asc Description: This is a digitally signed message part
Re: Future of jabberd
W dniu 31.05.2016, wto o godzinie 16∶31 +, użytkownik Shawn Debnath napisał: > Re 1. Merging separate daemons to one. > I am not sure if merging them into one process is the best idea. It > sure is convenient, but isolation is a nice thing to have. Specially, > when you have unauthorized users hammering on C2S. Oh. I wasn't clear on that. You will have the option to choose which components you want to run in process, so if you wish you can keep the current setup of having one process for each component. Possibly on different machines. I just want the simple setup to have the option to run all components in one process. -- smoku @ http://abadcafe.pl/ @ http://xiaoka.com/ signature.asc Description: This is a digitally signed message part
Re: jabberd-2.4.0 release
W dniu 31.05.2016, wto o godzinie 00∶39 -0700, użytkownik li...@lazygranch.com napisał: > ./configure --with-extra-library-path /usr/local/lib --with-extra- > include-path /usr/local/include > yielded > > checking build system type... /usr/local/lib > configure: error: invalid value of canonical build Double-dash options format is: --long-option=value So, you need: ./configure --with-extra-library-path=/usr/local/lib --with-extra-include-path=/usr/local/include -- /o__ In case of injury notify your superior immediately. He'll kiss it and (_<^' make it better.
Re: Future of jabberd
W dniu 30.05.2016, pon o godzinie 10∶31 +0200, użytkownik Tomasz Sterna napisał: > 7. DBI interface to RDBM. Just one more question. Do you (ML) have a use case for having SM storage in SQL? Is it just for distributed SM only? Maybe it is not worth the effort and we should just drop it and embed something like LMDB [1] in? I do see value of having SQL backend for authreg, to integrate with existing userbase, but SM storage? Does it really need to be abstracted? [1] https://en.wikipedia.org/wiki/Lightning_Memory-Mapped_Database -- /o__ (_<^' The best cure for insomnia is to get a lot of sleep. -W.C. Fields signature.asc Description: This is a digitally signed message part
Re: Future of jabberd
W dniu 30.05.2016, pon o godzinie 12∶50 -0700, użytkownik li...@lazygranch.com napisał: > Do you really have to cache something in jabberd when the data can be > pulled from the sql database? Sure the data has changed. But if you > pull a fresh record each time, I don't see the issue. Unfortunately RDBMs are notorious to be a choking point. You just cannot fetch data over and over again and expect reasonable preformance. This is the reason for raise of memcached, redis etc. Also, see: https://metajack.wordpress.com/2008/08/26/choosing-an-xmpp-server/ -- /o__ (_<^' I must follow the people. Am I not their leader? -Benjamin Disraeli signature.asc Description: This is a digitally signed message part
Re: Future of jabberd
W dniu 30.05.2016, pon o godzinie 15∶40 +0200, użytkownik Matěj Cepl napisał: > https://metajack.wordpress.com/2008/08/26/choosing-an-xmpp-server/ > > by heart, don't you? When doing large changes in the > codebase, it would be probably prudent to take those > objections into considertaion, especially database > transaction “abuse”. :-) https://github.com/jabberd2/jabberd2/blob/master/etc/sm.xml.dist.in#L212 I am still not fond of the synchronous nature of storage interface, but changing this would require rewriting it from scratch. Also having an asynchronous interface for immediate in nature backends like file backend or BDB, would require arm twisting. But I do keep it in mind. -- /o__ "Zaphod grinned two manic grins, sauntered over to the bar (_<^' and bought most of it." signature.asc Description: This is a digitally signed message part
Re: Future of jabberd
W dniu 30.05.2016, pon o godzinie 10∶00 -0700, użytkownik li...@lazygranch.com napisał: > That is one of the beauties of programs written around standard tools > like sql. You can hook into the database and add features, or not. The issue with this approach is that SM component caches user data and has no way of knowing that data was changed directly in database backend. http://martinfowler.com/bliki/TwoHardThings.html -- smoku @ http://abadcafe.pl/ @ http://xiaoka.com/ signature.asc Description: This is a digitally signed message part
Future of jabberd
There are some things we already talked about on Gitter channel [1], but I would like to raise them on the ML for peer review. As you can see from late activity, jabberd2 project is far from dead. With the inclusion of new features like WebSocket support, C99 code compatibility, IPv6 improvements, modern TLS handling, SASL Anonymous, password hashing, CRAM-MD5 and more... it is not a stale codebase anymore. But it is far from modern too... There are some changes I would like to introduce in the near future and I would like to hear your thoughts about: 1. Merging separate daemons to one. Current design of jabberd2 with separate router, sm, c2s, s2s processes is designed to allow nice separation of concerns and distribution of processing. Separate processes are proved to be better approach than threads too. But most installations of jabberd are not distributed, with one instance of each component. Especially when c2s and sm got vhost support and are able to handle more than one domain. Also, modern OS architectures are tuned for event processing rather than multithreading, so event based architecture is better suited for them. Even jabberd2 process internally is event based on MIO. So, it makes sense to allow for running all component instances in one process, especially on amateur, low load servers. Merging processes will allow for having one main loop only, so maintaining bugfixes in it will be easier (main.c of all processes is a copy-paste, with all the bugs, so bugs are also multiplied). 2. Phasing out MIO. This is closely related to above. MIO used by jabberd2 does not have clerar main loop support, which is implemented separately in each component main.c and is hardly pluggable. Also, the way MIO is implemented (in .h file, with platform specific bits in .c) makes it a maintanance nightmare. I would really like to replace it with a modern, upstream maintained event library. The nicest one I know is libuv, which also gives us nice platform independence layer. I already have a working c2s port to libuv as a PoC. 3. Phasing out router. router component is the one binding all the others. In current design it is the single point of failure. Other components already support multiple instances, but router proved to be difficult to multiply. The most radical, yet compelling solution to this problem is getting rid of the router at all. There are many cooked solutions for local packet distribution, which Local Message Bus [2] looks like most promising solution. I would see either Mbus [3] or NN_BUS [4] taking role of router component. The added advantage of using a Message Bus is the ability to connect to the bus with alternative implementations to perform own actions. i.e. having the ability to use CLI tools to eavesdrop and send messages to the bus proved to be priceless when I implemented a PoC of the Bus in experimental jabberd branch. Bus also solves the problem of distribution - it is up to the deployment administrator whether one sets up local, one-machine only bus or a network distributed one. 4. Configuration interface. A the moment jabberd is configured with static XML files loaded at daemon startup. It is close to impossible to change the values in runtime, as random places of the process are using copies of values or direct pointers to values from config structure. This heavily impedes implementation of features such as XEP-0133 Service Administration or Web interface. >From my experience, the best handling of such requirements is to provide write-only/change-subscribe interface similar to GConf/dconf. This interface does not allow reading on-demand of random values, but allows only subscription to change and write-value + publish change. This approach forces programmer to write value-change handlers in application code, which allows changing the value by anyone at any moment. Do you know any standalone library that implements such approach, or do I need to implement custom solution in jabberd codebase? 5. JavaScript support. Let's face it - JavaScript is all the hype today :-) It also is a very good language for data processing. I think it would be a good solution for implementation of modern XEP logic in sm component. sm is implemented in C with all RFC required logic, and all XEPs are loadable modules to sm and these add JEP/XEP functionality. Having an option to implement XEP logic in JS instead of plain C, should speed up recent and experimental XEP adoption in jabberd. This gives concerns to jabberd2 as an embedded server though - current jabberd2 is perfectly able to work fine on low resource machines such as DD-WRT router. Introducing heavy JS JIT machine could change that. But with the raise of fast, embeddable JavaScript interpreters like Duktape [5] it should be non-issue. 6. Proper logging. jabberd2 has two logging facilities: log and debug_log, with log logging only most interesting events and debug_log all the rest. To aid debugging issues with your deployment you may enable
Re: jabberd-2.4.0 release
W dniu 28.05.2016, sob o godzinie 11∶48 -0700, użytkownik li...@lazygranch.com napisał: > Right. But what exactly do I update? Sorry... I am a Linux guy, not familiar with FreeBSD internals. But I am pretty sure, FreeBSD also has some kind of dynamic linker. Seek its documentation. > I don't understand this: > > remember to update /etc/ld.so.conf too > Common issue is to build jabberd2 against libraries in non-standard > path and then jabberd2 fails to run, because dynamic linker cannot > find > these libraries. > This is a reminder, to update dynamic linker configuration file. -- smoku @ http://abadcafe.pl/ @ http://xiaoka.com/ signature.asc Description: This is a digitally signed message part
Re: jabberd-2.4.0 release
W dniu 27.05.2016, pią o godzinie 23∶57 -0700, użytkownik li...@lazygranch.com napisał: > I don't understand this: > remember to update /etc/ld.so.conf too Common issue is to build jabberd2 against libraries in non-standard path and then jabberd2 fails to run, because dynamic linker cannot find these libraries. This is a reminder, to update dynamic linker configuration file. -- smoku @ http://abadcafe.pl/ @ http://xiaoka.com/ signature.asc Description: This is a digitally signed message part
Re: jabberd-2.4.0 release
W dniu 27.05.2016, pią o godzinie 19∶14 -0700, użytkownik li...@lazygranch.com napisał: > Do you have both expat and its headers installed? > Verify headers: > /usr/local/include > > So is this a flag or environment variable I need to set? Yes. $ ./configure --help [...] --with-extra-include-path use additional include paths --with-extra-library-path use additional library paths (remember to update /etc/ld.so.conf too) -- smoku @ http://abadcafe.pl/ @ http://xiaoka.com/ signature.asc Description: This is a digitally signed message part
Re: jabberd-2.4.0 release
W dniu 26.05.2016, czw o godzinie 19∶46 -0700, użytkownik li...@lazygranch.com napisał: > This is from my attempt to compile the tar.gz file after doing > autoreconf -i > ./configure > > I get > ./configure: 12735: Syntax error: word unexpected (expecting ")") Do not use the source labeled "Source code (tar.gz)" - this is plain git source dump, not ready for direct consumption. Use the source labeled jabberd-2.4.0.tar.xz or jabberd-2.4.0.tar.gz (the ones with .asc signatures). These are prepared, with ./configure script etc. generated. P.S. or install autoconf-archive package -- /o__ (_<^' As famous as the unknown soldier. signature.asc Description: This is a digitally signed message part
Re: Trying to unsubscribe
W dniu 24.05.2016, wto o godzinie 03∶24 +0100, użytkownik David Woodfall napisał: > I've tried 2 or 3 times to unsubscribe from this list. Each time I > get acknowledgement that I have done so, but I still receive mail. > The list owner address doesn't seem to exist too. > If a list admin reads this, please unsubscribe me. Should be fixed now. SELinux intervened... ;-) Thanks for the report. I just went through whole subscribe-confirm-unsubscribe-confirm process without issues. -- /o__ (_<^' A Fortran compiler is the hobgoblin of little minis.
Re: jabberd-2.4.0 release
W dniu 23.05.2016, pon o godzinie 15∶38 -0400, użytkownik Greg Troxel napisał: > Does this imply that it should be safe, aside from cautions in NEWS, > to update a machine running 2.3.x to 2.4.0? Yes. No breaking changes. > Often a minor version change indicates something more dramatic than > bugfixes, so I thought I would ask. I am attempting to follow http://semver.org/ so every release should bring up MINOR number, with PATCH reserved for fixing screw-ups in MINOR release. 2.4.0 fixes bugs in XMPP/XEP/daemons implementation, not in the release process itself. So, expect 2.5.0 to follow up, not 2.4.1. -- /o__ (_<^' Captain's Log, star date 21:34.5... signature.asc Description: This is a digitally signed message part
jabberd-2.4.0 release
Next jabberd2 release is available. Get 2.4.0 release at GitHub: https://github.com/jabberd2/jabberd2/releases This is a bugfix release. Make sure to read the NEWS before upgrade: https://github.com/jabberd2/jabberd2/blob/jabberd-2.4.0/NEWS Changes: * Check for C99 support in compiler * Count RIO bytes and check against max stanza size * Gracefully drop unhandled HTTP connections * wss:// (WebSocket over SSL) support in c2s * Allow BareJID S10N packets * Fallback to connecting S2S using local.ip when none of the origin.ip works * Removed explicit SQLite transactions * SQLite postconnect SQL support * SQLite DB setup script improvements * Many Coverity Scan and cppcheck detected issues fixed * Properly lowercase SASL mechanisms in c2s * Support out-of-source build https://github.com/jabberd2/jabberd2/commits/jabberd-2.4.0 -- smoku @ http://abadcafe.pl/ @ http://xiaoka.com/ signature.asc Description: This is a digitally signed message part
Re: online/offline with a pipe in SM
W dniu 12.05.2016, czw o godzinie 15∶52 +0200, użytkownik Igor Zarraga napisał: > For me it would be good to have a module of SM to make a pipe and > send online/offline events of sessions to another system (like > authreg_pipe). Perphaps it block sm sending these events and affect > to scalability of the system. This is a cool idea. Please create a feature request on: https://github.com/jabberd2/jabberd2/issues/new and I will see into this. -- smoku @ http://abadcafe.pl/ @ http://xiaoka.com/ signature.asc Description: This is a digitally signed message part
Re: self signed cert
W dniu 03.05.2016, wto o godzinie 16∶51 -0700, użytkownik li...@lazygranch.com napisał: > I know when I used a web hosting company to handle my email, I would > yearly have to blindly trust the new cert. And this exact behavior I'd like to erradicate. Most users do not bother to check whether they are blindly accepting right certificate, or the certificate provided by middle-man. -- smoku @ http://abadcafe.pl/ @ http://xiaoka.com/ signature.asc Description: This is a digitally signed message part
Re: self signed cert
W dniu 03.05.2016, wto o godzinie 02∶12 -0700, użytkownik li...@lazygranch.com napisał: > jabberd2 version(2.3.6) > I followed these instructions: > https://github.com/jabberd2/jabberd2/wiki/InstallGuide-OpenSSLConfigu > ration > [...] > SM : sx (ssl.c:405) secure channel not established, handshake in > progress > SM : sx (ssl.c:59) verify error:num=18:self signed > certificate:depth=0:/C=US/ST=state/L=city/O=none/OU=none > /CN=mydomain.org/emailAddress=webmas...@mydomain.org > I guess I could catch X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT (18) in SSL_CTX_set_verify callback and pass the cert through, but I'm ambivalent about it... We should really discourage use of self-signed certificates. On the other hand, it really speeds-up test deployments. Maybe have it as an opition, to enable if you really-really need to use self-signed certificates? What do you think? -- smoku @ http://abadcafe.pl/ @ http://xiaoka.com/ signature.asc Description: This is a digitally signed message part
Re: self signed cert
W dniu 03.05.2016, wto o godzinie 02∶12 -0700, użytkownik li...@lazygranch.com napisał: > How exactly do I specify the cachain for a self signed cert. You need to put your root CA used to sign the cert to the CA certs store specified in 'cachain' option. This is to encourage deployments to stop using self-signed certs, of questionable security, and instead get a real cert. You can get real, widely accepted certs for free. > I get openssl error 18 meaning it can't be verified. Setting > verify-mode='0' didn't help. verify-mode sets how should the server verify client provided certificates. 0 (SSL_VERIFY_NONE[1]) is the default. [1] https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_verify.html -- /o__ (_<^' I respect faith, but doubt is what gives you an education. signature.asc Description: This is a digitally signed message part
Re: Can't log in;starttls;freebsd 10.2 ; jabberd2 version(2.3.6)
W dniu 01.05.2016, nie o godzinie 18∶57 -0700, użytkownik li...@lazygranch.com napisał: > realm="MYDOMAIN>COM" > permfile="/usr/local/etc/jabberd/jabber.pem" > ciphers="TLSv1.2, TLSv1.0" This is incorrect. See: http://abadcafe.pl/post/136618589813/configure-jabberd-2-for-xmppnet-score-a > require-starttls='true' You require StartTLS, let's remember that. > register-enable='false' > password-change='false' This is incorrect. These values work by setting them or not setting them - the value itself is irrelevant. > C2S : sx (io.c:301) encoding 250 bytes for writing: version='1.0'?> > xmlns='jabber:client' from='MYDOMAIN.COM' version='1.0' > id='LONGRANDOM' xmlns:ack='http://www.xmpp.org/extensions/xep-0198.ht > ml#ns'>; > > C2S : sx (sasl.c:260) ssl not established yet but the app requires > it, not offering mechanisms Here's a first clue. Your server said, that it require ssl, and your connection is not ssl yet, so it wont offer any auth mechanisms. Regardless that auth was not offered yet, your client attempted authentication: > C2S : sx (io.c:255) decoded read data (176 bytes): id="_xmpp_auth1" > type="set"> xmlns="jabber:iq:auth">SOMEUSERPASSWOR > D > profanity No wonder server borked on it. > C2S : Mon May 2 01:08:12 2016 c2s.c:392 pre STARTTLS packet, > dropping It even gave you a plain text description what went wrong: > C2S : sx (error.c:79) prepared error: xmlns:stream='http://etherx.jabber.org/streams'>; > > > STARTTLS is required for this stream I suggest using a standard conformant XMPP client for your tests. It shall make your live much easier. :-) -- /o__ Q: What's a light-year? (_<^' A: One-third less calories than a regular year.
Re: Accepted presence subscription never signaled to the subscriber
W dniu 01.04.2016, pią o godzinie 15∶06 +0200, użytkownik Philipp Jacob napisał: > from='localhost' to='localhost'> > type='subscribed' to='gloox@localhost'/> > > sx (io.c:301) encoding 210 bytes for writing: sx (io.c:255) decoded read data (210 bytes): > to='localhost' from='localhost'> > type='subscribed' from='user1@localhost/testclient'/> > > (io.c:96) completed nad: https://github.com/jabberd2/jabberd2/issues/new -- /o__ A verbal contract isn't worth the paper it's written on. Include (_<^' me out. -Samuel Goldwyn signature.asc Description: This is a digitally signed message part
Re: Accepted presence subscription never signaled to the subscriber
W dniu 01.04.2016, pią o godzinie 11∶04 +0200, użytkownik Philipp Jacob napisał: > In the router's debug output I can see the incoming subscribed > presence stanza from the contact: > sx (io.c:255) decoded read data (323 bytes): to='localhost'> sc:sm='621b457a7181f454ca07bb4326e73e67096ed383' sc:c2s='10' > from='user1@localhost/testclient' type='subscribed' > to='gloox@localhost'/> I'm pretty sure the router routed it from 'c2s' to 'localhost' as requested. Take a look at sm debug log of 'localhost' to see what happened with that stanza there. According to RFC6121 3.1.5. server should: Replace from='user1@localhost/testclient' with from='user1@localhost'; Then push roster item to all user1 (interested) resources; And finally send presence to gloox. -- /o__ "I always avoid prophesying beforehand because it is much better (_<^' to prophesy after the event has already taken place. " - Winston
Re: jabberd-2.3.6 release
W dniu 29.02.2016, pon o godzinie 13∶14 +0300, użytkownik ungifte...@gmail.com napisał: > > Next jabberd2 release is available. > > Have to emerge autoconf-archive for new coloring feature Do you build from bare GitHub source? This macro should get included to the release archive which do not require any autotools packages installed for building. -- /o__ Q: How many Martians does it take to screw in a light bulb? (_<^' A: One and a half.
jabberd-2.3.6 release
Next jabberd2 release is available. Get 2.3.6 release at GitHub: https://github.com/jabberd2/jabberd2/releases This is a major bugfix release. The main change is that WebSocket connections are now fully working and stable. Also if you are using MUC, you want to upgrade as 2.3.5 direct presence bug prevented users from entering MUC rooms. Make sure to read the NEWS before upgrade: https://github.com/jabberd2/jabberd2/blob/jabberd-2.3.6/NEWS Changes: * Support WebSocket fragmented packets * Fixed delivering directed presence (to self) * Reset in-sess 'from' to FullJID on non-Presence packets https://github.com/jabberd2/jabberd2/commits/jabberd-2.3.6 -- /o__ (_<^' It's more than magnificent - it's mediocre. -Samuel Goldwyn signature.asc Description: This is a digitally signed message part
jabberd-2.3.5 release
Next jabberd2 release is available. Get 2.3.5 release at GitHub: https://github.com/jabberd2/jabberd2/releases This is a major bugfix release with a bit of new features. It fixes recently discovered issue wit secure generation of dialback keys. The user verification via email module should help with spam bots registrations. Make sure to read the NEWS before upgrade: https://github.com/jabberd2/jabberd2/blob/jabberd-2.3.5/NEWS Changes: * Module to verify users using e-mail * Reordered MIO backends priority * Skip non-existing blowfish i386 assembler code * Use CSPRNG for dialback keys * Allow presence probing own connections * Use OpenSSL functions for base64 en/decoding when available * Option to dump packet-filter matched packets to file For a full change log see: https://github.com/jabberd2/jabberd2/commits/jabberd-2.3.5 -- /o__ (_<^' It's ten o'clock; do you know where your processes are? signature.asc Description: This is a digitally signed message part
Re: missing presence packet
W dniu 04.12.2015, pią o godzinie 15∶05 -0500, użytkownik Stepan Salenikovich napisał: > So I'm looking for suggestions as to how this could be debuged... or > any tips as to where to look. Turn on debug logs -D on both c2s and sm and analyse what happens when A logs back on. -- /o__ (_<^' I'm a soldier, not a diplomat. I can only tell the truth. signature.asc Description: This is a digitally signed message part
Re: Configuration of SSL?
W dniu 20.11.2015, pią o godzinie 15∶25 +0100, użytkownik Matěj Cepl napisał: > On 2015-11-19, 22:58 GMT, Tomasz Sterna wrote: > > I have builds for recent Fedora versions on OBS [1], but > > I prefer to help with maintaining true Fedora/EPEL packages. Understandable. Could you please add "--enable-mio" as in [1], because as it is now, Fedora builds jabberd2 with select() backend, which gets laggy with thousands of connections. [1] https://build.opensuse.org/package/rdiff/home:smoku:jabberd/jabberd?linkrev=base=11 P.S. These are official Fedora SRPMs, updated to latest source only. I do not have a luxury to wait for Fedora to catch up after a release, or a bugfix, so I need to build my own packages. -- /o__ (_<^' We're overpaying him, but he's worth it. -Samuel Goldwyn signature.asc Description: This is a digitally signed message part
Re: Configuration of SSL?
W dniu 19.11.2015, czw o godzinie 20∶42 +0100, użytkownik Matěj Cepl napisał: > OK, then I doomed. :) Don't worry, I can live with a C mark > pretty well. I have builds for recent Fedora versions on OBS [1], but RHEL/Centos are missing on crucial dependencies, so I cannot build for these. [1] https://build.opensuse.org/project/repositories/home:smoku:jabberd -- /o__ "You're very sure of your facts, " he said at last, "I (_<^' couldn't trust the thinking of a man who takes the Universe signature.asc Description: This is a digitally signed message part
Re: Configuration of SSL?
W dniu 18.11.2015, śro o godzinie 11∶30 +0100, użytkownik Matěj Cepl napisał: > So, I would like to switch off RC4 which is really an obsolete > nosense. With Apache I can do it in its configuration, is it > possible to do it somehow for jabberd2? in c2s.xml in section set: ceplovi.cz to get A score. -- /o__ (_<^' Your education begins where what is called your education is over. signature.asc Description: This is a digitally signed message part
Re: XMPP SPAM
Dnia 2015-11-09, pon o godzinie 21:18 +0100, Simon Josefsson pisze: > how people handle this? My solution is: # firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=193.105.240.126 reject" -- /o__ Is truth not truth for all? (_<^' the Sky", stardate 5476.4. signature.asc Description: This is a digitally signed message part
Re: jabberd-2.3.4 release
Dnia 2015-10-30, pią o godzinie 15:45 +0300, ungifte...@gmail.com pisze: > 30.10.2015 12:17, Tomasz Sterna пишет: > > With this release jabberd2 joins HTTP realm with WebSocket client > > It need http-parser for websockets, but configure doesn't check it. It does check it, when you do: ./configure --enable-websocket The bug that http_parser.h gets included even when websocket is not enabled is already fixed: https://github.com/jabberd2/jabberd2/commit/b861b9c72adc732cbdfbac4eb8a4205126227f6b P.S. It's better to report bugs via GitHub, than the ML. https://github.com/jabberd2/jabberd2/issues/new -- /o__ (_<^' Whom the gods wish to destroy they first call promising.
Re: Message injection
Dnia 2015-09-01, wto o godzinie 09:23 -0600, Kyle Waters pisze: > I'm able to insert a message into the queue table and have it pop up > for a user the next time they log in. Is there a way to submit a > message and have it show up immediately for a logged in user with out > going through client authentication jabberd2 was never designed to allow messing with storage directly. storage module is opaque and you should not touch it bypassing the daemon. It's not that hard to connect the daemon over a client or component connection to inject a message. [1] [1] http://stackoverflow.com/questions/170503/commandline-jabber-client -- /o__ Talking about a piece of movie dialogue: Let's have some new (_<^' cliches. -Samuel Goldwyn
Re: testing jabberd2 TLS with openssl s_client
Dnia 2015-05-08, pią o godzinie 22:47 +0200, Guenther Kuenzel pisze: what i expect is a dump of the certificate chain, like it is with all other protocols which are supported by openssl s_client. any ideas? Misconfigured server? With my server it works just fine... 23:34 ~ $ openssl s_client -CApath /etc/ssl/certs -starttls xmpp -connect chrome.pl:5222 CONNECTED(0003) depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA [...] i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority [... and so on ...] -- /o__ Q: How do you stop an elephant from charging? (_^' A: Take away his credit cards. signature.asc Description: This is a digitally signed message part
jabberd-2.3.3 release
Next jabberd2 release is available. Get 2.3.3 release at GitHub: https://github.com/jabberd2/jabberd2/releases This is a bugfix release with a bit of new features added. Changes: - Support for RSA/DH/ECDH key agreement - bcrypt support for MySQL storage - C2S per session user data authreg auth API extensions for custom authreg backends - Option to provide a custom the openssl library path For a full change log see: https://github.com/jabberd2/jabberd2/commits/jabberd-2.3.3 -- /o__ Q: How many IBM CPU's does it take to do a logical right shift? (_^' A: 33. 1 to hold the bits and 32 to push the register.
Re: STARTTLS connection on jabberd2
Dnia 2015-02-26, czw o godzinie 12:00 +0100, Matěj Cepl pisze: https://bugzilla.redhat.com/show_bug.cgi?id=1179229. What do you think about my comment 3 and the attached patch? I have no idea. My knowledge of TLS is close to vague. -- /o__ Q: What do monsters eat? (_^' A: Things.
Re: XEP-0138 uncontrolled resource consumption ???
Dnia 2015-02-26, czw o godzinie 01:38 +0100, Matěj Cepl pisze: could anybody confirm that http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/ As you can see at https://github.com/jabberd2/jabberd2/blob/f6225f9cc5af93835285a0a788479978d271ee38/sx/io.c#L64 stanza_size_limit is enforced on unencrypted/uncompressed bare stanza data. So if the lower layer (sx compress plugin) feeds too much data, the connection is torn down. -- /o__ Q: How do you stop an elephant from charging? (_^' A: Take away his credit cards.
Re: STARTTLS connection on jabberd2
Dnia 2015-02-26, czw o godzinie 01:09 +0100, Matěj Cepl pisze: pemfile=/etc/pki/tls/certs/luther.ceplovi.cz-intermediate.crt .crt suggests that this is certificate only. You need a .pem with full chain of all certificates from the CA, to your certificate (if not present in global ca-certificates) and a private key, concatenated together in one file. -- /o__ Talking about a piece of movie dialogue: Let's have some new (_^' cliches. -Samuel Goldwyn
Re: Some users cannot connect after upgrade from 2.2.17 to 2.3.2
Dnia 2014-12-21, nie o godzinie 20:44 +0100, Eric Koldeweij pisze:
Sun Dec 21 14:00:38 2014 c2s.c:439 pre-session packet, bye
Sun Dec 21 14:00:38 2014 [notice] [20] packet sent before session
start, closing stream
IIRC this is a buggy behavior of libpurple based clients (ie. Pidgin),
which start the session, but do not wait for session establishment and
send more packets immediately after.
--
Tomasz Sterna :(){ :|:};:
Instant Messaging Consultant Open Source Developer
http://abadcafe.pl/ http://xiaoka.com/portfolio
signature.asc
Description: This is a digitally signed message part
Re: BOSH - XMPPoWS
Dnia 2014-09-12, pią o godzinie 09:29 +0200, Marek Červenka pisze: Does jabberd2 accept '=' in final digest-md5 response? IIRC there was a bug reported for this, and it was already fixed long time ago... solved it was not on the jabberd2 side Glad to hear that. :-)
Re: jabberd2 web presence
Dnia 2014-09-04, czw o godzinie 16:14 +0200, Marek Červenka pisze:
added to
https://github.com/jabberd2/jabberd2/wiki/WebPresence (addons)
Thanks.
I added a note about webstatus resource.
--
Tomasz Sterna :(){ :|:};:
Instant Messaging Consultant Open Source Developer
http://abadcafe.pl/ http://xiaoka.com/portfolio
signature.asc
Description: This is a digitally signed message part
Re: xhash and it's key
Dnia 2014-08-28, czw o godzinie 17:51 +, Shawn Debnath pisze: The problem is that it breaks scenarios where the user may use a temp buffer to build the key, then insert or put it in the xhash and then free the buffer memory. This is invalid use of xhash. Assumption here is that xhash code would allocate necessary buffer to store internal data and not rely on user supplied memory to maintain it=A9=F6s internal data structures. There is no such assumption. It's a gotcha waiting for every new jabberd2 dev. ;-) Any ideas if there was a particular reason this was designed this way? I imagine, in most of the cases the key is inside the object being stored so it works out. This is for efficiency reasons. Strings in jabberd are usually coming from incoming NADs (notice xhash_putx() taking the len of the key) or being allocated in memory pools associated with objects. It would be a waste of memory and CPU to make a copy each time an object gets stored in hash or removed from hash. Also, when these strings are part of the object they identify, memory management is as easy as freeing the object and it's associated memory pool (assuming it was already removed from all its references including xhashes). However, as you can see, the xhash implementation can¹t be fully exploited/used. The fact you are allocating object identifier strings on stack/heap is a sign of bad design. Could you rethink your design to include the identifier as a part of the object it names?
Re: jabberd2 web presence
Dnia 2014-08-28, czw o godzinie 21:24 +0200, Marek Červenka pisze: can you recommend plugin for web presence for jabberd2? something like http://www.jabbim.com/services-status-icon.html No need for a plugin. Built-in mod_status stores user presence in 'status' table. You just need to build a web frontend for this table.
Re: c2s per session user data authreg auth API extension
Dnia 2014-08-14, czw o godzinie 04:27 +, Shawn Debnath pisze: - Build a hash table of relevant data and store it in the authreg_t private data member. Agreed, that needed internal bookkeeping makes it not feasible. - Retrofit existing interfaces with the necessary data. a. Introduce void *sess_private in sess_t. It's not really sess_private, but authreg_private, right? int (*create_challenge)(authreg_t ar, sess_private *data, const char *username, const char *realm, const char *challenge, int maxlen); int (*check_response)(authreg_t ar, sess_private *data, const char *username, const char *realm, const char *resource, const char *challenge, const char *response); Pros: Maintain same methods but new parameters, faster approach. Cons: (BIG)breaks everyone out there. In some cases, other 3rd parties may want similar mechanism for plain text login as well and this approach wouldn't work for them. Agreed. I think we should extend all authreg calls with a pointer to session attached, authreg private data. In the simplest case it could be even set to point to sess_st, for the mechanizm to dig in session by itself. This is how it is done all around jabberd2. Also good point, that create_challenge misses realm parameter. If we go for it, we will just release 2.4.x line which hints API breakage. ;-) /* Extension for custom authentication providers */ int (*custom_auth_get)(authreg_t ar, authdata_t data); int (*custom_auth_set)(authreg_t ar, authdata_t data); I don't like this approach for two reasons. - custom_auth does not really mean anything. as it is now it is clean - either we have password verification, or challenge/response. - custom_auth is used in ar_mechs AR_MECH_TRAD_CRAMMD5, so it is not really custom, but CRAM-MD5, right? Let's just implement CRAM-MD5 properly, with all needed features, even if it means API changes. We're open source - we are not afraid to change things. :-) -- smk
Re: c2s per session user data authreg auth API extension
Dnia 2014-08-14, czw o godzinie 16:20 +, Shawn Debnath pisze:
I would change all the APIs and to pass in a pointer to the sess_t as
I also need it in check_passsword.
I would advise to include sess_t* in authreg_private then.
It's OK for authreg to dig around session data, but the API should be
flexible enough to give option to pass anything as authreg_private, not
only sess_t*.
--
Tomasz Sterna :(){ :|:};:
Instant Messaging Consultant Open Source Developer
http://abadcafe.pl/ http://xiaoka.com/portfolio
signature.asc
Description: This is a digitally signed message part
Re: c2s per session user data authreg auth API extension
Dnia 2014-08-14, czw o godzinie 23:45 +, Shawn Debnath pisze:
I have modified the
APIs to pass sess_t and then the implementation can choose to pack it
in their private authreg_private data if they so choose.
WFM :-)
--
Tomasz Sterna :(){ :|:};:
Instant Messaging Consultant Open Source Developer
http://abadcafe.pl/ http://xiaoka.com/portfolio
signature.asc
Description: This is a digitally signed message part
Re: Clustering support
Dnia 2014-08-04, pon o godzinie 17:44 +0530, Kumar Deepak pisze: Are you suggesting, I shall run single instance of Router and run multiple instance of other components (SM, S2S C2S). Yes. In this case, router will be under load and will become critical ? How do we load balance router ? We don't. In currently released jabberd2 router cannot be duplicated. Support for router mesh is in the works though. https://github.com/jabberd2/jabberd2/tree/mesh -- Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/
Re: re: Hello guys, iencounteraproblem,call for help
Dnia 2014-07-07, pon o godzinie 12:41 +0800, 304747446 pisze: the output of ./configure is in the configure.txt How about ./configure --enable-sqlite Please attach generated config.log instead manually copying output. -- Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/
Re: 回复: 回复: 回复: 回复: Hello guys, i encounteraproblem,call for help
Dnia 2014-07-01, wto o godzinie 15:10 +0800, 304747446 pisze: hello, today i checked the Makefile under the storage directory carefully and i find that there is no compile instruction for the storage_sqlite.c, i think this is the cause that no storage_sqlite.so is built. Please do: ./configure --enable-sqlite make clean make make install Dissecting autotools build like this is not recommended. -- Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/
Re: 回复: 回复: 回复: Hello guys, i encountera problem,call for help
Dnia 2014-06-25, śro o godzinie 16:06 +0800, 304747446 pisze: then go to the storage directory and rebuild, but there is also no libstorage_sqlite.so file to be generated... a) it's storage_sqlite.so not libstorage_sqlite.so b) modules are built in a hidden subdirectory storage/.libs -- Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/
Re: Roster module with custom MySQL requests
Dnia 2014-04-01, wto o godzinie 15:56 +0200, Sylvain Guglielmi pisze: Is it safe/better/not a good idea to deactivate the active plugin from every chain (user_load; user_create; user_delete) ? It's main function is to drop messages to unexisting users instead of storing them in offline messages store. If you remove it, you are potentially vulnerable to DoS attack filling your offline storage database with messages for bogus users. -- Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/
Re: create publish node with idavoll + jabberd2?
Dnia 2014-02-24, pon o godzinie 17:03 +0800, li wang pisze: Thanks greatly, do you mean I should use: pubsub.testdomain.com as the domain name? does I have to configure my nameserver to direct it? You can use whatever name you want as long as it stays inside your server. You have to make it resolvable to your s2s address if you want it to be reachable from other servers. -- Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/
Re: systemd unit files
Dnia 2014-02-14, pią o godzinie 14:23 +0100, Adrian Reber pisze:
I have a simple patch which includes the systemd unit files from the
fedora package into jabberd2 at:
Thanks.
Merged in 49d48df0f6b6b1d35cf96930644f03b6db66e0d4
--
Tomasz Sterna:(){ :|:};:
Instant Messaging ConsultantOpen Source Developer
http://abadcafe.pl/ http://www.xiaoka.com/portfolio
Re: Ldapvcard + roster
Dnia 2014-02-13, czw o godzinie 17:14 +0100, Oriol Mula-Valls pisze: Which solutions is better from your point of view? My knowledge of the xmpp standard is little. I can try to make the patches and test them on our infrastructure. This does not really have anything to do with XMPP standard. For XMPP user authentication is opaque and abstracted to SASL. It's a job of SASL backend (in this case based on LDAP) to verify user credentials, and once SASL says you are a JID you are pretending to be, you are in. Having said that, I will mention that I have not much experience with LDAP and the one I have is rusty. Thus I still have your proposed patch pending review, as on a first brief look through, I couldn't decide it's validity. Please do work on LDAP backend in whatever way pleases you. If you keep backward compatibility, I will gladly accept patches adding new functionality. (Preferably via GitHub pull request.) Also please do discuss your concerns on this mailing list, as others may have viable experience; but addressing these to me personally may discourage others joining in to the discussion. ;-) P.S. I need to mention, that I would be rapturous if someone would finally merge both LDAP backends to one. -- Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/
Re: Roster publish
Dnia 2014-02-10, pon o godzinie 18:00 +0100, Oriol Mula-Valls pisze: After setting it to 0 I expect the user to disappear from the clients. I have tried to relogin to the jabberd2 server but even after that the contact still appears. Did you enable force-create-contacts/? If so, it will add contacts to user normal roster and they will need manual deletion. Also if user edits the contacts details, it will be stored in normal roster. -- Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/
Re: s2s throws coredump with new version of udns-0.3
Dnia 2014-01-20, pon o godzinie 12:02 +0100, Marcin Mirosław pisze: warning: Could not load shared library symbols for linux-vdso.so.1. Do you need set solib-search-path or set sysroot? This suggests problems with your local library installation. Check 'ldd' on libudns.so, i.e.: $ ldd /usr/lib64/libudns.so.0 linux-vdso.so.1 = (0x7fffcf8b6000) libc.so.6 = /lib64/libc.so.6 (0x7f59ae59b000) /lib64/ld-linux-x86-64.so.2 (0x003cde60)
Re: How to configure cipher suites and protocols
Dnia 2014-01-13, pon o godzinie 13:29 +0100, MacLemon pisze: I want to disable SSLv3 in favour of TLSv1 only. (Apple jabberd2 is linked against a pre-historic OpenSSL 0.9.8 so it doesn't support TLS 1.2.) I also want to get rid of weak ciphers and try to enable forward secrecy handshake namely DHE. It's not possible in 2.2. You need at least 2.3.0 for this.
Re: Roster module with custom MySQL requests
Dnia 2014-01-10, pią o godzinie 13:54 +0100, Sylvain Guglielmi pisze: My question : Should I add a timetick chain to the SM (called every second for example), and add my module to this chain (with a rate_t check) ? I'm not thrilled by this solution, because for now, I haven't changed any code from jabberd2 except from the new module, which make it easier to test or get in production. Is there another, better way ? You could have a separate cron component pinging 'sm' in regular intervals with special route packet, and handle this special packet in 'in-router' chain of your module. Having that it could even be done not in regular intervals, but on-demand, when your component gets triggered by web frontend.
Re: push notification system (pns)
Dnia 2014-01-09, czw o godzinie 09:07 +0530, Kumar Deepak pisze: I was thinking to integrate push notification system to inform about incoming messages for xmpp clients. Clearly, the case comes when clients become unavailable on mobile client. I don't quite clearly understand what you need. IIRC you would like a method to notify a disconnected client, that there are pending offline messages waiting and it needs to connect to get these; am I right? -- Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/
Re: push notification system (pns)
Dnia 2014-01-09, czw o godzinie 22:00 +0530, Kumar Deepak pisze: 1. User A is running xmpp client at his iPHONE 2. User B is running xmpp client at his desktop 3. User B sends message to A, but A's xmpp client is either not running or running in background. At pt.1 you stated that A's xmpp client is running, so this condition contradicts pt.1 4. Server stores the message for later delivery. This would happen if A's client is not connected. So I guess that 'running' does not necessary mean 'connected'. 5. Server informs A by sending a message using apple push notification infrastructure. 6. User A accepts the push and A's xmpp client connects to server and server delivery the message to A. Ok. 'Running' definitely does not mean 'connected'. Your goal would be best accomplished by hooking to offline storage module, or using completely custom offline storage module, that sends notification every time it stores a message offline for later delivery.
Re: Roster module with custom MySQL requests
Dnia 2014-01-08, śro o godzinie 03:02 +0100, Sylvain Gugli Guglielmi
pisze:
I can have something like UPDATE `roster-items` SET
`object-sequence`=`object-sequence`+1 but his break uniqueness in the
table.
I come from PostgreSQL, so explicitly handled sequences is natural to
me:
UPDATE roster-items SET object-sequence = nextval('object-sequence')
I haven't found any easy ways to do something similar with
LAST_INSERT_ID() or AUTO_INCREMENT in MySQL, hence my question.
StackOverflow [1] suggests a convoluted solution:
SELECT Auto_increment FROM information_schema.tables WHERE
table_name='the_table_you_want';
Not pretty.
I think you should be fine with manual increment or
MAX(`object-sequence`)+1
Just to check : you're talking about the pools in pool.h.
Yes.
Maybe at one point it'll be better to use pools for roster items too (item,
item-name,
item-groups and its content). I've not yet profiled anything, but this
may be a way to improve speed when loading user data for packet delivery
(without having to code 2 load-user events).
I will gladly accept code submission if you decide to do it. :-)
[1]
http://stackoverflow.com/questions/12271235/mysql-query-next-sequence-number-for-mysql-auto-incremented-field
--
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/
Re: jabberd2 and mandatory TLS
Dnia 2014-01-07, wto o godzinie 02:13 +0100, Marco Cirillo pisze:
Metronome closes the stream with an unsupported-version stream error
the fact jabberd2 attempts to re-establish a stream is simply wrong.
This is a bug for sure.
There is a mechanism to mark dead servers, that should be triggered by
this error.
I created a bug: https://github.com/jabberd2/jabberd2/issues/51
Note: jabberd2 doesn't append neither to and from or a version
attribute on the stream header, which I suppose is the pre-1.0
behaviour / old rfc behaviour.
Yes. jabberd2 is pretty aged software.
--
Tomasz Sterna:(){ :|:};:
Instant Messaging ConsultantOpen Source Developer
http://abadcafe.pl/ http://www.xiaoka.com/portfolio
Re: Roster module with custom MySQL requests
Dnia 2014-01-07, wto o godzinie 02:14 +0100, Sylvain Gugli Guglielmi
pisze:
As I understand it, the
object-sequence don't need to be an UNIQUE field. Am I right on
that ?
object-sequence is used mainly for sorting - to keep stanza ordering,
etc.
There is no enforcement on uniqueness, but in cases when you do care on
ordering, these should be unique.
In roster table you should be fine with just incrementing ver.
BTW, you could just write your UPDATE queries setting ver with next
sequence number for the table. It will save you incrementing in code and
keep it in line with how the original module does things.
Well, I have broken that clean separation early on. For example I
needed [...]
Sure. In case of code tied to concrete SQL it's understandable.
I was expressing my concern on changing the generic roster module which
may store data in many formats.
Also, with many more requests, I fear the jabberd2 load will be more
important when I switch our prod to this plugin, and the load is
already noticeable (15% daily peak of our server)...
My bet is that loading user data for packet delivery causes that.
There is an old item on Rob's TODO list, to have two load-user events -
one when user logs in, and other used for delivery, which loads only
necessary user data. But it is still TODO ;-)
in my experience mallocs and frees can be long, so I try to minimize
these calls as a rule. I assumed the same goes for MySQL requests).
One of the reasons we have memory pools in jabberd2.
--
Tomasz Sterna:(){ :|:};:
Instant Messaging ConsultantOpen Source Developer
http://abadcafe.pl/ http://www.xiaoka.com/portfolio
Re: jabberd2 and mandatory TLS
Dnia 2014-01-06, pon o godzinie 14:14 -0700, Peter Saint-Andre pisze:
And beside this had some not so nice encounters with very buggy
jabberd2 servers which started to loop attempting to re-establish a
connection (very fast beside) when the server closed down their
streams.
How do you close the stream in that case?
If the connection is just being dropped, with unknown reason, it seems
reasonable to reestablish it immediately if there are still packets to
be send to this server.
Users wants their messages to be sent ASAP. It's _instant_ messaging
after all. ;-)
--
Tomasz Sterna:(){ :|:};:
Instant Messaging ConsultantOpen Source Developer
http://abadcafe.pl/ http://www.xiaoka.com/portfolio
Re: Cannot connect with android clients xabber or yaxim to jabberd2
Dnia 2014-01-06, pon o godzinie 22:06 +0100, Fabian Wenk pisze:
@Tomasz, could this be a bug or change from in jabberd 2.2.17
to 2.3.1?
In 2.3.0 GnuSASL =1.1 dependency was introduced. So could there be an
incompatibility between your client and new GnuSASL?
Also since 2.3.0 CyrusSASL backend is broken. Although it is disabled by
default, there are still people using it. Are you using CyrusSASL
backend?
In 2.3.1 --enable-superseded and --enable-experimental defaults were
changed. So if you rely on superseeded and/or experimental features, you
need to enable them explicitly.
--
Tomasz Sterna:(){ :|:};:
Instant Messaging ConsultantOpen Source Developer
http://abadcafe.pl/ http://www.xiaoka.com/portfolio
Re: Roster module with custom MySQL requests
Dnia 2014-01-06, pon o godzinie 18:07 +0100, Sylvain Guglielmi pisze:
Hello everyone,
To use jabberd2 with my pre-existing contacts database, I started
writing a roster module with customisable MySQL requests (I mailed this
list a while back about it, but I just started actual work). It uses
prepared statements, and config file looks like :
This is really interesting. :-D
It could really accelerate XMPP as the next social media protocol. :-)
Could you consider using libdbi instead of hardwiring to MySQL?
This would make your implementation more reusable.
- In order to make simpler custom databases, I wanted to remove the
pkt-type == pkt_S10N_UN / item-ask == 2 mechanism. According to a
comment there is no ask='unsubscribe' in RFC bis anymore . Would
anyone advise against it ?
How would that make schema simpler?
You still need to store ask='subscribe', don't you?
- something that seems weird to me : I was expecting item-ver to be
incremented each time the item is updated (for example in
_roster_save_item),
but couldn't find such code. It there something I don't grasp ?
Ahhh... Yes... There's a little trick I used there. ;-)
ver is coming from auto-incrementing field object-sequence.
As storage never issues UPDATE but always DELETE first then INSERT,
every updated roster item automagically gets new ver value.
[...] I thought it would be good to do the same
thing in the regular roster, but I couldn't find a way to remove a
specific os_object_t. Is there a way to do that ?
storage_delete() with proper filter.
Anyway here's what the code could look like, with TODOs :
The clean separation between stanza parsing to roster-item and
roster-group structures which are then stored to DB, and in reverse
makes the code more comprehensible.
I doubt that trading readability for efficiency is worthy in case of
today's microprocessor speeds and RAM availability.
Also, does your use-case covers users in many-many groups?
My experience shows that most users are in 0 groups, some in 1 group and
very few in 2+ groups. There's not many INSERTs to gain there.
Remember: Premature optimization is the root of all evil.
I would rather suggest adding 'dirty' flag, risen whenever group
membership actually changes. This would keep the separation still,
allowing for bulk drops of unneeded DELETE/INSERTs.
--
Tomasz Sterna:(){ :|:};:
Instant Messaging ConsultantOpen Source Developer
http://abadcafe.pl/ http://www.xiaoka.com/portfolio
Re: jabberd2 and mandatory TLS
Dnia 2014-01-06, pon o godzinie 16:43 -0700, Peter Saint-Andre pisze:
I don't have details on what Marco reported. We might want to do more
testing. Is there a good deployed jabberd2 instance we can test
against?
My server 'chrome.pl' is always running most recent version of jabberd2.
(Sometimes even unreleased one ;-)
--
Tomasz Sterna:(){ :|:};:
Instant Messaging ConsultantOpen Source Developer
http://abadcafe.pl/ http://www.xiaoka.com/portfolio
signature.asc
Description: This is a digitally signed message part
Re: s2s: timed out dns lookups
Dnia 2013-12-28, sob o godzinie 09:10 +0100, Eric Koldeweij pisze:
My suspicion is that there is a problem with a name server you are
using. if you look at the file /etc/resolv.conf you will see one or
more lines saying nameserver ip_addr. The resolver will ask each
name server in turn to resolve the host name for it,
I second that. This is what immediately came to my mind as a probable
answer to your issue.
dig command works independently of stub resolver in your system and is
more of a DNS servers test tool, not your system setup test tool.
Take a look at each of your 'nameserver' line in /etc/resolv.conf and
check each server first pinging it, then asking directly:
host -t SRV _xmpp-server._tcp.jabber.org. dns.server.ip.123
BTW: for best performance it's recommended to run a caching full
resolver on the same machine as your server and configure
nameserver 127.0.0.1 line in /etc/resolv.conf
--
Tomasz Sterna:(){ :|:};:
Instant Messaging ConsultantOpen Source Developer
http://abadcafe.pl/ http://www.xiaoka.com/portfolio
Re: sm bug: mysql: sql insert failed: Out of range value for column 'ask' at row 1
Dnia 2013-12-07, sob o godzinie 17:00 -0700, Justin T Pryzby pisze: Sat Dec 7 16:54:36 2013 storage_mysql.c:239 prepared sql: INSERT INTO `roster-items` ( `collection-owner`, `ask`, `from`, `to`, `name`, `jid` ) VALUES ( 'x...@norchemlab.com', '139899969732608', '1', '1', 'R', 'y...@norchemlab.com' ) Sat Dec 7 16:19:09 2013 [error] mysql: sql insert failed: Out of range value for column 'ask' at row 1 Looks very similar to https://github.com/jabberd2/jabberd2/issues/48
jabberd-2.3.1 release
Next jabberd2 release is available. Get 2.3.1 release at GitHub: https://github.com/jabberd2/jabberd2/releases This release deals with TLS Everywhere problems introduced in 2.3.0. This feature was moved under EXPERIMENTAL umbrella. If you want to enable it, you now need to ./configure --enable-experimental Changes: * Marked TLS-Everywhere as EXPERIMENTAL feature * default EXPERIMENTAL to 'no' * default SUPERSEDED to 'no' * moved STANZA-ACK and MY-IP-ADDRESS XEPs and IQ-PRIVATE push out of experimental status For a full change log see: https://github.com/jabberd2/jabberd2/commits/jabberd-2.3.1 -- Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/
Re: jabberd-2.3.0 release
Dnia 2013-11-26, wto o godzinie 07:40 +0100, Christof Meerwald pisze: I tried upgrading from 2.2.17 to 2.3.0 yesterday, but that left me with a broken server. The s2s component now just connects to a remote server, switches the stream to TLS, gets the certificate, disconnects and immediately connects again. I guess the network is not that ready for 'TLS Everywhere' [1] yet. Maybe it is worth releasing 2.2.18 without that change. [1] https://github.com/jabberd2/jabberd2/commit/ad9ead7816 -- Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/
Re: XMPP connections
Dnia 2013-11-26, wto o godzinie 01:41 -0900, Haider Ali pisze: Since we know that we can only open 2 ^ 16 = 65536 ports ( connections ) with a single machine. That's a common myth. Google is your friend: http://www.quora.com/TCP-IP/What-is-the-maximum-number-of-simultaneous-TCP-connections-achieved-to-one-IP-address-and-port The TCP/IP standard sets up unique connection identifiers as the tuple of local IP Address, local TCP port number, remote IP address, and remote TCP port number. In your example, the local numbers are both fixed, which leaves approximately 2^32 remote IP (version 4) addresses, and 2^16 TCP port numbers, or an approximate total potential simultaneous TCP connections of 281,474,976,710,656 (2^48, or 2.81 * 10^14, or 281 trillion).
jabberd-2.3.0 release
Next jabberd2 release is finally available. Get 2.3.0 release at GitHub: https://github.com/jabberd2/jabberd2/releases This release packs many new features and load of bugfixes. Also introducing Semantic Versioning scheme and TLS Everywhere recommendation. Many, many thanks to all contributors. :-) Changes: * Renamed non-standard UPGRADE file overwriting outdated NEWS file * Semantic Versioning: http://semver.org/ * TLS Everywhere: https://github.com/stpeter/manifesto * Required GSASL =1.1 * jabberd should compile without warnings * out-of-source builds should work * pgsql: authreg password_type support * pgsql: schema support * ldapvcard: groupattr works even if no groupattr_regex defined * ldapfull: checks for ldap group membership on login * vCard: Assume tel phone is voice phone * MySQL: default password hashing algorithm changed to SHA512 * out-conn-reuse s2s.xml option naming unified * XML parse error will log buffer details * CRAM-MD5 auth support * router private key cachain and password support * hashed passwords support in SQLite3 storage For a full change log see: https://github.com/jabberd2/jabberd2/commits/jabberd-2.3.0 -- Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/
Re: jabberd2 encryption HOWTO
Dnia 2013-11-04, pon o godzinie 14:41 -0800, Peter Saint-Andre pisze: Would someone in the jabberd2 community consider writing a brief howto about configuring jabberd2 so that it allows only encypted connections? Our separate documentation tends to rot, so the only authoritative (and actively maintained) source is the comments in the configuration files themselves. :-) https://github.com/jabberd2/jabberd2/blob/master/etc/s2s.xml.dist.in#L300 -- Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/
Re: [PATCH] Implement hashed passwords for SQLite3 storage
Dnia 2013-10-31, czw o godzinie 16:44 -0200, Sergio Durigan Junior
pisze:
I'll set up a git repo and publish here, so if anyone is interested
it'll be possible to follow the development.
The easiest would be to make a GitHub fork to ba able to create
GitHub pull requests.
--
Tomasz Sterna:(){ :|:};:
Instant Messaging ConsultantOpen Source Developer
http://abadcafe.pl/ http://www.xiaoka.com/portfolio
Re: [PATCH] Implement hashed passwords for SQLite3 storage
Dnia 2013-10-30, śro o godzinie 16:36 -0200, Sergio Durigan Junior pisze: Wow, that was fast! Thanks a lot :-). Thank _you_. :-) Eventually, I intend to start working on the libdbi integration (see https://github.com/jabberd2/jabberd2/issues/28). Is anyone else working on this? Maybe we could join efforts :-). Noone that I know of. It should be fairly easy to do basing on one of the existing backends. -- Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/
Re: [PATCH] Implement hashed passwords for SQLite3 storage
Dnia 2013-10-30, śro o godzinie 03:37 -0200, Sergio Durigan Junior pisze: The patch is indeed a copy-and-paste of the code which adds this security in other backends. I also made a little cleanup in the check_password function of the SQLite3 backend (obvious). I tested the patch by creating several users and logging into the server with them afterwards. Everything succeeded. Thanks. :-) Merged: https://github.com/jabberd2/jabberd2/commit/3e207cfc08efdafe9a9e75dc580dd9c5bfe59554 -- Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/
Re: sm/router: XML parser error
Dnia 2013-10-30, śro o godzinie 10:28 -0700, Justin T Pryzby pisze: Thanks, I got a debug log by specifying a debug path in router.xml, but it doesn't say XML parser error; am I missing something from stderr that doesn't make it to the logfile? This is logged in the normal, not debug log. Check standard log to see when that happens and send me few screens of debug log before that happened. It should help me debug and fix your issue.
Re: no SASL backend available out of: gsasl
Dnia 2013-10-25, pią o godzinie 15:12 +0100, Niamh Holding pisze: EK What does config.log say about it? As the rooot message said- ./conftest: error while loading shared libraries: libgsasl.so.7: cannot open shared object file: No such file or directory How did the test compilation line looked like? i.e. $ grep 'checking for GnuSASL version' -A1 config.log configure:15860: checking for GnuSASL version = 0.2.27 configure:15879: gcc -o conftest -Wall -Wno-pointer-sign -g -g -O2 -funsigned-char conftest.c -lgsasl -ludns -lidn -lexpat -lresolv -lcrypt -ldl 5
Re: no SASL backend available out of: gsasl
Dnia 2013-10-25, pią o godzinie 16:39 +0100, Niamh Holding pisze: configure:15793: gcc -o conftest -g -O2 -funsigned-char -L/usr/local/lib -L/usr/lib conftest.c -lgsasl -ludns -lidn -lexpat -lresolv -lcrypt -ldl 5 ./conftest: error while loading shared libraries: libgsasl.so.7: cannot open shared object file: No such file or directory Is your dynamic linker configured to look for dynamic libraries in /usr/local/lib ? ( /etc/ld.so.conf ) -- Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/
Re: no SASL backend available out of: gsasl
Dnia 2013-10-25, pią o godzinie 18:55 +0100, Niamh Holding pisze:
cat /etc/ld.so.conf
include ld.so.conf.d/*.con
/usr/local/libf
But correcting it made no difference
After editing /etc/ld.so.conf you need to run ldconfig (as root) to
generate /etc/ld.so.cache
--
Tomasz Sterna:(){ :|:};:
Instant Messaging ConsultantOpen Source Developer
http://abadcafe.pl/ http://www.xiaoka.com/portfolio
Re: failed to initialize auth module 'db'
Dnia 2013-07-19, pią o godzinie 16:39 -0700, Lev Stesin pisze:
Also, where do I find a list of supported features and the extent of
XMPP supported provided by jabberd2?
https://github.com/jabberd2/jabberd2/blob/master/README.protocol
--
Tomasz Sterna:(){ :|:};:
Instant Messaging ConsultantOpen Source Developer
http://abadcafe.pl/ http://www.xiaoka.com/portfolio
Re: where can I get the add-on about XEP-0060, pubsub?
Dnia 2013-07-12, pią o godzinie 06:35 +0800, li wang pisze: It seems that the pubsub support is not included in the source of jabberd2. That's correct. So where can I get the pubsub support add-on for jabberd2? Just setup any other server with PubSub module and use its PubSub service.
Re: transports on jabberd2
Dnia 2013-07-08, pon o godzinie 11:42 +0200, giacut pisze: https://github.com/jabberd2/transports ) but these components works only with jabberd 1.x. These components use standard XEP-0114 Jabber Component Protocol thus work with jabberd2 just fine. so i'm wondering: is there a code example of external component that works with jabberd2 ? So, you want to write a native jabberd2 component? If you do not need any feature specific to jabberd2, you'd be better off using XEP-0114 protocol for your transport - this way it may be used with other server implementations than jabberd2.
Re: roster item
Dnia 2013-07-08, pon o godzinie 16:38 +0500, Haider Ali pisze: can anyone help me locating that portion of code where jabberd2 server is loading roster items list from database It is done in mod_roster in user-load chain: https://github.com/jabberd2/jabberd2/blob/master/sm/mod_roster.c#L749
Re: c2s segfaulting for unknown reasons
Dnia 2013-07-08, pon o godzinie 20:51 +0400, Maxim Lougovsky pisze:
#0 0x284f99c8 in free () from /lib/libc.so.7
#1 0x284ea0f3 in catopen () from /lib/libc.so.7
#2 0x284e9947 in strerror_r () from /lib/libc.so.7
#3 0x284e9ad4 in strerror () from /lib/libc.so.7
#4 0x08050503 in _c2s_client_sx_callback (s=0x292376c0,
e=event_READ,
data=0x2917ca00, arg=0x291f8c00) at c2s.c:92
c2s.c:92 is:
log_write(sess-c2s-log, LOG_NOTICE, [%d] [%s, port=%d] read error: %s
(%d), sess-fd-fd, sess-ip, sess-port, MIO_STRERROR(MIO_ERROR),
MIO_ERROR);
Looks like there is a crash in MIO_STRERROR.
Which MIO backend are you using?
--
Tomasz Sterna:(){ :|:};:
Instant Messaging ConsultantOpen Source Developer
http://abadcafe.pl/ http://www.xiaoka.com/portfolio
