Re: Cipher suites in Jabberd2, disabling RC4

[Adrian Reber]

On Wed, Oct 26, 2016 at 01:08:28PM -0400, Pete Fuller wrote:
> Greetings, I am attempting to remove support for the RC4 cipher in TLS
> connections to Jabber2d, per results of a recent security audit.  I
> have done this for our web servers and other encrypted services
> already.  I am not finding any information as to how to make this
> change in jabber2d.  I’m using jabberd version 2.4 from the EPEL repo
> on Centos7.  The only info I could find on the list was someone asking
> this question a few years ago and being told it was an experimental
> feature.
> http://www.mail-archive.com/jabberd2@lists.xiaoka.com/msg02359.html
> 
> . I’m hoping this feature has been included in the release and I am
> just having issues finding that information.  

Looking at c2s.xml.dist.in (and s2s.xml.dist.in) for 2.4 I see:




and

 ciphers
 List of available TLS ciphers. The format of the string is
 described in https://www.openssl.org/docs/apps/ciphers.html

Looks you can just list the needed ciphers in those two files.

Adrian


signature.asc
Description: PGP signature

Re: jabberd-2.4.0 release

[Adrian Reber]

On Fri, May 27, 2016 at 12:09:41AM -0700, li...@lazygranch.com wrote:
> On Fri, 27 May 2016 06:22:01 +0200
> Tomasz Sterna  wrote:
> 
> > W dniu 26.05.2016, czw o godzinie 19∶46 -0700, użytkownik
> > li...@lazygranch.com napisał:
> > > This is from my attempt to compile the tar.gz file after doing
> > > autoreconf -i
> > > ./configure
> > > 
> > > I get
> > > ./configure: 12735: Syntax error: word unexpected (expecting ")")
> > 
> > 
> > Do not use the source labeled "Source code (tar.gz)" - this is plain
> > git source dump, not ready for direct consumption.
> > 
> > Use the source labeled jabberd-2.4.0.tar.xz or jabberd-2.4.0.tar.gz
> > (the ones with .asc signatures). These are prepared, with ./configure
> > script etc. generated.
> > 
> > 
> > 
> > P.S. or install autoconf-archive package
> > 
> 
> Actually I had downloaded  jabberd-2.4.0.tar.gz. However I downloaded
> the xz file. I also installed autoconf-archive, though I don't know how
> I'm supposed to use it.
> 
> Doing some internet search, it is suggested the procedure should be:
> aclocal
> automake --add-missing
> autoconf
> ./configure
> 
> I get this error message:
> --
> checking for XML_ParserCreate in -lexpat... no
> configure: error: Expat not found
> --
> I have expat, so it is a matter of configure not finding it.

As a reference: The Fedora package was also built from jabberd-2.4.0.tar.gz
without any problems.

https://kojipkgs.fedoraproject.org//packages/jabberd/2.4.0/1.fc25/data/logs/x86_64/build.log

Adrian


signature.asc
Description: PGP signature

Re: Questions...

[Adrian Reber]

On Thu, Apr 14, 2016 at 04:19:06PM +0200, Matěj Cepl wrote:
> On 2016-04-14, 10:26 GMT, Adrian Reber wrote:
> > In the configuration I am running jabberd2 on Fedora I did not  
> > have many (maybe any) upgrading the last few versions. EPEL-7 
> > would be an upgrade from 2.3.2 to 2.3.6. It probably depends 
> > on the installation and which backends are used if the 
> > upgrade. Looking at 
> >
> >  https://github.com/jabberd2/jabberd2/blob/master/NEWS
> >
> > it seems upgrading from 2.3.4 to 2.3.5 can require database  
> > changes. Not sure how to handle this. But we can try. 
> 
> # mod_verify requires CREATE TABLE "verify" in DB. Make sure 
> # you created it before enabling the module in sm.xml.
> 
> However, the mod_verify is new in 2.3.5, so we don't have to 
> care about its migration, right? Or what am I missing?

Ah, now that you say so. I never read it that way. But true.

Then it is probably not more than a 'git merge master' to get the latest
jabberd2 on EPEL-7. If you want you can update it for EPEL-7.

Adrian

Re: Questions...

[Adrian Reber]

On Thu, Apr 14, 2016 at 10:49:30AM +0200, Matěj Cepl wrote:
> On 2016-04-14, 06:27 GMT, Adrian Reber wrote:
> > On Wed, Apr 13, 2016 at 09:19:45AM -0700, John Oliver wrote:
> >> 1) Is this project the 'jabberd' that's available in EPEL?
> >
> > I can answer that one. jabberd in EPEL is jabberd2. As it is EPEL it
> > will not see as many updates as the upstream package
> 
> I agree that I would keep EPEL-6 (or even EPEL-5) untouched just 
> with possible security patches, but it seems to me that rebase 
> in EPEL-7 would not be the worst idea. What do you think? I am 
> willing to help with patching.
> 
> Do we know what is the upgrade story? Does the latest jabberd2 
> just takes over the original configuration?

In the configuration I am running jabberd2 on Fedora I did not have many
(maybe any) upgrading the last few versions. EPEL-7 would be an upgrade
from 2.3.2 to 2.3.6. It probably depends on the installation and which
backends are used if the upgrade. Looking at

 https://github.com/jabberd2/jabberd2/blob/master/NEWS

it seems upgrading from 2.3.4 to 2.3.5 can require database changes. Not
sure how to handle this. But we can try.

Adrian

Re: Questions...

[Adrian Reber]

On Wed, Apr 13, 2016 at 09:19:45AM -0700, John Oliver wrote:
> 1) Is this project the 'jabberd' that's available in EPEL?

I can answer that one. jabberd in EPEL is jabberd2. As it is EPEL it
will not see as many updates as the upstream package

Adrian

Re: jabberd-2.3.6 release

[Adrian Reber]

On Mon, Feb 29, 2016 at 01:46:12PM +0100, Tomasz Sterna wrote:
> W dniu 29.02.2016, pon o godzinie 13∶14 +0300, użytkownik
> ungifte...@gmail.com napisał:
> > > Next jabberd2 release is available.
> > 
> > Have to emerge autoconf-archive for new coloring feature
> 
> Do you build from bare GitHub source?
> 
> This macro should get included to the release archive which do not
> require any autotools packages installed for building.

I got the same error building the package on Fedora. I had to run
autoreconf on 2.3.5 as I was getting libtool errors like "Version
mismatch error.". Which were removed by running autoreconf.

Updating to 2.3.6 gave me then above error during configure, which was
resolved by removing the autoreconf I introduced earlier.

So, no problems on my side anymore. Just wanted to mention that I saw
the same error as the original poster.

Adrian

systemd unit files

[Adrian Reber]

I have a simple patch which includes the systemd unit files from the
fedora package into jabberd2 at:

https://lisas.de/git/?p=jabberd2.git;a=commitdiff;h=c78c0f4a68cda23ce5d43153da5e73c0c0472de1

Adrian

Re: releases plans

[Adrian Reber]

On Wed, Mar 21, 2012 at 04:17:02PM +0100, Tomasz Sterna wrote:
> Dnia 2012-03-21, śro o godzinie 15:13 +0100, Adrian Reber pisze:
> > Seeing all the changes which have been committed since 2.2.14
> > I am wondering if there are any plans for a new release?
> 
> Yes... I have one more feature in cooking though.
> 
> Once it is done it may even yeld a 2.3 release :-)
> 
> But since you mentioned... It may be worthwhile to do one more 2.2 line
> release with already committed bugfixes.
> 
> What do you think, community?

I am all for a new release. That was the reason for my question.

Adrian

releases plans

[Adrian Reber]

Seeing all the changes which have been committed since 2.2.14
I am wondering if there are any plans for a new release?

Adrian

Re: jabberd2 2.2.7.1-2 with db fails

[Adrian Reber]

On Tue, Apr 21, 2009 at 09:15:20PM +0100, Jorge Salamero Sanz wrote:
> 
> i'm using jabberd2 2.2.7.1-2 with libdb4.4 (4.4.20-11) and sm fails with:
> 
> jabberd2-sm: symbol lookup error: /usr/lib/jabberd2/storage_db.so: undefined 
> symbol: ser_string_set
> 
> which libdb version should we use ?

Are you compiling jabberd yourself or are you using it from a
distribution. From what you are writing it sounds a lot like you are
using it from a distribution and then I would say they should get a
bug report. I would expect that the depsolver (apt-get, yum, something)
should install the correct libraries.

Adrian

-- 
To unsubscribe send a mail to jabberd2+unsubscr...@lists.xiaoka.com

Re: [jabberd2] Hi ....

[Adrian Reber]

On Mon, Dec 22, 2008 at 05:01:54AM -0800, Raghu wrote:
> I have installed jabberd-2.2.4 via rpm and the server
> is starting after configuring, the problem is when i
> try to connect from client (exodus) or any other
> client software. it gets connect then its not able to
> the user or create the new user. I have follwed the
> document from
> http://jabberd2.xiaoka.com/wiki/InstallGuide/InstallJabberd2
> the log message int he server as follows.
> 
> using MYSQL as database and authentication.
> 
[...]
> 
> from client ( exodus ) the error is
> An error accourred trying to register new account.
> This server may not allow open register. 

Have you enabled account registration in c2s.xml?

Adrian

-- 
To unsubscribe send a mail to jabberd2+unsubscr...@lists.xiaoka.com

Re: [jabberd2] compile probs

[Adrian Reber]

On Tue, Oct 21, 2008 at 12:02:46PM +0200, Tomasz Sterna wrote:
> Dnia 2008-10-20, pon o godzinie 15:32 -0700, Bazooka Joe pisze:
> > configure: error: no SASL backend available out of: gsasl
> > 
> > I installed the cyrus-sasl-devel but to no avail
> 
> You need gsasl-devel

Which could be hard on centos. I have not seen recent enough gsasl
packages for centos. You probably have to compile it yourself.

Adrian

-- 
To unsubscribe send a mail to [EMAIL PROTECTED]

Re: [jabberd2] compile probs

[Adrian Reber]

On Mon, Oct 20, 2008 at 12:03:38PM -0700, Bazooka Joe wrote:
> I get this error in configure
> 
> configure: error: Expat not found
> 
> but my centos system says
> 
> Package expat - 1.95.8-8.2.1.x86_64 is already installed.
> 
> I don't compile programs very often so any help would be appreciated.

Install expat-devel.

Adrian

-- 
To unsubscribe send a mail to [EMAIL PROTECTED]

Re: [jabberd2] Trouble with installation and gsasl

[Adrian Reber]

On Mon, Aug 25, 2008 at 10:13:02PM +0200, Thomas Kerkmann wrote:
> Yes, libgsasl is installed in /usr/lib64
> 
> So I changed everything to point there
> 
> [EMAIL PROTECTED] jabberd-2.2.3]# ./configure --enable-sqlite  --enable-ssl \
>   --with-extra-include-path=/usr/local/include \
>   --with-extra-library-path=/usr/lib64
> 
> [EMAIL PROTECTED] jabberd-2.2.3]# cat /etc/ld.so.conf
> include ld.so.conf.d/*.conf /usr/lib64

You give us very little information about your system. But could it be
that your distribution has an older version of gsasl installed which is
found by the configure script?

and please, do not top post on mailing lists
http://en.wikipedia.org/wiki/Posting_style ;-)

Adrian

-- 
To unsubscribe send a mail to [EMAIL PROTECTED]

Re: [jabberd2] Trouble with installation and gsasl

[Adrian Reber]

On Mon, Aug 25, 2008 at 08:41:03PM +0200, Thomas Kerkmann wrote:
> Thanks for replying, but nope
> 
> [EMAIL PROTECTED] jabberd-2.2.3]# ./configure --enable-sqlite --enable-ssl
> --with-extra-include-path=/usr/local/include
> --with-extra-library-path=/usr/local/lib
> 
> checking for stringprep_check_version in -lidn... yes
> checking for Libidn version >= 0.3.0... yes
> checking for dns_init in -ludns... yes
> checking gsasl.h usability... yes
> checking gsasl.h presence... yes
> checking for gsasl.h... yes
> checking for gsasl_check_version in -lgsasl... yes
> checking for GnuSASL version >= 0.2.27... no
> configure: error: no SASL backend available out of: gsasl
> [EMAIL PROTECTED] jabberd-2.2.3]# gsasl --version
> gsasl (GNU SASL) 0.2.27
> Copyright (C) 2008 Simon Josefsson.
> License GPLv3+: GNU GPL version 3 or later
> 
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
> 
> Written by Simon Josefsson.
> [EMAIL PROTECTED] jabberd-2.2.3]# cat /etc/ld.so.conf
> include ld.so.conf.d/*.conf /usr/local/lib
> [EMAIL PROTECTED] jabberd-2.2.3]# 
> 
> BTW, this is an x86_64 system.

And where is libgsasl installed? If it is a 64 bit system I would expect
it to be in /lib64 and not /lib

Adrian




> -Ursprüngliche Nachricht-
> Von: Tomasz Sterna [mailto:[EMAIL PROTECTED] 
> Gesendet: Sonntag, 24. August 2008 23:31
> An: jabberd2@lists.xiaoka.com
> Betreff: Re: [jabberd2] Trouble with installation and gsasl
> 
> Dnia 2008-08-24, nie o godzinie 10:19 +0200, Thomas Kerkmann pisze:
> > checking for GnuSASL version >= 0.2.27... no
> > configure: error: no SASL backend available out of: gsasl
> > 
> > [EMAIL PROTECTED] jabberd-2.2.3]# gsasl --version gsasl (GNU SASL) 
> > 0.2.27
> [...]
> > Can anybody help me out here please - what am I missing
> 
> http://jabberd2.xiaoka.com/ticket/98#comment:3 ?

--
To unsubscribe send a mail to [EMAIL PROTECTED]

Re: [jabberd2] Jabberd2 Debian package

[Adrian Reber]

On Wed, Aug 06, 2008 at 10:15:21AM +0200, Harald Braumann wrote:
> Jabberd2 is back in Debian main, as Jorge Salamero Sanz announced in a
> previous post -- well, maybe not so much announced but hid in a
> btw-clause. Still, it's great news.
> 
> I myself maintained an unofficial jabberd2 package on
> debian.unheit.net. I don't know if many people besides me used it,
> but anyway it will be discontinued. I'd rather contribute to the
> official package. 

I am maintaining jabberd for Fedora, but since 2.2.0 I have not updated
anymore because I cannot connect to jabberd with pidgin.

http://developer.pidgin.im/ticket/6394

Does this problem also exists on debian?

Adrian

-- 
To unsubscribe send a mail to [EMAIL PROTECTED]

Re: [jabberd2] Problems with 2.2.1

[Adrian Reber]

On Mon, Jul 21, 2008 at 03:08:14PM +0200, Tomasz Sterna wrote:
> Dnia 2008-07-21, pon o godzinie 10:05 +0200, Adrian Reber pisze:
> > Is this a known problem? Any other information required?
> 
> http://developer.pidgin.im/search?q=ssl+wrong+version
> +number&noquickjump=1&ticket=on&doxygen=on&wiki=on
> 
> I think it's not yet reported.

Now, it is: http://developer.pidgin.im/ticket/6394

Adrian

-- 
To unsubscribe send a mail to [EMAIL PROTECTED]

[jabberd2] Problems with 2.2.1

[Adrian Reber]

Hi

with 2.2.0/2.2.1 I can connect with PSI but it fails with pidgin-2.4.3 with
following error:

sx (io.c:212) passed 126 read bytes
sx (chain.c:93) calling io read chain
sx (ssl.c:380) in _sx_ssl_rio
sx (ssl.c:384) loading 126 bytes into ssl read buffer
sx (ssl.c:462) openssl error: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong 
version number
sx (ssl.c:466) tag 27 event 8 data 0xbfde9100
Mon Jul 21 09:59:00 2008 [notice] [27] [127.0.0.1, port=42349] error: SSL 
handshake error (error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version 
number)
sx (error.c:79) prepared error: error:1408F10B:SSL 
routines:SSL3_GET_RECORD:wrong version 
number 

Is this a known problem? Any other information required?

Adrian

-- 
To unsubscribe send a mail to [EMAIL PROTECTED]

Re: [jabberd2] CLOSE_WAIT after SSL handshake errors

[Adrian Reber]

On Tue, Jan 29, 2008 at 09:48:12AM -0800, Michiel Frishert wrote:
> Do you mean just the SSL error? Or also the CLOSE_WAIT state on the
> associated socket?

I never looked at associated socket until now and if I get a SSL error
the server socket stays at CLOSE_WAIT and the client socket hangs at
FIN_WAIT2 until I kill c2s. With pidgin I get very often SSL (wrong
version number) but never with psi. The first connect of a fresh
jabberd-2.1.22 usually works with pidgin and then it starts to happen
very often.

> On 1/29/08, Adrian Reber <[EMAIL PROTECTED]> wrote:
> >
> > On Mon, Jan 28, 2008 at 06:26:31PM -0800, Michiel Frishert wrote:
> > > and very rarely:
> > > SSL handshake error (error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
> > > version number)
> >
> > I am also seeing this with 2.1.21 sometimes. Especially with pidgin. In
> > my tests it seems like psi does not have this problem in contrast to
> > pidgin.

Adrian
___
Jabberd2 mailing list
Jabberd2@lists.xiaoka.com
http://lists.xiaoka.com/listinfo.cgi/jabberd2-xiaoka.com

Re: [jabberd2] CLOSE_WAIT after SSL handshake errors

[Adrian Reber]

On Mon, Jan 28, 2008 at 06:26:31PM -0800, Michiel Frishert wrote:
> and very rarely:
> SSL handshake error (error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong 
> version number)

I am also seeing this with 2.1.21 sometimes. Especially with pidgin. In
my tests it seems like psi does not have this problem in contrast to
pidgin.

Adrian
___
Jabberd2 mailing list
Jabberd2@lists.xiaoka.com
http://lists.xiaoka.com/listinfo.cgi/jabberd2-xiaoka.com

[jabberd2] verifiy mode in c2s

[Adrian Reber]

I am maintaining jabberd for Fedora and I am currently looking into why
the verify-mode parameter is not working. The current code still uses
the verfiy-mode parameter from the old 5223 SSL code path.

Following patch seems necessary which just moves the reading of
verify-mode a bit up.

--- jabberd-2.1.20/c2s/main.c   2007-12-27 18:52:04.0 +0100
+++ /tmp/main.c 2008-01-08 11:11:24.433818914 +0100
@@ -241,9 +242,11 @@

 host->host_pemfile = j_attr((const char **) elem->attrs[i], "pemfile");

+host->host_verify_mode = j_atoi(j_attr((const char **) elem->attrs[i], 
"verify-mode"), 0);
+
 #ifdef HAVE_SSL
 if(c2s->sx_ssl == NULL && host->host_pemfile != NULL) {
-c2s->sx_ssl = sx_env_plugin(c2s->sx_env, sx_ssl_init, 
host->host_pemfile, NULL, c2s->local_verify_mode);
+c2s->sx_ssl = sx_env_plugin(c2s->sx_env, sx_ssl_init, 
host->host_pemfile, NULL, host->host_verify_mode);
 if(c2s->sx_ssl == NULL) {
 log_write(c2s->log, LOG_ERR, "failed to load %s SSL pemfile", 
host->realm);
 host->host_pemfile = NULL;
@@ -253,8 +256,6 @@

 host->host_require_starttls = (j_attr((const char **) elem->attrs[i], 
"require-starttls") != NULL);

-host->host_verify_mode = j_atoi(j_attr((const char **) elem->attrs[i], 
"verify-mode"), 0);
-
 host->ar_register_enable = (j_attr((const char **) elem->attrs[i], 
"register-enable") != NULL);
 host->ar_register_oob = j_attr((const char **) elem->attrs[i], 
"register-oob");
 if(host->ar_register_enable || host->ar_register_oob) {


Hope this is correct.

Adrian
___
Jabberd2 mailing list
Jabberd2@lists.xiaoka.com
http://lists.xiaoka.com/listinfo.cgi/jabberd2-xiaoka.com