Re: Stepping down

2018-01-21 Thread Tomasz Sterna
On Sun, 21.01.2018 at 15∶01 +0100, Alexandre Jousset wrote:

>   Has anyone already shown interest to become the new maintainer?

Nope.
As you can see on GitHub, activity recently was close to none.


>   I don't know if I'm skilled enough but instead of letting it
> die, I would like to become the maintainer if nobody with better
> skills wants to :-)

Judging by your contributions to jabberd2, I see no problem in passing
the project to you.


>   BTW I was recently doing some load test and having thought
> about solving the SPOF of the router process, [...]

We already had a _lengthy_ discussion on list on my vision how to
multiply the router:
https://www.mail-archive.com/jabberd2@lists.xiaoka.com/msg01909.html

Your work still lives in:
https://github.com/jabberd2/jabberd2/tree/mesh


But my latest approach was to ditch the router component in favor of a
message bus (using 0MQ). See discussion at
https://gitter.im/jabberd2/jabberd2?at=56b8b4e9939ffd5d15f671e1

This is what https://github.com/jabberd2/jabberd2/commits/ashnazg
branch implemented and jabberd3 code (which was born of ashnazg branch) was 
going for.


>   In any case I wish you the best for the future :-)

Thanks. ☺





Re: Stepping down

2018-01-21 Thread Tomasz Sterna
On Sun, 21.01.2018 at 01∶34 +0100, Matěj Cepl wrote:
> On Sat, 2018-01-20 at 23:57 +0000, Tomasz Sterna wrote:
> > - https://github.com/smokku/jabberd3
> > - https://github.com/smokku/traffx
> 
> But both of these projects are already dead, aren't they? (You
> seemed to indicate you are leaving XMPP world as such)

I won't be developing these anymore, (in fact I wasn't for some time
now), thus there is no reason for these to sit on my HDD.

I opened the source so anyone could pick it up and make something
useful of these.






Stepping down

2018-01-20 Thread Tomasz Sterna
Hello.

This e-mail is to make it official, that I am stepping down as a
maintainer of jabberd2 project.

Over the years my interests drifted away from Jabber/XMPP and in fact I
wasn't contributing much to the project lately.
I did my best to accept the submissions, but not much more.
This situation does not benefit the project, nor me, so it is time to
officially step down.

Directly related to this, I will be shutting down all my XMPP related
services - including this mailing list, as the virtual machine hosting
it is going away. It is financed up to end of February, so expect it to
go down during March 2018.


As a consolation, I am opening the source of other XMPP servers I've
been working over the years. These are provided as-is at the current
stage of development. Both are working and able to participate in XMPP
Federation.

- https://github.com/smokku/jabberd3
  my work to modernize jabberd2 and merge some of jabberd14 code

- https://github.com/smokku/traffx
  Node.js/node-xmpp based server to be deployed in The Cloud


This was hell of a journey. 😄
Best regards to all I crossed paths with and best wishes.


-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Re: WebSocket port?

2017-12-25 Thread Tomasz Sterna
On Sat, 23.12.2017 at 17∶05 -0500, James Bellinger wrote:
> I added  to the c2s configuration, but as far as I can
> tell, no new ports are open and nothing has changed.
> 
> How do I specify a port etc. for wss:// ?

jabberd2 autodetects HTTP on standard C2S port.

It was mostly useful to listen C2S on 80/443 to bypass firewalls and
redirect real HTTP connections to real HTTP server.

This mechanism allows now to autodetect WebSocket on standard C2S port.
So you just use ws://example.com:5222/ and wss://example.com:5223/
As simple as that.

Of course you can enable C2S listener on any non-standard port like
5280 etc.





-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/




Re: disable TLS 1.0

2017-07-21 Thread Tomasz Sterna
On Thu, 20.07.2017 at 14∶48 +0300, Alexander Velin wrote:
> How does one configure available SSL protocols (not ciphers), in 
> particular, to disable TLS 1.0 and leave only 1.1 and 1.2 ?

You need to compile with ./configure --enable-experimental flag.

https://github.com/jabberd2/jabberd2/commit/ee0f2ce8b148f0476ee9c41c071873c79751c0d9#diff-a4bd824bd7667649eaaadceaf81d55efR661


-- 
 /o__ 
(_<^' You're already carrying the sphere!




jabberd-2.6.1 release

2017-07-01 Thread Tomasz Sterna
It is time for next jabberd2 release.

Get 2.6.1 release at GitHub:
https://github.com/jabberd2/jabberd2/releases


This is a security bugfix release.

Make sure to read the NEWS before upgrade:
https://github.com/jabberd2/jabberd2/blob/jabberd-2.6.1/NEWS


This release fixes a bug allowing anyone to authenticate using SASL
ANONYMOUS, even when sasl.anonymous c2s.xml option is not enabled.

https://github.com/jabberd2/jabberd2/commits/jabberd-2.6.1







-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/




ANONYMOUS auth bug

2017-07-01 Thread Tomasz Sterna
Current 2.6.0 release has some kind of bug, that allows ANONYMOUS login
even when sasl.anonymous is disabled in c2s.xml.

Yesterday I noticed, that spammers are using this bug to send spam via
my server, using ANONYMOUS logins.

I am working on a fix.
This mail is to serve as a warning.

I've been able to workaround this bug by disabling "auto-create" in
sm.xml, so the spammer can log in ANONYMOUS, but is not able to create
SM session for not-existing account.

Will keep you informed about a progress of the fix.


-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/




jabberd-2.6.0 release

2017-05-28 Thread Tomasz Sterna
It is time for next jabberd2 release.

Get 2.6.0 release at GitHub:
https://github.com/jabberd2/jabberd2/releases


This is a bugfix release.

Make sure to read the NEWS before upgrade:
https://github.com/jabberd2/jabberd2/blob/jabberd-2.6.0/NEWS


Changes:
 * Better SASL error messages

https://github.com/jabberd2/jabberd2/commits/jabberd-2.6.0






-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/




Re: New website look

2017-01-09 Thread Tomasz Sterna
On 09.01.2017, Mon at 12∶58 +0300, Eugene Agafonov wrote:
> I've got two columns on not-quite-wide-window and have to scroll
> screen twice for each column to observe whole content.
> I've got three columns on a-bit-wider-window  and still see scrollbar
> :-)
> 
> Was it intentional?

Yes. The column width is fixed for comfortable reading.
If you have enough horizontal space you may even have 4 columns. ☺



-- 
 /o__ Universities are places of knowledge. The freshman each bring a little
(_<^' in with them, and the seniors take none away, so knowledge accumulates.




New website look

2017-01-07 Thread Tomasz Sterna
Hello.

I got bored with the look of http://jabberd2.org which was something
looking like taken straight from the 80s ;-), so I took an attempt of
making it more modern.

Hope you like it.


-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/



jabberd-2.5.0 release

2017-01-05 Thread Tomasz Sterna
It is about time for next jabberd2 release.

Get 2.5.0 release at GitHub:
https://github.com/jabberd2/jabberd2/releases


This is a bugfix release.

Make sure to read the NEWS before upgrade:
https://github.com/jabberd2/jabberd2/blob/jabberd-2.5.0/NEWS


Changes:
 * Do not attempt to reload SM modules on SIGHUP
 * Cleanup config files example
 * Fixed memory leak in pgsql storage driver
 * Fixed two double-frees caused by dangling pointers
 * Fixed c2s logger initialization point

https://github.com/jabberd2/jabberd2/commits/jabberd-2.5.0



-- 
 /o__ Going to church does not make a person religious, nor does going to school
(_<^' make a person educated, any more than going to a garage makes a person a car.



Re: sm crashing on startup

2017-01-04 Thread Tomasz Sterna
On 03.01.2017, Tue at 23∶35 -0500, Greg Troxel wrote:
>  Jabberd mostly works fine, but on boot sm
> crashes.  I have adjusted sequencing, although in theory it should
> not matter

Does 48125019 [1] fix your issue?


[1] https://github.com/jabberd2/jabberd2/commit/48125019452e291b2c57275c789f3d7df87d7146


-- 
 /o__ 
(_<^' Good teaching is one-fourth preparation and three-fourths good theatre.




Re: Whitelisting?

2017-01-03 Thread Tomasz Sterna
On 02.01.2017, Mon at 23∶33 +0100, Matěj Cepl wrote:
> It is possible to allow messages from contacts on roster only.
> [...] I wondered whether you (or anybody else) could point me to
> some HOWTOs or examples?

http://xmpp.org/extensions/xep-0016.html#protocol-all Example 47.



-- 
 /o__ 
(_<^' Never buy from a rich salesman.




Re: Whitelisting?

2017-01-02 Thread Tomasz Sterna
On 02.01.2017, Mon at 19∶21 +0100, Matěj Cepl wrote:
> is it possible to use XEP-0191 to setup whitelist (i.e., default
> blocking, and whitelisting domains)?

You should rather use standard privacy lists. XEP-0016
It is possible to allow messages from contacts on roster only.


-- 
 /o__  Hegel was right when he said that we learn from history that man
(_<^'  can never learn anything from history. -George Bernard Shaw




Re: Cipher suites in Jabberd2, disabling RC4

2016-10-26 Thread Tomasz Sterna
On 26.10.2016, Wed at 13∶08 -0400, Pete Fuller wrote:
> I’m using jabberd version 2.4 from the EPEL repo on Centos7.

You're golden.
See: http://abadcafe.pl/post/136618589813/configure-jabberd-2-for-xmppnet-score-a


-- 
 /o__ 
(_<^'  Always be sincere, even when you don't mean it. -Irene Peter



Re: Stale c2s connection leads to losing messages without any notice

2016-09-28 Thread Tomasz Sterna
On 28.09.2016, Wed at 15∶15 +0200, Deweloper wrote:
> IMHO in step 2 server should notice an error sending message to Bob
> (detect stale connection), change its state to "offline" and store
> the message for further delivery.

By design how TCP works, it is possible to detect a broken connection
only by writing to that connection.
And one write is not enough, because it will succeed even on half-
closed connections, as the bytes are passed to network buffers and sent
over the wire successfully.


> If that's impossible due to very long timeout, then the messages
> should still be kept in storage unless client acknowledges their
> receipt,

Unfortunately, there is no such feature built into XMPP.
If the message gets lost in transit, it is just gone. With no feedback.

You need to do active, client side acking as in XEP-0184 [1]. And then
it is the client responsibility to resend unacked messages.


> Or, at least, Alice should get "undelivered message" errors in step 4

Also, no such feature in XMPP.
The server has no way of knowing whether the message reached the
destination, without active recipient's application level cooperation.


> 
> Sadly, with the current approach the communication is simply
> unreliable.

Unfortunately, this is how it is.
TCP does not guarantee delivery [2] and neither does the XMPP binding to
TCP.


[1] http://xmpp.org/extensions/xep-0184.html
[2] http://lkml.iu.edu/hypermail/linux/kernel/0106.1/1154.html

-- 
 /o__ "Zaphod grinned two manic grins, sauntered over to the bar 
(_<^' and bought most of it." 
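
Added example, not part of the original message and not jabberd2 code: a loopback C demo of the point above that a single write does not reveal a dead connection. It uses the most favourable case, a peer that has fully closed its socket; `probe_closed_peer` and `struct probe_result` are names made up for this sketch, and `MSG_NOSIGNAL` assumes Linux.

```c
/* Added illustration, not jabberd2 code. Linux/POSIX sockets assumed. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical result record for this demo. */
struct probe_result {
    ssize_t first_write;   /* return value of the first send() after the peer closed */
    ssize_t second_write;  /* return value of the second send() */
    int     second_errno;  /* errno of the second send(), 0 if it succeeded */
};

/* Sleep helper: poll() on no descriptors simply waits for the timeout. */
static void pause_ms(int ms) { poll(NULL, 0, ms); }

/* Returns 0 when the experiment ran, -1 on setup failure. */
int probe_closed_peer(struct probe_result *out)
{
    struct sockaddr_in addr;
    socklen_t len = sizeof(addr);
    int lfd = -1, server_side = -1, client_side = -1, rc = -1;

    memset(out, 0, sizeof(*out));
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                       /* let the kernel pick a free port */

    lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) goto done;
    if (bind(lfd, (struct sockaddr *)&addr, sizeof(addr)) < 0) goto done;
    if (listen(lfd, 1) < 0) goto done;
    if (getsockname(lfd, (struct sockaddr *)&addr, &len) < 0) goto done;

    /* client_side plays Bob's client, server_side plays the c2s end. */
    client_side = socket(AF_INET, SOCK_STREAM, 0);
    if (client_side < 0) goto done;
    if (connect(client_side, (struct sockaddr *)&addr, sizeof(addr)) < 0) goto done;
    server_side = accept(lfd, NULL, NULL);
    if (server_side < 0) goto done;

    /* The client goes away. The server never reads, so it has not noticed. */
    close(client_side);
    client_side = -1;
    pause_ms(100);

    /* Write 1: accepted by the local TCP stack and reported as success. */
    out->first_write = send(server_side, " ", 1, MSG_NOSIGNAL);
    pause_ms(100);                           /* time for the peer's RST to arrive */

    /* Write 2: only now does the error surface. */
    errno = 0;
    out->second_write = send(server_side, " ", 1, MSG_NOSIGNAL);
    out->second_errno = (out->second_write < 0) ? errno : 0;
    rc = 0;

done:
    if (client_side >= 0) close(client_side);
    if (server_side >= 0) close(server_side);
    if (lfd >= 0) close(lfd);
    return rc;
}

int main(void)
{
    struct probe_result r;
    if (probe_closed_peer(&r) != 0) { perror("setup"); return 1; }
    printf("first write:  %zd\n", r.first_write);
    printf("second write: %zd (%s)\n", r.second_write,
           r.second_errno ? strerror(r.second_errno) : "no error");
    return 0;
}
```

When the peer has vanished without closing (no FIN, no RST), the second write also succeeds and the failure only appears after TCP retransmission gives up, which is why the message points to application-level acknowledgement.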



Re: stale connections, keepalive?

2016-08-29 Thread Tomasz Sterna
On 29.08.2016, Mon at 12∶41 -0400, Greg Troxel wrote:
> dropping idle connections from its NAT table without
> > telling anyone, so later when mobile network closed a connection it
> > silently dropped RST packets not knowing who to NAT them to. [...]
> Are you saying that a cell provider tracks TCP state and when the
> data connection is lost sends RST packets for open connections?

I am blissfully oblivious to inner workings of wide area switching
networks, but it sure looked like so when I was investigating the
dangling connections issue.

And a quick look at PDP_context[1] gives impression that it has
specific knowledge of the established connections.

[1] https://en.wikipedia.org/wiki/GPRS_core_network#PDP_context

-- 
 /o__ 
(_<^'  All generalisations are dangerous, including this one.



Re: stale connections, keepalive?

2016-08-29 Thread Tomasz Sterna
On 28.08.2016, Sun at 22∶45 +0200, Christof Meerwald wrote:

> > I'm not sure [...]
> 
> Are you sure? [...]

😄



-- 
 /o__ 
(_<^' One good turn deserves another.




Re: stale connections, keepalive?

2016-08-28 Thread Tomasz Sterna
On 27.08.2016, Sat at 14∶55 -0400, Greg Troxel wrote:
>   should jabberd2 force TCP keepalive on?

I'm not sure whether it is possible.
At least on Linux it is a system-wide setting and requires root to
change.


>   should c2s (and s2s probably, but less likely to be an issue) close
>   client connections if it has not seen anything from the client in
> some time period, like 8h?
>   is there any expectation in the protocol that clients should be
> doing any application-level keep-alive?

jabberd2 has support for application layer keepalives.

See io.keepalive [1][2] options.
Setting this up will flush single whitespace character over the wire
when the connection dangs idle. This triggers the TCP layer connection
validation.


Having said that, I am running my server without both application layer
and TCP keepalives turned on and see no issues with dangling
connections.

But.. I had them a lot, when my server was behind a buggy Cisco router
doing NAT. It was dropping idle connections from its NAT table without
telling anyone, so later when mobile network closed a connection it
silently dropped RST packets not knowing who to NAT them to. This was
causing a lot of dangling connections on my server.

Maybe you should investigate your network before turning on keepalives
as they cause unnecessary data transfer and battery usage on the mobile
devices.


[1] https://github.com/jabberd2/jabberd2/blob/master/etc/c2s.xml.dist.in#L335
[2] https://github.com/jabberd2/jabberd2/blob/master/etc/s2s.xml.dist.in#L228

-- 
 /o__ Q: How many Zen masters does it take to screw in a light bulb?
(_<^' A: None. The Universe spins the bulb, and the Zen master stays out



Re: Future of jabberd

2016-05-31 Thread Tomasz Sterna
On 30.05.2016, Mon at 20∶05 +0200, Tomasz Sterna wrote:
> I am still not fond of the synchronous nature of storage interface,
> but changing this would require rewriting it from scratch.
> Also having an asynchronous interface for immediate in nature
> backends like file backend or BDB, would require arm twisting.

Let's have it in the open:
https://github.com/jabberd2/jabberd2/issues/120




-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Re: Future of jabberd

2016-05-31 Thread Tomasz Sterna
On 31.05.2016, Tue at 16∶31 +, Shawn Debnath wrote:
> Re 1. Merging separate daemons to one.
> I am not sure if merging them into one process is the best idea. It
> sure is convenient, but isolation is a nice thing to have. Specially,
> when you have unauthorized users hammering on C2S.

Oh. I wasn't clear on that.
You will have the option to choose which components you want to run in
process, so if you wish you can keep the current setup of having one
process for each component. Possibly on different machines.

I just want the simple setup to have the option to run all components
in one process.


-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Re: jabberd-2.4.0 release

2016-05-31 Thread Tomasz Sterna
On 31.05.2016, Tue at 00∶39 -0700, li...@lazygranch.com wrote:
> ./configure --with-extra-library-path /usr/local/lib --with-extra-
> include-path /usr/local/include
> yielded
> 
> checking build system type... /usr/local/lib
> configure: error: invalid value of canonical build

Double-dash options format is:
--long-option=value

So, you need:
./configure --with-extra-library-path=/usr/local/lib --with-extra-include-path=/usr/local/include


-- 
 /o__ In case of injury notify your superior immediately. He'll kiss it and
(_<^' make it better.






Re: Future of jabberd

2016-05-30 Thread Tomasz Sterna
On 30.05.2016, Mon at 10∶31 +0200, Tomasz Sterna wrote:
> 7. DBI interface to RDBM.

Just one more question.

Do you (ML) have a use case for having SM storage in SQL?
Is it just for distributed SM only?
Maybe it is not worth the effort and we should just drop it and embed
something like LMDB [1] in?

I do see value of having SQL backend for authreg, to integrate with
existing userbase, but SM storage? Does it really need to be
abstracted?


[1] https://en.wikipedia.org/wiki/Lightning_Memory-Mapped_Database

-- 
 /o__ 
(_<^'  The best cure for insomnia is to get a lot of sleep. -W.C. Fields





Re: Future of jabberd

2016-05-30 Thread Tomasz Sterna
On 30.05.2016, Mon at 12∶50 -0700, li...@lazygranch.com wrote:
> Do you really have to cache something in jabberd when the data can be
> pulled from the sql database? Sure the data has changed. But if you
> pull a fresh record each time, I don't see the issue.

Unfortunately RDBMs are notorious to be a choking point.
You just cannot fetch data over and over again and expect reasonable
performance. This is the reason for rise of memcached, redis etc.

Also, see: https://metajack.wordpress.com/2008/08/26/choosing-an-xmpp-server/


-- 
 /o__ 
(_<^'  I must follow the people. Am I not their leader? -Benjamin Disraeli





Re: Future of jabberd

2016-05-30 Thread Tomasz Sterna
On 30.05.2016, Mon at 17∶38 +0300, brahmann wrote:
> Agree (web). [...] Its will be good for those who want it 
> but not in jabberd2 code inside.

I like how Cherokee web server does this:
It has a separate (written in Python) application for Web-based
configuration, which is started on-demand only for the time of the
configuration, listens on http://localhost:8090/ and is accessible with
one-time, generated password written to the console that started it.

Nevertheless this will require changes in how jabberd2 configuration is
handled, as the current state does not allow for runtime changes
without restarting the daemon.

The other approach is to allow restarting the daemon without losing
user connections and sessions. But this could be even messier.


P.S. I usually start cherokee-admin via SSH and access it via ssh-
tunnel proxying remote machine localhost:8090 to my local machine
localhost:8090 :-)


-- 
 /o__ No discipline is ever requisite to force attendance upon lectures which are
(_<^' really worth the attending.





Re: Future of jabberd

2016-05-30 Thread Tomasz Sterna
On 30.05.2016, Mon at 15∶40 +0200, Matěj Cepl wrote:
>    https://metajack.wordpress.com/2008/08/26/choosing-an-xmpp-server/
>  
>    by heart, don't you? When doing large changes in the 
>    codebase, it would be probably prudent to take those 
>    objections into consideration, especially database 
>    transaction “abuse”.

:-)
https://github.com/jabberd2/jabberd2/blob/master/etc/sm.xml.dist.in#L212

I am still not fond of the synchronous nature of storage interface, but
changing this would require rewriting it from scratch.
Also having an asynchronous interface for immediate in nature backends
like file backend or BDB, would require arm twisting.

But I do keep it in mind.



-- 
 /o__ "Zaphod grinned two manic grins, sauntered over to the bar 
(_<^' and bought most of it." 





Re: Future of jabberd

2016-05-30 Thread Tomasz Sterna
On 30.05.2016, Mon at 10∶00 -0700, li...@lazygranch.com wrote:
> That is one of the beauties of programs written around standard tools
> like ‎sql. You can hook into the database and add features, or not.

The issue with this approach is that SM component caches user data and
has no way of knowing that data was changed directly in database
backend.

http://martinfowler.com/bliki/TwoHardThings.html




-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Future of jabberd

2016-05-30 Thread Tomasz Sterna
There are some things we already talked about on Gitter channel [1],
but I would like to raise them on the ML for peer review.

As you can see from late activity, jabberd2 project is far from dead.
With the inclusion of new features like WebSocket support, C99 code
compatibility, IPv6 improvements, modern TLS handling, SASL Anonymous,
password hashing, CRAM-MD5 and more... it is not a stale codebase
anymore.

But it is far from modern too...
There are some changes I would like to introduce in the near future and
I would like to hear your thoughts about:

1. Merging separate daemons to one.
Current design of jabberd2 with separate router, sm, c2s, s2s processes
is designed to allow nice separation of concerns and distribution of
processing. Separate processes are proved to be better approach than
threads too.
But most installations of jabberd are not distributed, with one
instance of each component. Especially when c2s and sm got vhost
support and are able to handle more than one domain.
Also, modern OS architectures are tuned for event processing rather
than multithreading, so event based architecture is better suited for
them. Even jabberd2 process internally is event based on MIO.
So, it makes sense to allow for running all component instances in one
process, especially on amateur, low load servers.
Merging processes will allow for having one main loop only, so
maintaining bugfixes in it will be easier (main.c of all processes is a
copy-paste, with all the bugs, so bugs are also multiplied).

2. Phasing out MIO.
This is closely related to above. MIO used by jabberd2 does not have
clear main loop support, which is implemented separately in each
component main.c and is hardly pluggable.
Also, the way MIO is implemented (in .h file, with platform specific
bits in .c) makes it a maintenance nightmare.
I would really like to replace it with a modern, upstream maintained
event library. The nicest one I know is libuv, which also gives us nice
platform independence layer.
I already have a working c2s port to libuv as a PoC.

3. Phasing out router.
router component is the one binding all the others.
In current design it is the single point of failure. Other components
already support multiple instances, but router proved to be difficult
to multiply.
The most radical, yet compelling solution to this problem is getting
rid of the router at all. There are many cooked solutions for local
packet distribution, which Local Message Bus [2] looks like most
promising solution. I would see either Mbus [3] or NN_BUS [4] taking
role of router component.
The added advantage of using a Message Bus is the ability to connect to
the bus with alternative implementations to perform own actions.
i.e. having the ability to use CLI tools to eavesdrop and send messages
to the bus proved to be priceless when I implemented a PoC of the Bus
in experimental jabberd branch.
Bus also solves the problem of distribution - it is up to the
deployment administrator whether one sets up local, one-machine only
bus or a network distributed one.

4. Configuration interface.
At the moment jabberd is configured with static XML files loaded at
daemon startup. It is close to impossible to change the values in
runtime, as random places of the process are using copies of values or
direct pointers to values from config structure.
This heavily impedes implementation of features such as XEP-0133
Service Administration or Web interface.
From my experience, the best handling of such requirements is to
provide write-only/change-subscribe interface similar to GConf/dconf.
This interface does not allow reading on-demand of random values, but
allows only subscription to change and write-value + publish change.
This approach forces programmer to write value-change handlers in
application code, which allows changing the value by anyone at any
moment.
Do you know any standalone library that implements such approach,
or do I need to implement custom solution in jabberd codebase?

5. JavaScript support.
Let's face it - JavaScript is all the hype today :-) It also is a very
good language for data processing. I think it would be a good solution
for implementation of modern XEP logic in sm component.
sm is implemented in C with all RFC required logic, and all XEPs are
loadable modules to sm and these add JEP/XEP functionality.
Having an option to implement XEP logic in JS instead of plain C,
should speed up recent and experimental XEP adoption in jabberd.
This gives concerns to jabberd2 as an embedded server though - current
jabberd2 is perfectly able to work fine on low resource machines such
as DD-WRT router. Introducing heavy JS JIT machine could change that.
But with the rise of fast, embeddable JavaScript interpreters like
Duktape [5] it should be non-issue.

6. Proper logging.
jabberd2 has two logging facilities: log and debug_log, with log
logging only most interesting events and debug_log all the rest.
To aid debugging issues with your deployment you may enable -D

Re: jabberd-2.4.0 release

2016-05-28 Thread Tomasz Sterna
On 28.05.2016, Sat at 11∶48 -0700, li...@lazygranch.com wrote:
> Right. But what exactly do I update?

Sorry... I am a Linux guy, not familiar with FreeBSD internals.

But I am pretty sure, FreeBSD also has some kind of dynamic linker.
Seek its documentation.


> I don't understand this:
> > remember to update /etc/ld.so.conf too
> Common issue is to build jabberd2 against libraries in non-standard
> path and then jabberd2 fails to run, because dynamic linker cannot
> find
> these libraries.
> This is a reminder, to update dynamic linker configuration file.



-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Re: jabberd-2.4.0 release

2016-05-28 Thread Tomasz Sterna
On 27.05.2016, Fri at 23∶57 -0700, li...@lazygranch.com wrote:
> I don't understand this:
> remember to update /etc/ld.so.conf too

Common issue is to build jabberd2 against libraries in non-standard
path and then jabberd2 fails to run, because dynamic linker cannot find
these libraries.
This is a reminder, to update dynamic linker configuration file.


-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Re: jabberd-2.4.0 release

2016-05-27 Thread Tomasz Sterna
On 27.05.2016, Fri at 19∶14 -0700, li...@lazygranch.com wrote:
> Do you have both expat and its headers installed?
> Verify headers:
> /usr/local/include
> 
> So is this a flag or environment variable I need to set?

Yes.

$ ./configure --help
[...]
  --with-extra-include-path
  use additional include paths
  --with-extra-library-path
  use additional library paths (remember to update
  /etc/ld.so.conf too)



-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Re: jabberd-2.4.0 release

2016-05-27 Thread Tomasz Sterna
On 27.05.2016, Fri at 00∶09 -0700, li...@lazygranch.com wrote:
> Actually I had downloaded  jabberd-2.4.0.tar.gz. [...]
> Doing some internet search, it is suggested the procedure should be:
> aclocal
> automake --add-missing
> autoconf
> ./configure

Using jabberd-2.4.0.tar.gz you do not need to do autotools stuff.
Just:

./configure
make
sudo make install


> I get this error message:
> --
> checking for XML_ParserCreate in -lexpat... no
> configure: error: Expat not found

configure cannot find Expat [1].
Do you have both expat and its headers installed?

[1] http://www.libexpat.org/

-- 
 /o__ 
(_<^'  Honk if you are against noise pollution!





Re: jabberd-2.4.0 release

2016-05-26 Thread Tomasz Sterna
On 26.05.2016, Thu at 19∶46 -0700, li...@lazygranch.com wrote:
> This is from my attempt to compile the tar.gz file after doing
> autoreconf -i
> ./configure
> 
> I get
> ./configure: 12735: Syntax error: word unexpected (expecting ")")


Do not use the source labeled "Source code (tar.gz)" - this is plain
git source dump, not ready for direct consumption.

Use the source labeled jabberd-2.4.0.tar.xz or jabberd-2.4.0.tar.gz
(the ones with .asc signatures). These are prepared, with ./configure
script etc. generated.



P.S. or install autoconf-archive package

-- 
 /o__ 
(_<^'  As famous as the unknown soldier.





Re: Trying to unsubscribe

2016-05-24 Thread Tomasz Sterna
On 24.05.2016, Tue at 03∶24 +0100, David Woodfall wrote:
> I've tried 2 or 3 times to unsubscribe from this list. Each time I
> get acknowledgement that I have done so, but I still receive mail.
> The list owner address doesn't seem to exist too.
> If a list admin reads this, please unsubscribe me.

Should be fixed now. SELinux intervened... ;-)
Thanks for the report.

I just went through whole subscribe-confirm-unsubscribe-confirm process
without issues.


-- 
 /o__ 
(_<^' A Fortran compiler is the hobgoblin of little minis.






Re: Trying to unsubscribe

2016-05-23 Thread Tomasz Sterna
On 24.05.2016, Tue at 01∶23 -0300, Marco Bertolaccini wrote:
> Hi. I want to unsubscribe too.

Every message distributed by this list has the following headers:

List-Id: jabberd2-lists.xiaoka.com
List-Post: 
List-Help: 
List-Unsubscribe: 
List-Subscribe: 


-- 
 /o__ 
(_<^'  Honk if you are against noise pollution!





Re: jabberd-2.4.0 release

2016-05-23 Thread Tomasz Sterna
On 23.05.2016, Mon at 15∶38 -0400, Greg Troxel wrote:
> Does this imply that it should be safe, aside from cautions in NEWS,
> to update a machine running 2.3.x to 2.4.0?

Yes. No breaking changes.

> Often a minor version change indicates something more dramatic than
> bugfixes, so I thought I would ask.

I am attempting to follow http://semver.org/ so every release should
bring up MINOR number, with PATCH reserved for fixing screw-ups in
MINOR release.

2.4.0 fixes bugs in XMPP/XEP/daemons implementation, not in the release
process itself.

So, expect 2.5.0 to follow up, not 2.4.1.



-- 
 /o__ 
(_<^' Captain's Log, star date 21:34.5...





jabberd-2.4.0 release

2016-05-22 Thread Tomasz Sterna
Next jabberd2 release is available.

Get 2.4.0 release at GitHub:
https://github.com/jabberd2/jabberd2/releases


This is a bugfix release.

Make sure to read the NEWS before upgrade:
https://github.com/jabberd2/jabberd2/blob/jabberd-2.4.0/NEWS


Changes:
 * Check for C99 support in compiler
 * Count RIO bytes and check against max stanza size
 * Gracefully drop unhandled HTTP connections
 * wss:// (WebSocket over SSL) support in c2s
 * Allow BareJID S10N packets
 * Fallback to connecting S2S using local.ip when none of the origin.ip
   works
 * Removed explicit SQLite transactions
 * SQLite postconnect SQL support
 * SQLite DB setup script improvements
 * Many Coverity Scan and cppcheck detected issues fixed
 * Properly lowercase SASL mechanisms in c2s
 * Support out-of-source build

https://github.com/jabberd2/jabberd2/commits/jabberd-2.4.0



-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Re: online/offline with a pipe in SM

2016-05-12 Thread Tomasz Sterna
On 12.05.2016, Thu at 15:52 +0200, Igor Zarraga wrote:
> For me it would be good to have a module of SM to make a pipe and
> send online/offline events of sessions to another system (like
> authreg_pipe).  Perphaps it block sm sending these events and affect
> to scalability of the system.

This is a cool idea.

Please create a feature request on:
 https://github.com/jabberd2/jabberd2/issues/new
and I will look into this.


-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Re: self signed cert

2016-05-07 Thread Tomasz Sterna
On 03.05.2016, Tue at 16:51 -0700, li...@lazygranch.com wrote:
> I know when I used a web hosting company to handle my email, I would
> yearly have to blindly trust the new cert.

And this exact behavior I'd like to eradicate.

Most users do not bother to check whether they are blindly accepting
the right certificate, or a certificate provided by a middle-man.



-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Re: self signed cert

2016-05-03 Thread Tomasz Sterna
On 03.05.2016, Tue at 12:34 -0700, li...@lazygranch.com wrote:
> I'm not following you here. You still have encryption with a self
> signed cert, but no trust. But if you can't trust yourself, who else
> can you trust? 

If you have a reliable way of distributing your certificate, then yes.
But then you are acting as a CA, so why not use a real one?

But if you just accept whatever cert the server provides you with (like
most people connecting to a self-signed service), then you have no more
protection than on an unencrypted connection.


> On public wifi without the self signed cert, the conversation could
> be read, not to mention login credentials.

Using a man-in-the-middle attack, even the encrypted conversation could
be read - see the above scenario with accepting a server-provided cert.

And the default configuration of jabberd2 is not to allow plain text
passwords on unencrypted channel, so you cannot read the login
credentials.


> Take "letsencrypt" for example. Prior to adding their certificates to
> my root store, I could still get encryption, provided I let my
> browser go ahead. I just could trust the website identity. 

But you are not sure of the identity. You could as well trust the
man-in-the-middle proxying your communication and posing as the website.


> The Hong Kong Post Office is a CA, but I don't really trust them. ;-
> )‎ 

Why?
They passed the audit checking whether they reliably verify the
credentials before signing certs.


> But xmpp doesn't have the downgrade option. 

You do not need to downgrade to an unencrypted channel. A MITM can as well
proxy an encrypted connection on both sides, decrypting/encrypting on
the fly, as long as clients accept self-signed certs blindly, without
consulting a CA registry.



-- 
 /o__ Documentation is like sex: when it is good, it is very, very good; and
(_<^' when it is bad, it is better than nothing.





Re: self signed cert

2016-05-03 Thread Tomasz Sterna
On 03.05.2016, Tue at 09:40 -0700, li...@lazygranch.com wrote:
> I suspect you wouldn't want s2s to use a self signed cert, so
> allowing two level of verification (c2s and s2s) sounds complex. You
> fix one thing in software and you break something else.

So, why would you allow self-signed on C2S?

Why do you want to use encryption in the first place?
So, no one is able to read the conversation, right?
But a self-signed cert does not give you this... Just a false illusion
that you are protected from eavesdropping.
But self-signed does not protect you from a man-in-the-middle attack, so
basically anyone able to tap the wire your transmission is going
through is still able to read it, with just slightly more effort.


> I noticed the online documentation doesn't completely match the xml,
> but there are enough comments in the xml that I could get close to
> setting it up. It is just the certs that are confusing.

Yeah. The real and up to date source of documentation are the comments
in the configuration files.


-- 
 /o__ 
(_<^' Practice is the best of all instructors.





Re: self signed cert

2016-05-03 Thread Tomasz Sterna
On 03.05.2016, Tue at 02:12 -0700, li...@lazygranch.com wrote:
> jabberd2 version(2.3.6)
> I followed these instructions:
> https://github.com/jabberd2/jabberd2/wiki/InstallGuide-OpenSSLConfigu
> ration
> [...]
> SM  : sx (ssl.c:405) secure channel not established, handshake in
> progress
> SM  : sx (ssl.c:59) verify error:num=18:self signed
> certificate:depth=0:/C=US/ST=state/L=city/O=none/OU=none
> /CN=mydomain.org/emailAddress=webmas...@mydomain.org
> 

I guess I could catch X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT (18)
in SSL_CTX_set_verify callback and pass the cert through,
but I'm ambivalent about it...

We should really discourage use of self-signed certificates.
On the other hand, it really speeds up test deployments.

Maybe have it as an option, to enable if you really-really need to use
self-signed certificates?

What do you think?


-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Re: self signed cert

2016-05-03 Thread Tomasz Sterna
On 03.05.2016, Tue at 06:22 -0700, li...@lazygranch.com wrote:
> So the documentation on generating a self signed cert  is not
> correct.

It is (for the lack of better word) ancient.
Unfortunately, there is no one willing to work on improving it.


> Isn't the key generated in that document technically the root CA?‎ 

I think so.



-- 
 /o__ Q: What is the difference between a duck?
(_<^' A: One leg is both the same.





Re: self signed cert

2016-05-03 Thread Tomasz Sterna
On 03.05.2016, Tue at 02:12 -0700, li...@lazygranch.com wrote:
> How exactly do I specify the cachain for a self signed cert.

You need to put your root CA used to sign the cert into the CA certs
store specified in the 'cachain' option.

This is to encourage deployments to stop using self-signed certs, of
questionable security, and instead get a real cert.
You can get real, widely accepted certs for free.


> I get openssl error 18 meaning it can't be verified. Setting
> verify-mode='0' didn't help.

verify-mode sets how the server should verify client-provided
certificates. 0 (SSL_VERIFY_NONE[1]) is the default.



[1] https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_verify.html

-- 
 /o__ 
(_<^' I respect faith, but doubt is what gives you an education.





Re: Can't log in;starttls;freebsd 10.2 ; jabberd2 version(2.3.6)

2016-05-01 Thread Tomasz Sterna
On 01.05.2016, Sun at 18:57 -0700, li...@lazygranch.com wrote:
>  realm="MYDOMAIN>COM"
> permfile="/usr/local/etc/jabberd/jabber.pem"
> ciphers="TLSv1.2, TLSv1.0"

This is incorrect.
See: 
http://abadcafe.pl/post/136618589813/configure-jabberd-2-for-xmppnet-score-a

> require-starttls='true'

You require StartTLS, let's remember that.

> register-enable='false'
> password-change='false'

This is incorrect. These values work by setting them or not setting
them - the value itself is irrelevant.



> C2S : sx (io.c:301) encoding 250 bytes for writing:  version='1.0'?>
>  xmlns='jabber:client' from='MYDOMAIN.COM' version='1.0' 
> id='LONGRANDOM' xmlns:ack='http://www.xmpp.org/extensions/xep-0198.ht
> ml#ns'>;
> 
> C2S : sx (sasl.c:260) ssl not established yet but the app requires
> it, not offering mechanisms

Here's a first clue.
Your server said that it requires ssl, and your connection is not ssl
yet, so it won't offer any auth mechanisms.

Regardless that auth was not offered yet, your client attempted
authentication:

> C2S : sx (io.c:255) decoded read data (176 bytes):  id="_xmpp_auth1" 
> type="set"> xmlns="jabber:iq:auth">SOMEUSERPASSWOR
> D
> profanity

No wonder server borked on it.

> C2S : Mon May  2 01:08:12 2016 c2s.c:392 pre STARTTLS packet,
> dropping

It even gave you a plain text description what went wrong:

> C2S : sx (error.c:79) prepared error:  xmlns:stream='http://etherx.jabber.org/streams'>;
> 
> 
> STARTTLS is required for this stream
  


I suggest using a standards-conformant XMPP client for your tests.
It shall make your life much easier. :-)



-- 
 /o__ Q: What's a light-year?
(_<^' A: One-third less calories than a regular year.






Re: Questions...

2016-04-14 Thread Tomasz Sterna
On 13.04.2016, Wed at 09:19 -0700, John Oliver wrote:
> 2) Can jabberd2 authenticate against LDAP?

Yes it can.
Use authreg_ldap or authreg_ldapfull backend.


> 3) Can jabberd2 have users auto-join or automatically be buddies?

Kind of...
storage_ldapvcard module pulls roster items and groups from LDAP.
See sm.xml under "roster-publish".


-- 
 /o__ When someone says "I want a programming language in which I need only
(_<^' say what I wish done," give him a lollipop.






Re: Questions...

2016-04-14 Thread Tomasz Sterna
On 14.04.2016, Thu at 10:49 +0200, Matěj Cepl wrote:
> Do we know what is the upgrade story? Does the latest jabberd2 
> just takes over the original configuration?

Upgrade path is documented:
https://github.com/jabberd2/jabberd2/blob/master/NEWS


-- 
 /o__ 
(_<^' Some people only open up to tell you that they're closed.






Re: Accepted presence subscription never signaled to the subscriber

2016-04-01 Thread Tomasz Sterna
On 01.04.2016, Fri at 15:06 +0200, Philipp Jacob wrote:
>  from='localhost' to='localhost'>
>  type='subscribed' to='gloox@localhost'/>
> 
> sx (io.c:301) encoding 210 bytes for writing:  sx (io.c:255) decoded read data (210 bytes):
>  to='localhost' from='localhost'>
>    type='subscribed' from='user1@localhost/testclient'/>
> 
> (io.c:96) completed nad: https://github.com/jabberd2/jabberd2/issues/new


-- 
 /o__  A verbal contract isn't worth the paper it's written on. Include
(_<^'  me out. -Samuel Goldwyn





Re: Accepted presence subscription never signaled to the subscriber

2016-04-01 Thread Tomasz Sterna
On 01.04.2016, Fri at 11:04 +0200, Philipp Jacob wrote:
> In the router's debug output I can see the incoming subscribed
> presence stanza from the contact:
> sx (io.c:255) decoded read data (323 bytes):  to='localhost'> sc:sm='621b457a7181f454ca07bb4326e73e67096ed383' sc:c2s='10'
> from='user1@localhost/testclient' type='subscribed'
> to='gloox@localhost'/>

I'm pretty sure the router routed it from 'c2s' to 'localhost' as
requested.

Take a look at sm debug log of 'localhost' to see what happened with
that stanza there.

According to RFC6121 3.1.5. server should:
Replace from='user1@localhost/testclient' with from='user1@localhost';
Then push roster item to all user1 (interested) resources;
And finally send presence to gloox.



-- 
 /o__  "I always avoid prophesying beforehand because it is much better
(_<^'  to prophesy after the event has already taken place. " - Winston






Re: jabberd-2.3.6 release

2016-02-29 Thread Tomasz Sterna
On 29.02.2016, Mon at 17:35 +0300, ungifte...@gmail.com wrote:
> Yes, It's Gentoo specific. Sorry. 
> 
>   epatch "${FILESDIR}"/${P}-optimization.patch
>   eautoreconf

Doh... I should have removed that check long time ago...

Done: http://github.com/jabberd2/jabberd2/commit/7746da1


-- 
 /o__ 
(_<^' Any given program will expand to fill available memory.





Re: jabberd-2.3.6 release

2016-02-29 Thread Tomasz Sterna
On 29.02.2016, Mon at 13:14 +0300, ungifte...@gmail.com wrote:
> > Next jabberd2 release is available.
> 
> Have to emerge autoconf-archive for new coloring feature

Do you build from bare GitHub source?

This macro should get included in the release archive, which does not
require any autotools packages installed for building.


-- 
 /o__ Q: How many Martians does it take to screw in a light bulb?
(_<^' A: One and a half.






jabberd-2.3.6 release

2016-02-27 Thread Tomasz Sterna
Next jabberd2 release is available.

Get 2.3.6 release at GitHub:
https://github.com/jabberd2/jabberd2/releases


This is a major bugfix release.

The main change is that WebSocket connections are now fully working and
stable.
Also if you are using MUC, you want to upgrade as 2.3.5 direct presence
bug prevented users from entering MUC rooms.

Make sure to read the NEWS before upgrade:
https://github.com/jabberd2/jabberd2/blob/jabberd-2.3.6/NEWS


Changes:
 * Support WebSocket fragmented packets
 * Fixed delivering directed presence (to self)
 * Reset in-sess 'from' to FullJID on non-Presence packets

https://github.com/jabberd2/jabberd2/commits/jabberd-2.3.6



-- 
 /o__ 
(_<^'  It's more than magnificent - it's mediocre. -Samuel Goldwyn





jabberd-2.3.5 release

2016-01-28 Thread Tomasz Sterna
Next jabberd2 release is available.

Get 2.3.5 release at GitHub:
https://github.com/jabberd2/jabberd2/releases


This is a major bugfix release with a bit of new features.

It fixes a recently discovered issue with secure generation of dialback keys.
The user verification via email module should help with spam bots registrations.

Make sure to read the NEWS before upgrade:
https://github.com/jabberd2/jabberd2/blob/jabberd-2.3.5/NEWS


Changes:
 * Module to verify users using e-mail
 * Reordered MIO backends priority
 * Skip non-existing blowfish i386 assembler code
 * Use CSPRNG for dialback keys
 * Allow presence probing own connections
 * Use OpenSSL functions for base64 en/decoding when available
 * Option to dump packet-filter matched packets to file

For a full change log see:
https://github.com/jabberd2/jabberd2/commits/jabberd-2.3.5



-- 
 /o__ 
(_<^' It's ten o'clock; do you know where your processes are?





Re: missing presence packet

2015-12-06 Thread Tomasz Sterna
On 04.12.2015, Fri at 15:05 -0500, Stepan Salenikovich wrote:
> So I'm looking for suggestions as to how this could be debuged... or
> any tips as to where to look.

Turn on debug logs -D on both c2s and sm and analyse what happens when
A logs back on.


-- 
 /o__ 
(_<^' I'm a soldier, not a diplomat. I can only tell the truth.





Re: Configuration of SSL?

2015-11-20 Thread Tomasz Sterna
On 20.11.2015, Fri at 15:25 +0100, Matěj Cepl wrote:
> On 2015-11-19, 22:58 GMT, Tomasz Sterna wrote:
> > I have builds for recent Fedora versions on OBS [1], but
> 
> I prefer to help with maintaining true Fedora/EPEL packages.

Understandable.
Could you please add "--enable-mio" as in [1], because as it is now,
Fedora builds jabberd2 with select() backend, which gets laggy with
thousands of connections.

[1] 
https://build.opensuse.org/package/rdiff/home:smoku:jabberd/jabberd?linkrev=base&rev=11


P.S. These are official Fedora SRPMs, updated to latest source only.
I do not have the luxury to wait for Fedora to catch up after a release,
or a bugfix, so I need to build my own packages.

-- 
 /o__ 
(_<^'  We're overpaying him, but he's worth it. -Samuel Goldwyn





Re: Configuration of SSL?

2015-11-19 Thread Tomasz Sterna
On 19.11.2015, Thu at 20:42 +0100, Matěj Cepl wrote:
> OK, then I doomed. :) Don't worry, I can live with a C mark
> pretty well.

I have builds for recent Fedora versions on OBS [1], but RHEL/CentOS
are missing crucial dependencies, so I cannot build for these.


[1] https://build.opensuse.org/project/repositories/home:smoku:jabberd

-- 
 /o__ "You're very sure of your facts, " he said at last, "I 
(_<^' couldn't trust the thinking of a man who takes the Universe 





Re: Configuration of SSL?

2015-11-18 Thread Tomasz Sterna
On 18.11.2015, Wed at 16:19 +0100, Matěj Cepl wrote:
> > in c2s.xml in  section set:
> >
> >      >
> ciphers='ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES
> 12
> > 8:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS'
> >        >ceplovi.cz
> >
> > to get A score.
> 
> Which version of jabberd2 is required?

You need 2.3.4 minimum.


-- 
 /o__ %DCL-MEM-BAD, bad memory
(_<^' VMS-F-PDGERS, pudding between the ears





Re: Configuration of SSL?

2015-11-18 Thread Tomasz Sterna
On 18.11.2015, Wed at 11:30 +0100, Matěj Cepl wrote:
> So, I would like to switch off RC4 which is really an obsolete
> nonsense. With Apache I can do it in its configuration, is it 
> possible to do it somehow for jabberd2?

in c2s.xml in  section set:

    ceplovi.cz

to get A score.


-- 
 /o__ 
(_<^' Your education begins where what is called your education is over.





Re: XMPP SPAM

2015-11-09 Thread Tomasz Sterna
On 2015-11-09, Mon at 21:18 +0100, Simon Josefsson wrote:
> how people handle this?

My solution is:
# firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=193.105.240.126 reject"


-- 
 /o__ Is truth not truth for all?
(_<^'  the Sky", stardate 5476.4.





Re: jabberd-2.3.4 release

2015-10-30 Thread Tomasz Sterna
On 2015-10-30, Fri at 15:45 +0300, ungifte...@gmail.com wrote:
> 30.10.2015 12:17, Tomasz Sterna wrote:
> > With this release jabberd2 joins HTTP realm with WebSocket client
> 
> It need http-parser for websockets, but configure doesn't check it.

It does check it, when you do:
./configure --enable-websocket

The bug that http_parser.h gets included even when websocket is not
enabled is already fixed:
https://github.com/jabberd2/jabberd2/commit/b861b9c72adc732cbdfbac4eb8a4205126227f6b


P.S. It's better to report bugs via GitHub, than the ML.
https://github.com/jabberd2/jabberd2/issues/new


-- 
 /o__ 
(_<^' Whom the gods wish to destroy they first call promising.






jabberd-2.3.4 release

2015-10-30 Thread Tomasz Sterna
Next jabberd2 release is available.

Get 2.3.4 release at GitHub: https://github.com/jabberd2/jabberd2/releases


This is a major feature release with a bit of bugfixes.

With this release jabberd2 joins HTTP realm with WebSocket client
connections handling built in C2S module! :-)


Changes:
 * Rewrite TLS ephemeral key + cipher handling
 * Recover Berkeley DB before opening it
 * bcrypt support for PostgreSQL
 * Option to set authreg module per realm
 * AuthReg ANONYMOUS does not offer password check
 * Answer to disco#info queries to user JID
 * WebSocket C2S SX plugin

For a full change log see: 
https://github.com/jabberd2/jabberd2/commits/jabberd-2.3.4




-- 
 /o__ 
(_<^' Schshschshchsch.






Re: Message injection

2015-09-02 Thread Tomasz Sterna
On 2015-09-01, Tue at 09:23 -0600, Kyle Waters wrote:
> I'm able to insert a message into the queue table and have it pop up 
> for a user the next time they log in.  Is there a way to submit a 
> message and have it show up immediately for a logged in user with out 
> going through client authentication

jabberd2 was never designed to allow messing with storage directly.
storage module is opaque and you should not touch it bypassing the
daemon.

It's not that hard to connect the daemon over a client or component
connection to inject a message. [1]


[1] http://stackoverflow.com/questions/170503/commandline-jabber-client


-- 
 /o__  Talking about a piece of movie dialogue: Let's have some new
(_<^'  cliches. -Samuel Goldwyn






Re: testing jabberd2 TLS with openssl s_client

2015-05-08 Thread Tomasz Sterna
On 2015-05-08, Fri at 22:47 +0200, Guenther Kuenzel wrote:
> what i expect is a dump of the certificate chain, like it is with all
> other protocols which are supported by openssl s_client.
> any ideas?

Misconfigured server?

With my server it works just fine...

23:34 ~ $ openssl s_client -CApath /etc/ssl/certs -starttls xmpp -connect chrome.pl:5222
CONNECTED(0003)
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN = StartCom Class 1 Primary Intermediate Server CA
[...]
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
[... and so on ...]
> 


-- 
 /o__ Q: How do you stop an elephant from charging?
(_<^' A: Take away his credit cards.




Re: jabberd-2.3.3 release

2015-04-14 Thread Tomasz Sterna
On 2015-04-14, Tue at 15:26 +0200, Matěj Cepl wrote:
> Are there any release notes? Are there any changes, upgrade 
> path? Should the packagers in Linux distros be concerned about 
> something?

As usual https://github.com/jabberd2/jabberd2/blob/master/NEWS

I am quoting latest paragraph of NEWS in the release announcement.


-- 
 /o__ "`Credit?' he said. `Aaaargggh...'
(_<^' These two words are usually coupled together in the Old 




jabberd-2.3.3 release

2015-04-13 Thread Tomasz Sterna
Next jabberd2 release is available.

Get 2.3.3 release at GitHub: https://github.com/jabberd2/jabberd2/releases


This is a bugfix release with a bit of new features added.


Changes:
- Support for RSA/DH/ECDH key agreement
- bcrypt support for MySQL storage
- C2S per session user data & authreg auth API extensions
  for custom authreg backends
- Option to provide a custom openssl library path

For a full change log see: 
https://github.com/jabberd2/jabberd2/commits/jabberd-2.3.3




-- 
 /o__ Q: How many IBM CPU's does it take to do a logical right shift?
(_<^' A: 33. 1 to hold the bits and 32 to push the register.





Re: STARTTLS connection on jabberd2

2015-02-26 Thread Tomasz Sterna
On 2015-02-26, Thu at 12:00 +0100, Matěj Cepl wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1179229. What do you think
> about my comment 3 and the attached patch?

I have no idea.
My knowledge of TLS is close to vague.


-- 
 /o__ Q: What do monsters eat?
(_<^' A: Things.





Re: XEP-0138 uncontrolled resource consumption ???

2015-02-26 Thread Tomasz Sterna
On 2015-02-26, Thu at 01:38 +0100, Matěj Cepl wrote:
> could anybody confirm that 
> http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/
>  

As you can see at
https://github.com/jabberd2/jabberd2/blob/f6225f9cc5af93835285a0a788479978d271ee38/sx/io.c#L64
 stanza_size_limit is enforced on unencrypted/uncompressed bare stanza data.
So if the lower layer (sx compress plugin) feeds too much data, the
connection is torn down.


-- 
 /o__ Q: How do you stop an elephant from charging?
(_<^' A: Take away his credit cards.
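
The check described in the message above, as an added example that is not part of the original message and is not jabberd2's code: the size cap is applied to decoded bytes as they leave the decompression layer, chunk by chunk, so a small compressed input cannot force a large allocation. The `stream` struct, the function names, the limit of 1024 and the toy run-length format (a stand-in for zlib) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHUNK 256               /* decoder output buffer size */

struct stream {
    size_t stanza_bytes;        /* decoded bytes seen in the current stanza */
    size_t limit;               /* maximum decoded stanza size (assumed setting) */
    int closed;                 /* set once the limit has been exceeded */
};

/* Account for n decoded bytes handed up by the layer below.
 * Returns 0 to continue, -1 when the connection has to be torn down. */
static int stream_account(struct stream *s, size_t n)
{
    if (s->closed)
        return -1;
    if (n > s->limit - s->stanza_bytes) {   /* overflow-safe "bytes + n > limit" */
        s->closed = 1;
        return -1;
    }
    s->stanza_bytes += n;
    return 0;
}

/* Called when the parser has seen a complete stanza. */
static void stream_stanza_done(struct stream *s)
{
    s->stanza_bytes = 0;
}

/* Toy run-length decoder standing in for the compression layer. Input is a
 * sequence of 3-byte records: 16-bit big-endian run length, then the byte to
 * repeat. Output passes through a fixed CHUNK-sized buffer and is accounted
 * chunk by chunk, so neither memory nor work grows with the claimed expansion.
 * Returns the number of decoded bytes accepted before stopping. */
static size_t decode_and_account(struct stream *s,
                                 const unsigned char *in, size_t inlen)
{
    unsigned char out[CHUNK];
    size_t accepted = 0;

    for (size_t i = 0; i + 3 <= inlen; i += 3) {
        size_t run = ((size_t)in[i] << 8) | in[i + 1];
        while (run > 0) {
            size_t n = run < CHUNK ? run : CHUNK;
            memset(out, in[i + 2], n);      /* out[0..n) would go to the XML parser */
            if (stream_account(s, n) != 0)
                return accepted;            /* rest of the input is never expanded */
            accepted += n;
            run -= n;
        }
    }
    return accepted;
}

/* Constructed sample inputs. */
static const unsigned char SMALL[] = { 0x00, 0x10, 'a' };   /* 3 -> 16 bytes */
static const unsigned char EXPANDING[] = {                  /* 12 -> 262140 bytes */
    0xFF, 0xFF, 'x', 0xFF, 0xFF, 'x', 0xFF, 0xFF, 'x', 0xFF, 0xFF, 'x'
};

/* Decode one input as a single stanza under the given limit. */
static size_t run_one(const unsigned char *in, size_t inlen,
                      size_t limit, int *closed)
{
    struct stream s = { 0, limit, 0 };
    size_t n = decode_and_account(&s, in, inlen);
    if (!s.closed)
        stream_stanza_done(&s);
    *closed = s.closed;
    return n;
}

int main(void)
{
    int closed;
    size_t n = run_one(SMALL, sizeof SMALL, 1024, &closed);
    printf("small:     accepted=%zu closed=%d\n", n, closed);
    n = run_one(EXPANDING, sizeof EXPANDING, 1024, &closed);
    printf("expanding: accepted=%zu closed=%d\n", n, closed);
    return 0;
}
```

The counter is reset per stanza, so a long-lived connection carrying many small stanzas is unaffected, while a single oversized one closes the stream after at most `limit` decoded bytes.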





Re: STARTTLS connection on jabberd2

2015-02-26 Thread Tomasz Sterna
On 2015-02-26, Thu at 01:09 +0100, Matěj Cepl wrote:
> pemfile="/etc/pki/tls/certs/luther.ceplovi.cz-intermediate.crt"

.crt suggests that this is certificate only.
You need a .pem with full chain of all certificates from the CA, to your
certificate (if not present in global ca-certificates) and a private
key, concatenated together in one file.



-- 
 /o__  Talking about a piece of movie dialogue: Let's have some new
(_<^'  cliches. -Samuel Goldwyn





Re: Some users cannot connect after upgrade from 2.2.17 to 2.3.2

2014-12-27 Thread Tomasz Sterna
On 2014-12-21, Sun at 20:44 +0100, Eric Koldeweij wrote:
> Sun Dec 21 14:00:38 2014 c2s.c:439 pre-session packet, bye
> Sun Dec 21 14:00:38 2014 [notice] [20] packet sent before session
> start, closing stream

IIRC this is a buggy behavior of libpurple based clients (ie. Pidgin),
which start the session, but do not wait for session establishment and
send more packets immediately after.




-- 
Tomasz Sterna   :(){ :|:&};:
Instant Messaging Consultant   Open Source Developer 
http://abadcafe.pl/  http://xiaoka.com/portfolio





Re: BOSH -> XMPPoWS

2014-09-12 Thread Tomasz Sterna
On 2014-09-12, Fri at 09:29 +0200, Marek Červenka wrote:
> > Does jabberd2 accept '=' in final digest-md5 response?

IIRC there was a bug reported for this, and it was already fixed long
time ago...


> solved
> it was not on the jabberd2 side

Glad to hear that. :-)






Re: jabberd2 web presence

2014-09-04 Thread Tomasz Sterna
On 2014-09-04, Thu at 16:14 +0200, Marek Červenka wrote:
> added to
> https://github.com/jabberd2/jabberd2/wiki/WebPresence (addons)

Thanks.
I added a note about webstatus resource.


-- 
Tomasz Sterna   :(){ :|:&};:
Instant Messaging Consultant   Open Source Developer 
http://abadcafe.pl/  http://xiaoka.com/portfolio





Re: jabberd2 web presence

2014-08-29 Thread Tomasz Sterna
On 2014-08-28, Thu at 21:24 +0200, Marek Červenka wrote:
> can you recommend plugin for web presence for jabberd2?
> something like http://www.jabbim.com/services-status-icon.html

No need for a plugin.
Built-in mod_status stores user presence in 'status' table.
You just need to build a web frontend for this table.





Re: xhash and it's key

2014-08-29 Thread Tomasz Sterna
On 2014-08-28, Thu at 17:51 +, Shawn Debnath wrote:
> The problem is that it breaks scenarios where the user may
> use a temp buffer to build the key, then insert or put it in the xhash
> and then free the buffer memory.

This is invalid use of xhash.

> Assumption here is that xhash code 
> would allocate necessary buffer to store internal data and not rely on
> user supplied memory to maintain its internal data structures.

There is no such assumption.
It's a gotcha waiting for every new jabberd2 dev. ;-)

> Any ideas if there was a particular reason this was designed this way? I
> imagine, in most of the cases the key is inside the object being stored
> so it works out.

This is for efficiency reasons.
Strings in jabberd are usually coming from incoming NADs (notice
xhash_putx() taking the len of the key) or being allocated in memory
pools associated with objects.
It would be a waste of memory and CPU to make a copy each time an object
gets stored in hash or removed from hash.
Also, when these strings are part of the object they identify, memory
management is as easy as freeing the object and its associated memory
pool (assuming it was already removed from all its references including
xhashes).

> However, as you can see, the xhash implementation
> can't be fully exploited/used.

The fact you are allocating object identifier strings on stack/heap is a
sign of bad design.
Could you rethink your design to include the identifier as a part of the
object it names?
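
The key-lifetime rule discussed in this message, as an added example that is not part of the original message and is not jabberd2's xhash code: a minimal table that, like the behaviour described, keeps the caller's key pointer instead of copying it. All names (`table_putx`, `struct session`, the sample JIDs) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NBUCKETS 31

/* Table entry. The key is NOT copied: only the caller's pointer and length
 * are kept, which is the behaviour the message above describes. */
struct entry {
    const char *key;            /* borrowed from the caller */
    size_t len;
    void *val;
    struct entry *next;
};
struct table { struct entry *bucket[NBUCKETS]; };

/* Hypothetical stored object: its identifier is one of its own members. */
struct session { char jid[64]; int fd; };

static unsigned hash_bytes(const char *s, size_t len)
{
    unsigned h = 5381;
    while (len--)
        h = h * 33 + (unsigned char)*s++;
    return h % NBUCKETS;
}

/* Store val under key[0..len); the key bytes stay where the caller put them. */
static int table_putx(struct table *t, const char *key, size_t len, void *val)
{
    unsigned b = hash_bytes(key, len);
    struct entry *e = malloc(sizeof *e);
    if (e == NULL)
        return -1;
    e->key = key; e->len = len; e->val = val;
    e->next = t->bucket[b];
    t->bucket[b] = e;
    return 0;
}

static void *table_get(const struct table *t, const char *key)
{
    size_t len = strlen(key);
    const struct entry *e = t->bucket[hash_bytes(key, len)];
    for (; e != NULL; e = e->next)
        if (e->len == len && memcmp(e->key, key, len) == 0)
            return e->val;
    return NULL;
}

static void table_free(struct table *t)
{
    for (int i = 0; i < NBUCKETS; i++)
        for (struct entry *e = t->bucket[i], *n; e != NULL; e = n) {
            n = e->next;
            free(e);
        }
}

/* Misuse: the key is built in a scratch buffer that is reused afterwards.
 * The buffer is still valid memory, so this runs safely, but the entry is
 * orphaned; with a freed buffer the same lookup would read freed memory.
 * Returns 1 if the entry is still reachable under its name. */
static int lookup_after_scratch_reuse(void)
{
    struct table t = { { NULL } };
    struct session s = { "", 7 };
    char scratch[64];
    snprintf(scratch, sizeof scratch, "%s@%s", "alice", "example.org");
    if (table_putx(&t, scratch, strlen(scratch), &s) != 0)
        return -1;
    snprintf(scratch, sizeof scratch, "%s@%s", "bob", "example.org");
    int found = table_get(&t, "alice@example.org") != NULL;
    table_free(&t);
    return found;
}

/* Intended use: key and object share one lifetime. Returns 1 on a hit. */
static int lookup_with_embedded_key(void)
{
    struct table t = { { NULL } };
    struct session *s = calloc(1, sizeof *s);
    if (s == NULL)
        return -1;
    snprintf(s->jid, sizeof s->jid, "%s@%s", "alice", "example.org");
    if (table_putx(&t, s->jid, strlen(s->jid), s) != 0) { free(s); return -1; }
    int ok = table_get(&t, "alice@example.org") == s;
    table_free(&t);             /* drop every table reference first ... */
    free(s);                    /* ... then free object and key together */
    return ok;
}

int main(void)
{
    printf("scratch key reachable:  %d\n", lookup_after_scratch_reuse());
    printf("embedded key reachable: %d\n", lookup_with_embedded_key());
    return 0;
}
```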





Re: c2s per session user data & authreg auth API extension

2014-08-14 Thread Tomasz Sterna
On 2014-08-14, Thu at 23:45 +, Shawn Debnath wrote:
> I have modified the
> APIs to pass sess_t and then the implementation can choose to pack it
> in their private authreg_private data if they so choose.

WFM :-)


-- 
Tomasz Sterna   :(){ :|:&};:
Instant Messaging Consultant   Open Source Developer 
http://abadcafe.pl/  http://xiaoka.com/portfolio





Re: c2s per session user data & authreg auth API extension

2014-08-14 Thread Tomasz Sterna
On 2014-08-14, Thu at 16:20 +, Shawn Debnath wrote:
> I would change all the APIs and to pass in a pointer to the sess_t as
> I also need it in check_passsword.

I would advise to include sess_t* in authreg_private then.

It's OK for authreg to dig around session data, but the API should be
flexible enough to give option to pass anything as authreg_private, not
only sess_t*.


-- 
Tomasz Sterna   :(){ :|:&};:
Instant Messaging Consultant   Open Source Developer 
http://abadcafe.pl/  http://xiaoka.com/portfolio





Re: c2s per session user data & authreg auth API extension

2014-08-14 Thread Tomasz Sterna
On 2014-08-14, Thu at 04:27 +, Shawn Debnath wrote:
> - Build a hash table of relevant data and store it in the authreg_t
>   private data member.

Agreed, that needed internal bookkeeping makes it not feasible.


> - Retrofit existing interfaces with the necessary data.
>   a. Introduce void *sess_private in sess_t.

It's not really sess_private, but authreg_private, right?


>   int (*create_challenge)(authreg_t ar, sess_private *data,
> const char *username, const char *realm, const char *challenge,
> int maxlen);
>   int (*check_response)(authreg_t ar, sess_private *data,
> const char *username, const char *realm, const char *resource,
>  const char *challenge, const char *response);
> 
>   Pros: Maintain same methods but new parameters, faster approach.
>   Cons: (BIG)breaks everyone out there. In some cases, other 3rd parties
> may want similar mechanism for plain text login as well and this
> approach wouldn't work for them.

Agreed.
I think we should extend all authreg calls with a pointer to session
attached, authreg private data.
In the simplest case it could be even set to point to sess_st, for the
mechanism to dig in session by itself.
This is how it is done all around jabberd2.

Also good point, that create_challenge misses realm parameter.

If we go for it, we will just release 2.4.x line which hints API
breakage. ;-)


>   /* Extension for custom authentication providers */
>   int (*custom_auth_get)(authreg_t ar, authdata_t data);
>   int (*custom_auth_set)(authreg_t ar, authdata_t data);

I don't like this approach for two reasons.
- custom_auth does not really mean anything. as it is now it is clean -
either we have password verification, or challenge/response.
- custom_auth is used in "ar_mechs & AR_MECH_TRAD_CRAMMD5", so it is not
really custom, but CRAM-MD5, right?


Let's just implement CRAM-MD5 properly, with all needed features, even
if it means API changes.
We're open source - we are not afraid to change things. :-)

-- 
smk
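
The session-attached authreg private data discussed in the message above, as an added sketch that is not jabberd2 code and not written by anyone on this thread. The type layouts, the demo_* names, the fixed nonce text and the 0/1 return convention are assumptions, and toy_mac is a non-cryptographic stand-in for HMAC-MD5; the point shown is that a response is only accepted on the session that was issued the challenge, and only once.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-ins for jabberd2 types (assumptions); hooks return 0 = ok, 1 = failure. */
typedef struct authreg_st { const char *secret; } *authreg_t;  /* constructed one-user store */
typedef struct sess_st { void *authreg_private; } *sess_t;
struct chal_state { char challenge[64]; int pending; };        /* per-session backend state */
/* Toy keyed checksum standing in for HMAC-MD5; NOT cryptographic. */
static void toy_mac(const char *key, const char *msg, char *out, size_t n) {
    unsigned long h = 5381;
    for (; *key; key++) h = h * 33 + (unsigned char)*key;
    for (; *msg; msg++) h = h * 33 + (unsigned char)*msg;
    snprintf(out, n, "%08lx", h & 0xffffffffUL);
}
static int demo_create_challenge(authreg_t ar, sess_t s, const char *username,
                                 const char *realm, char *challenge, int maxlen) {
    struct chal_state *st = s->authreg_private;
    (void)ar;
    if (st == NULL && (st = s->authreg_private = calloc(1, sizeof *st)) == NULL) return 1;
    /* A real backend needs a CSPRNG nonce here; fixed text keeps the demo repeatable. */
    int n = snprintf(st->challenge, sizeof st->challenge, "<%s@%s.demo-nonce>", username, realm);
    if (n < 0 || n >= (int)sizeof st->challenge || n >= maxlen) return 1;
    memcpy(challenge, st->challenge, (size_t)n + 1);
    st->pending = 1;
    return 0;
}

static int demo_check_response(authreg_t ar, sess_t s, const char *username,
                               const char *realm, const char *challenge, const char *response) {
    struct chal_state *st = s->authreg_private;
    char want[16];
    (void)username; (void)realm;
    /* Reject if this session was never issued this challenge, or already used it. */
    if (st == NULL || !st->pending || strcmp(st->challenge, challenge) != 0) return 1;
    st->pending = 0;  /* single use: success or failure, the challenge is spent */
    toy_mac(ar->secret, challenge, want, sizeof want);
    return strcmp(want, response) == 0 ? 0 : 1;
}

int main(void) {
    struct authreg_st ar = { "s3cret" };        /* constructed sample secret */
    struct sess_st a = { NULL }, b = { NULL };  /* two independent sessions */
    char chal[64], resp[16];
    if (demo_create_challenge(&ar, &a, "alice", "example.org", chal, sizeof chal)) return 1;
    toy_mac(ar.secret, chal, resp, sizeof resp);
    printf("other session: %d\n", demo_check_response(&ar, &b, "alice", "example.org", chal, resp));
    printf("first use:     %d\n", demo_check_response(&ar, &a, "alice", "example.org", chal, resp));
    printf("replay:        %d\n", demo_check_response(&ar, &a, "alice", "example.org", chal, resp));
    return 0;
}
```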





Re: Clustering support

2014-08-04 Thread Tomasz Sterna
On Mon, 2014-08-04 at 17:44 +0530, Kumar Deepak wrote:
> Are you suggesting, I shall run single instance of "Router" and run
> multiple instance of other components (SM, S2S & C2S).

Yes.

> In this case, "router" will be under load and will become critical ?
> How do we load balance "router" ? 

We don't. In currently released jabberd2 router cannot be duplicated.

Support for router mesh is in the works though.
https://github.com/jabberd2/jabberd2/tree/mesh


-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: Clustering support

2014-08-04 Thread Tomasz Sterna
On Mon, 2014-08-04 at 16:49 +0530, Kumar Deepak wrote:

> Does Jabberd2 support clustering ?

Depends how you define clustering.

jabberd2 supports load-balancing of components.

You can run many instances of c2s and sm servicing one domain.
You can run many instances of s2s component distributing s2s traffic
load.
Also, legacy components can be load-balanced - i.e. you can connect many
instances of the same transport for same transport domain.


>  Can please point me to relevant links ?

What do you mean?
There isn't anything to document or describe, besides what I just
said. ;-) It just works...

I could point you to the code implementing it, but I doubt that was your
point? ;-)


-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: re: Hello guys, i encounter a problem, call for help

2014-07-07 Thread Tomasz Sterna
On Mon, 2014-07-07 at 12:41 +0800, 304747446 wrote:
> the output of ./configure is in the configure.txt 

How about
./configure --enable-sqlite

Please attach generated config.log instead of manually copying output.



-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: Re: Re: Re: Re: Hello guys, i encounter a problem, call for help

2014-07-01 Thread Tomasz Sterna
On Tue, 2014-07-01 at 15:10 +0800, 304747446 wrote:
> hello, today i checked the Makefile under the storage directory
> carefully and i find that there is no compile instruction for the
> storage_sqlite.c, i think this is the cause that no storage_sqlite.so
> is built.

Please do:
./configure --enable-sqlite && make clean && make && make install

Dissecting autotools build like this is not recommended.


-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: Re: Re: Re: Hello guys, i encounter a problem, call for help

2014-06-25 Thread Tomasz Sterna
On Wed, 2014-06-25 at 16:06 +0800, 304747446 wrote:
> then go to the "storage" directory and rebuild, but there is also no
> "libstorage_sqlite.so" file to be generated...

a) it's "storage_sqlite.so" not "libstorage_sqlite.so"
b) modules are built in a hidden subdirectory storage/.libs


-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: Re: Re: Hello guys, i encounter a problem, call for help

2014-06-24 Thread Tomasz Sterna
On Wed, 2014-06-25 at 10:50 +0800, 304747446 wrote:
> so i turn to the jabberd-2.3.2/storage directory and input "make",but
> there is no "storage_sqlite.so" to be built.

Did you enable SQLite during configure?

./configure --enable-sqlite


-- 
Tomasz Sterna                          :(){ :|:&};:
Instant Messaging Consultant          Open Source Developer
http://abadcafe.pl/   http://www.xiaoka.com/portfolio




Re: Re: Hello guys, i encounter a problem, call for help

2014-06-24 Thread Tomasz Sterna
On Tue, 2014-06-24 at 16:14 +0800, 304747446 wrote:
> 
>  

You're logging to syslog.
Change it to 'file' and make sure you have /usr/local/var/jabberd/log
directory created.

> /usr/local/var/jabberd/log/sm.log



-- 
Tomasz Sterna                          :(){ :|:&};:
Instant Messaging Consultant          Open Source Developer
http://abadcafe.pl/   http://www.xiaoka.com/portfolio




Re: Hello guys, i encounter a problem, call for help

2014-06-23 Thread Tomasz Sterna
On Mon, 2014-06-16 at 15:36 +0800, 304747446 wrote:
> The error message showed in the terminal is "sm died"

What does sm.log say?


-- 
Tomasz Sterna                          :(){ :|:&};:
Instant Messaging Consultant          Open Source Developer
http://abadcafe.pl/   http://www.xiaoka.com/portfolio




Re: How to configure cipher suites and protocols

2014-04-10 Thread Tomasz Sterna
On Thu, 2014-04-10 at 00:29 +, Joe Malcolm wrote:
> How do you do it in 2.3.x?

./configure --enable-experimental


> Is there a way to specify an OpenSSL ciphers string?

No. It's hardcoded.






Re: Roster module with custom MySQL requests

2014-04-01 Thread Tomasz Sterna
On Tue, 2014-04-01 at 15:56 +0200, Sylvain Guglielmi wrote:
> Is it safe/better/not a good idea to deactivate the active plugin from
> every chain (user_load; user_create; user_delete) ?

Its main function is to drop messages to nonexistent users instead of
storing them in offline messages store.
If you remove it, you are potentially vulnerable to DoS attack filling
your offline storage database with messages for bogus users.


-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: Roster module with custom MySQL requests

2014-04-01 Thread Tomasz Sterna
On Tue, 2014-04-01 at 12:14 +0200, Sylvain Guglielmi wrote:
> The problem is :
> - When a user connects to jabberd2 for the first time, the 
> active,logout... tables are empty, and the roster is already filled.
> - The code in dispatch.c : 130 states that "if one of the user_load 
> module fails, an unsuscribed-packet will be sent", presumably to clean
> the user's rosters on every session by removing this "unknown
> contact".

Just remove 'active' module from 'user-load' chain in your sm.xml.

You may want to implement the fail-if-not-exist function in your own
roster module in this chain.


-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: create publish node with idavoll + jabberd2?

2014-02-24 Thread Tomasz Sterna
On Mon, 2014-02-24 at 17:03 +0800, li wang wrote:
> Thanks greatly, do you mean I should use:  pubsub.testdomain.com as
> the domain name? do I have to configure my nameserver to direct it?

You can use whatever name you want as long as it stays inside your
server.
You have to make it resolvable to your s2s address if you want it to be
reachable from other servers.



-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





jabberd-2.3.2 release

2014-02-24 Thread Tomasz Sterna

Next jabberd2 release is available.

Get 2.3.2 release at GitHub: https://github.com/jabberd2/jabberd2/releases


This is a minor bugfix release with a bit of new features added.


Changes:
  * Removed unmaintained CyrusSASL backend
  * Option to add realm to username in ldapvcard module
  * systemd unit files

For a full change log see: 
https://github.com/jabberd2/jabberd2/commits/jabberd-2.3.2



-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: create publish node with idavoll + jabberd2?

2014-02-24 Thread Tomasz Sterna
On Sat, 2014-02-22 at 12:50 +0800, charlesw123...@gmail.com
wrote:
> 2014-02-18 13:38:55+0800 [XmlStream,client] RECV: " version='1.0'?> xmlns:stream='http://etherx.jabber.org/streams'
> xmlns='jabber:component:accept' from='pubsub'
> id='nzkwecg6kccx6zuhslvehvtli6blyfumffiurz0c'>" 

Your idavoll component is configured at "pubsub" domain.


> And then I use my client to issue the following request after login:
> SEND:  xmlns='http://jabber.org/protocol/pubsub'> node='tnode'/>

so, you need to send your queries to="pubsub" domain, not
'test.testdomain.com' servers domain.


-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: Ldapvcard + roster

2014-02-19 Thread Tomasz Sterna
On Tue, 2014-02-18 at 22:25 +0100, Oriol Mula-Valls wrote:
> Now that I have submitted the patch for ldapvcard, how can I find out 
> what's happening with deletes using roster publish?

First thing would be
./configure --enable-debug
and run sm with -D switch.
Then you will see exactly what is happening.


-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: systemd unit files

2014-02-17 Thread Tomasz Sterna
On Fri, 2014-02-14 at 14:23 +0100, Adrian Reber wrote:
> I have a simple patch which includes the systemd unit files from the
> fedora package into jabberd2 at:

Thanks.
Merged in 49d48df0f6b6b1d35cf96930644f03b6db66e0d4


-- 
Tomasz Sterna                          :(){ :|:&};:
Instant Messaging Consultant          Open Source Developer
http://abadcafe.pl/   http://www.xiaoka.com/portfolio





Re: Ldapvcard + roster

2014-02-14 Thread Tomasz Sterna
On Thu, 2014-02-13 at 17:14 +0100, Oriol Mula-Valls wrote:
> Which solution is better from your point of view? My knowledge of the
> xmpp standard is little. I can try to make the patches and test them
> on our infrastructure.

This does not really have anything to do with XMPP standard.
For XMPP user authentication is opaque and abstracted to SASL.

It's a job of SASL backend (in this case based on LDAP) to verify user
credentials, and once SASL says you are a JID you are pretending to be,
you are in.

Having said that, I will mention that I have not much experience with
LDAP and the one I have is rusty.
Thus I still have your proposed patch pending review, as on a first
brief look through, I couldn't decide its validity.

Please do work on LDAP backend in whatever way pleases you.
If you keep backward compatibility, I will gladly accept patches adding
new functionality. (Preferably via GitHub pull request.)

Also please do discuss your concerns on this mailing list, as others may
have viable experience; but addressing these to me personally may
discourage others joining in to the discussion. ;-)

P.S. I need to mention, that I would be rapturous if someone would
finally merge both LDAP backends to one.


-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: Roster publish

2014-02-11 Thread Tomasz Sterna
On Mon, 2014-02-10 at 18:00 +0100, Oriol Mula-Valls wrote:
> After setting it to 0 I expect the user to disappear from the clients.
> I have tried to relogin to the jabberd2 server but even after that the
> contact still appears.

Did you enable ?
If so, it will add contacts to user normal roster and they will need
manual deletion.

Also if user edits the contacts details, it will be stored in normal
roster.


-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: s2s throws coredump with new version of udns-0.3

2014-01-20 Thread Tomasz Sterna
On Mon, 2014-01-20 at 12:02 +0100, Marcin Mirosław wrote:
> warning: Could not load shared library symbols for linux-vdso.so.1.
> Do you need "set solib-search-path" or "set sysroot"?

This suggests problems with your local library installation.
Check 'ldd' on libudns.so, i.e.:

$ ldd /usr/lib64/libudns.so.0
linux-vdso.so.1 =>  (0x7fffcf8b6000)
libc.so.6 => /lib64/libc.so.6 (0x7f59ae59b000)
/lib64/ld-linux-x86-64.so.2 (0x003cde60)






Re: How to configure cipher suites and protocols

2014-01-13 Thread Tomasz Sterna
On Mon, 2014-01-13 at 13:29 +0100, MacLemon wrote:
> I want to disable SSLv3 in favour of TLSv1 only. (Apple jabberd2 is
> linked against a pre-historic OpenSSL 0.9.8 so it doesn't support TLS
> 1.2.) I also want to get rid of weak ciphers and try to enable forward
> secrecy handshake namely DHE.

It's not possible in 2.2.
You need at least 2.3.0 for this.





Re: Roster module with custom MySQL requests

2014-01-10 Thread Tomasz Sterna
On Fri, 2014-01-10 at 13:54 +0100, Sylvain Guglielmi wrote:
> My question : Should I add a "timetick" chain to the SM (called every
> second for example), and add my module to this chain (with a rate_t
> check) ? I'm not thrilled by this solution, because for now, I haven't
> changed any code from jabberd2 except from the new module, which make
> it easier to test or get in production. Is there another, better way ?

You could have a separate "cron" component pinging 'sm' in regular
intervals with special route packet, and handle this special packet in
'in-router' chain of your module.

Having that it could even be done not in regular intervals, but
on-demand, when your component gets triggered by web frontend.





Re: push notification system (pns)

2014-01-09 Thread Tomasz Sterna
On Thu, 2014-01-09 at 22:00 +0530, Kumar Deepak wrote:

> 1. User A is running xmpp client at his iPHONE
> 2. User B is running xmpp client at his desktop
> 3. User B sends message to A, but A's xmpp client is either not
> running or running in background.

At pt.1 you stated that A's xmpp client is running, so this condition
contradicts pt.1

> 4. Server stores the message for later delivery.

This would happen if A's client is not connected. So I guess that
'running' does not necessarily mean 'connected'.

> 5. Server informs A by sending a message using apple push notification
> infrastructure.
> 6. User A accepts the push and A's xmpp client connects to server and
> server delivers the message to A.

Ok. 'Running' definitely does not mean 'connected'.


Your goal would be best accomplished by hooking to offline storage
module, or using completely custom offline storage module, that sends
notification every time it stores a message offline for later delivery.





Re: push notification system (pns)

2014-01-09 Thread Tomasz Sterna
On Thu, 2014-01-09 at 09:07 +0530, Kumar Deepak wrote:

> I was thinking to integrate push notification system to inform about
> incoming messages for xmpp clients. Clearly, the case comes when
> clients become unavailable on mobile client.

I don't quite clearly understand what you need.

IIRC you would like a method to notify a disconnected client, that there
are pending offline messages waiting and it needs to connect to get
these;
am I right?



-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/




