Re: Stepping down

2018-01-21 Thread Tomasz Sterna
On Sun, 21.01.2018 at 15:01 +0100, Alexandre Jousset wrote:

>   Has anyone already shown interest to become the new maintainer?

Nope.
As you can see on GitHub, activity recently was close to none.


>   I don't know if I'm skilled enough but instead of letting it
> die, I would like to become the maintainer if nobody with better
> skills wants to :-)

Judging by your contributions to jabberd2, I see no problem in passing
the project to you.


>   BTW I was recently doing some load test and having thought
> about solving the SPOF of the router process, [...]

We already had a _lengthy_ discussion on list on my vision how to
multiply the router:
https://www.mail-archive.com/jabberd2@lists.xiaoka.com/msg01909.html

Your work still lives in:
https://github.com/jabberd2/jabberd2/tree/mesh


But my latest approach was to ditch the router component in favor of a
message bus (using 0MQ). See discussion at
https://gitter.im/jabberd2/jabberd2?at=56b8b4e9939ffd5d15f671e1

This is what https://github.com/jabberd2/jabberd2/commits/ashnazg
branch implemented and jabberd3 code (which was born of ashnazg branch) was 
going for.


>   In any case I wish you the best for the future :-)

Thanks. ☺





Re: Stepping down

2018-01-21 Thread Tomasz Sterna
On Sun, 21.01.2018 at 01:34 +0100, Matěj Cepl wrote:
> On Sat, 2018-01-20 at 23:57 +0000, Tomasz Sterna wrote:
> > - https://github.com/smokku/jabberd3
> > - https://github.com/smokku/traffx
> 
> But both of these projects are already dead, aren't they? (You
> seemed to indicate you are leaving XMPP world as such)

I won't be developing these anymore, (in fact I wasn't for some time
now), thus there is no reason for these to sit on my HDD.

I opened the source so anyone could pick it up and make something
useful of these.






Stepping down

2018-01-20 Thread Tomasz Sterna
Hello.

This e-mail is to make it official, that I am stepping down as a
maintainer of jabberd2 project.

Over the years my interests drifted away from Jabber/XMPP and in fact I
wasn't contributing much to the project lately.
I did my best to accept the submissions, but not much more.
This situation does not benefit the project, nor me, so it is time to
officially step down.

Directly related to this, I will be shutting down all my XMPP related
services - including this mailing list, as the virtual machine hosting
it is going away. It is financed up to end of February, so expect it to
go down during March 2018.


As a consolation, I am opening the source of other XMPP servers I've
been working on over the years. These are provided as-is at the current
stage of development. Both are working and able to participate in XMPP
Federation.

- https://github.com/smokku/jabberd3
  my work to modernize jabberd2 and merge some of jabberd14 code

- https://github.com/smokku/traffx
  Node.js/node-xmpp based server to be deployed in The Cloud


This was a hell of a journey.
Best regards to all I crossed paths with and best wishes.


-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Re: WebSocket port?

2017-12-25 Thread Tomasz Sterna
On Sat, 23.12.2017 at 17:05 -0500, James Bellinger wrote:
> I added  to the c2s configuration, but as far as I can
> tell, no new ports are open and nothing has changed.
> 
> How do I specify a port etc. for wss:// ?

jabberd2 autodetects HTTP on the standard C2S port.

It was mostly useful to listen for C2S on 80/443 to bypass firewalls and
redirect real HTTP connections to a real HTTP server.

This mechanism now allows autodetecting WebSocket on the standard C2S
port. So you just use ws://example.com:5222/ and wss://example.com:5223/
As simple as that.

Of course you can enable a C2S listener on any non-standard port, like
5280 etc.





-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/
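A way to check the WebSocket autodetection described above from the client side, added here as an example; this is not code from the post or from jabberd2, and the host, the ports and the two constructed server replies are assumptions. It builds the RFC 6455 upgrade request with the RFC 7395 `xmpp` subprotocol and classifies what the C2S port answers:

```python
import base64
import hashlib
import os
import socket
import ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed by RFC 6455


def build_handshake(host, path="/", key=None):
    """Opening handshake for XMPP over WebSocket (RFC 7395 on top of RFC 6455).

    Returns (request_bytes, key); the 'xmpp' subprotocol is mandatory in 7395.
    """
    if key is None:
        key = base64.b64encode(os.urandom(16)).decode("ascii")
    request = (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        "Sec-WebSocket-Protocol: xmpp\r\n"
        "\r\n"
    )
    return request.encode("ascii"), key


def expected_accept(key):
    """Sec-WebSocket-Accept the server must return for `key` (RFC 6455 4.2.2)."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def check_response(raw, key):
    """Classify the server's reply to the handshake.

    'websocket': upgrade accepted, correct accept token, 'xmpp' subprotocol
    'http':      the port answered as plain HTTP (status other than 101)
    'other':     not HTTP, or an upgrade that is not a usable XMPP endpoint
    """
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[0].startswith("HTTP/1."):
        return "other"
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if status[1] != "101":
        return "http"
    if headers.get("upgrade", "").lower() != "websocket":
        return "other"
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return "other"  # wrong token: something else answered 101
    if headers.get("sec-websocket-protocol") != "xmpp":
        return "other"  # upgraded, but without RFC 7395 XMPP framing
    return "websocket"


def probe(host, port, tls=False, timeout=5.0):
    """Live check (network I/O): does host:port upgrade to XMPP over WebSocket?

    tls=True is the wss:// case (e.g. port 5223); the default CA store is used.
    """
    request, key = build_handshake(host)
    sock = socket.create_connection((host, port), timeout=timeout)
    if tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(request)
        raw = b""
        while b"\r\n\r\n" not in raw and len(raw) < 65536:
            chunk = sock.recv(4096)
            if not chunk:
                break
            raw += chunk
    return check_response(raw, key)


# Constructed replies (not captured from a real server) to exercise the parser.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="  # the example key from RFC 6455
SAMPLE_UPGRADE = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n"
    b"Sec-WebSocket-Protocol: xmpp\r\n\r\n"
)
SAMPLE_REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: https://example.com/\r\n\r\n"

if __name__ == "__main__":
    print(check_response(SAMPLE_UPGRADE, SAMPLE_KEY))   # websocket
    print(check_response(SAMPLE_REDIRECT, SAMPLE_KEY))  # http
```

probe(host, 5222) tries the ws:// form over plain TCP and probe(host, 5223, tls=True) the wss:// form. A 200 or 302 answer means the port is speaking HTTP but did not upgrade; a 101 with a wrong accept token or without the xmpp subprotocol is reported as a failure rather than trusted.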




Re: disable TLS 1.0

2017-07-21 Thread Tomasz Sterna
On Thu, 20.07.2017 at 14:48 +0300, Alexander Velin wrote:
> How does one configure available SSL protocols (not ciphers), in 
> particular, to disable TLS 1.0 and leave only 1.1 and 1.2 ?

You need to compile with the ./configure --enable-experimental flag.

https://github.com/jabberd2/jabberd2/commit/ee0f2ce8b148f0476ee9c41c071873c79751c0d9#diff-a4bd824bd7667649eaaadceaf81d55efR661


-- 
 /o__ 
(_<^' You're already carrying the sphere!




jabberd-2.6.1 release

2017-07-01 Thread Tomasz Sterna
It is time for next jabberd2 release.

Get 2.6.1 release at GitHub:
https://github.com/jabberd2/jabberd2/releases


This is a security bugfix release.

Make sure to read the NEWS before upgrade:
https://github.com/jabberd2/jabberd2/blob/jabberd-2.6.1/NEWS


This release fixes a bug allowing anyone to authenticate using SASL
ANONYMOUS, even when sasl.anonymous c2s.xml option is not enabled.

https://github.com/jabberd2/jabberd2/commits/jabberd-2.6.1







-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/




ANONYMOUS auth bug

2017-07-01 Thread Tomasz Sterna
Current 2.6.0 release has some kind of bug that allows ANONYMOUS login
even when sasl.anonymous is disabled in c2s.xml.

Yesterday I noticed that spammers are using this bug to send spam via
my server, using ANONYMOUS logins.

I am working on a fix.
This mail is to serve as a warning.

I've been able to workaround this bug by disabling "auto-create" in
sm.xml, so the spammer can log in ANONYMOUS, but is not able to create
SM session for not-existing account.

Will keep you informed about a progress of the fix.


-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/
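A probe for the behaviour this warning describes, added as an example; it is not jabberd2 code, and the sample stream features and SASL replies are constructed. It separates "the server offers ANONYMOUS" from "the server accepts ANONYMOUS although it did not offer it", which is the symptom of the 2.6.0 bug:

```python
import socket
import xml.etree.ElementTree as ET

NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"
NS_STREAMS = "http://etherx.jabber.org/streams"


def stream_header(domain):
    """Client's opening <stream:stream> for `domain` (RFC 6120)."""
    return (
        "<?xml version='1.0'?>"
        f"<stream:stream to='{domain}' xmlns='jabber:client' "
        f"xmlns:stream='{NS_STREAMS}' version='1.0'>"
    )


def anonymous_auth():
    """<auth/> selecting ANONYMOUS with an empty initial response ('=')."""
    return f"<auth xmlns='{NS_SASL}' mechanism='ANONYMOUS'>=</auth>"


def advertised_mechanisms(features_xml):
    """Mechanism names the server lists in <stream:features/>."""
    root = ET.fromstring(features_xml)
    return [m.text.strip() for m in root.iter(f"{{{NS_SASL}}}mechanism") if m.text]


def classify_reply(reply_xml):
    """'success', 'failure' or 'unknown' (incomplete/other) for the reply to <auth/>."""
    try:
        root = ET.fromstring(reply_xml)
    except ET.ParseError:
        return "unknown"
    if root.tag == f"{{{NS_SASL}}}success":
        return "success"
    if root.tag == f"{{{NS_SASL}}}failure":
        return "failure"
    return "unknown"


def assess(features_xml, reply_xml):
    """What the server advertises versus what it accepts.

    'accepted-but-not-advertised' is the 2.6.0 symptom: ANONYMOUS is not
    offered (sasl.anonymous off), yet the <auth/> still gets <success/>.
    """
    advertised = "ANONYMOUS" in advertised_mechanisms(features_xml)
    outcome = classify_reply(reply_xml)
    if outcome == "success":
        return "accepted-advertised" if advertised else "accepted-but-not-advertised"
    if outcome == "failure":
        return "rejected"
    return "unknown"


def _read_until(sock, done, limit=65536):
    buf = b""
    while len(buf) < limit and not done(buf):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", "replace")


def probe(host, port, domain, timeout=5.0):
    """Live probe over plain TCP (network I/O). A server that requires STARTTLS
    before SASL offers no mechanisms here; extend with STARTTLS for that case."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(stream_header(domain).encode())
        data = _read_until(sock, lambda b: b"</stream:features>" in b or b"<stream:features/>" in b)
        start, end = data.find("<stream:features"), data.find("</stream:features>")
        features = data[start:end + len("</stream:features>")] if start >= 0 and end >= 0 else "<stream:features/>"
        # the stream prefix is declared on the (still open) root element, so re-declare it
        features = features.replace("<stream:features", f"<stream:features xmlns:stream='{NS_STREAMS}'", 1)
        sock.sendall(anonymous_auth().encode())
        reply = _read_until(sock, lambda b: classify_reply(b.decode("utf-8", "replace")) != "unknown")
    return assess(features, reply)


# Constructed server output (not captured from a real server).
SAMPLE_FEATURES = (
    f"<stream:features xmlns:stream='{NS_STREAMS}'>"
    f"<mechanisms xmlns='{NS_SASL}'><mechanism>SCRAM-SHA-1</mechanism>"
    "<mechanism>DIGEST-MD5</mechanism></mechanisms></stream:features>"
)
SAMPLE_SUCCESS = f"<success xmlns='{NS_SASL}'/>"
SAMPLE_FAILURE = f"<failure xmlns='{NS_SASL}'><invalid-mechanism/></failure>"

if __name__ == "__main__":
    print(assess(SAMPLE_FEATURES, SAMPLE_SUCCESS))  # accepted-but-not-advertised
    print(assess(SAMPLE_FEATURES, SAMPLE_FAILURE))  # rejected
```

Running probe() against a server before and after the upgrade to 2.6.1 gives 'accepted-but-not-advertised' on the affected version and 'rejected' on the fixed one; the same check also confirms that the sm.xml auto-create workaround did not change the c2s side, since that workaround only stops the session from being created after the SASL success.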




jabberd-2.6.0 release

2017-05-28 Thread Tomasz Sterna
It is time for next jabberd2 release.

Get 2.6.0 release at GitHub:
https://github.com/jabberd2/jabberd2/releases


This is a bugfix release.

Make sure to read the NEWS before upgrade:
https://github.com/jabberd2/jabberd2/blob/jabberd-2.6.0/NEWS


Changes:
 * Better SASL error messages

https://github.com/jabberd2/jabberd2/commits/jabberd-2.6.0






-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





New website look

2017-01-07 Thread Tomasz Sterna
Hello.

I got bored with the look of http://jabberd2.org, which looked like
something taken straight from the 80s ;-), so I took an attempt at
making it more modern.

Hope you like it.


-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/

signature.asc
Description: This is a digitally signed message part


jabberd-2.5.0 release

2017-01-05 Thread Tomasz Sterna
It is about time for next jabberd2 release.

Get 2.5.0 release at GitHub:
https://github.com/jabberd2/jabberd2/releases


This is a bugfix release.

Make sure to read the NEWS before upgrade:
https://github.com/jabberd2/jabberd2/blob/jabberd-2.5.0/NEWS


Changes:
 * Do not attempt to reload SM modules on SIGHUP
 * Cleanup config files example
 * Fixed memory leak in pgsql storage driver
 * Fixed two double-frees caused by dangling pointers
 * Fixed c2s logger initialization point

https://github.com/jabberd2/jabberd2/commits/jabberd-2.5.0



-- 
 /o__ Going to church does not make a person religious, nor does going to school
(_<^' make a person educated, any more than going to a garage makes a person a 
car.



Re: sm crashing on startup

2017-01-04 Thread Tomasz Sterna
On Tue, 03.01.2017 at 23:35 -0500, Greg Troxel wrote:
>  Jabberd mostly works fine, but on boot sm
> crashes.  I have adjusted sequencing, although in theory it should
> not matter

Does 48125019 [1] fix your issue?


[1] 
https://github.com/jabberd2/jabberd2/commit/48125019452e291b2c57275c789f3d7df87d7146


-- 
 /o__ 
(_<^' Good teaching is one-fourth preparation and three-fourths good theatre.




Re: Stale c2s connection leads to losing messages without any notice

2016-09-28 Thread Tomasz Sterna
On Wed, 28.09.2016 at 15:15 +0200, Deweloper wrote:
> IMHO in step 2 server should notice an error sending message to Bob 
> (detect stale connection), change it's state to "offline" and store
> the message for further delivery.

By the design of how TCP works, it is possible to detect a broken
connection only by writing to that connection.
And one write is not enough, because it will succeed even on half-
closed connections, as the bytes are passed to network buffers and sent
over the wire successfully.


> If that's impossible due to very long timeout, then the messages
> should still be kept in storage unless client acknowledges their
> receipt,

Unfortunately, there is no such feature built into XMPP.
If the message gets lost in transit, it is just gone. With no feedback.

You need to do active, client side acking as in XEP-0184 [1]. And then
it is the client responsibility to resend unacked messages.


> Or, at least, Alice should get "undelivered message" errors in step 4

Also, no such feature in XMPP.
The server has no way of knowing whether the message reached the
destination without the recipient's active, application-level cooperation.


> 
> Sadly, with the current approach the communication is simply
> unreliable.

Unfortunately, this is how it is.
TCP does not guarantee delivery [2], and neither does the XMPP binding
to TCP.


[1] http://xmpp.org/extensions/xep-0184.html
[2] http://lkml.iu.edu/hypermail/linux/kernel/0106.1/1154.html

-- 
 /o__ "Zaphod grinned two manic grins, sauntered over to the bar 
(_<^' and bought most of it." 
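The client-side acking the reply refers to, as an added example that is not part of the original post and not jabberd2 code: a minimal XEP-0184 tracker that keeps every sent message until the receipt for it arrives, resends it while it stays unacked, and finally gives up so the user can be told, which is the feedback the protocol itself never gives. The JIDs, message ids and the receipt stanza are constructed:

```python
import time
import uuid
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS_RECEIPTS = "urn:xmpp:receipts"
_ATTR = {"'": "&apos;"}  # escape() handles & < >; add ' for attribute values


class ReceiptTracker:
    """Client-side XEP-0184 bookkeeping: each outgoing <message/> carries
    <request xmlns='urn:xmpp:receipts'/>, stays pending until the matching
    <received id='...'/> arrives, and is resent while it remains unacked."""

    def __init__(self, jid, resend_after=30.0, max_attempts=3):
        self.jid = jid
        self.resend_after = resend_after
        self.max_attempts = max_attempts
        self.pending = {}  # message id -> {"to", "body", "sent", "attempts"}

    def _stanza(self, msg_id, to, body):
        return (
            f"<message from='{escape(self.jid, _ATTR)}' to='{escape(to, _ATTR)}' "
            f"id='{msg_id}' type='chat'><body>{escape(body)}</body>"
            f"<request xmlns='{NS_RECEIPTS}'/></message>"
        )

    def send(self, to, body, now=None, msg_id=None):
        """Remember the message as pending and return the stanza to write out."""
        now = time.time() if now is None else now
        msg_id = msg_id or uuid.uuid4().hex
        self.pending[msg_id] = {"to": to, "body": body, "sent": now, "attempts": 1}
        return self._stanza(msg_id, to, body)

    def on_stanza(self, xml_text):
        """Feed an incoming stanza; return the message id it acknowledged, if any."""
        root = ET.fromstring(xml_text)
        received = root.find(f".//{{{NS_RECEIPTS}}}received")
        if received is None:
            return None
        acked = received.get("id")
        # A receipt for an id we never sent (or already acked) is ignored:
        # only the recipient's own ack clears our copy.
        return self.pending.pop(acked, None) and acked

    def resend_due(self, now=None):
        """Return (stanzas_to_resend, ids_given_up_on) for the current time."""
        now = time.time() if now is None else now
        stanzas, given_up = [], []
        for msg_id, entry in list(self.pending.items()):
            if now - entry["sent"] < self.resend_after:
                continue
            if entry["attempts"] >= self.max_attempts:
                given_up.append(msg_id)  # surface to the user; the server never will
                del self.pending[msg_id]
                continue
            entry["attempts"] += 1
            entry["sent"] = now
            stanzas.append(self._stanza(msg_id, entry["to"], entry["body"]))
        return stanzas, given_up


# Constructed receipt stanza, as Bob's client would send it for our id 'm1'.
SAMPLE_RECEIPT = (
    "<message from='bob@example.com/phone' to='alice@example.com/desk' id='r1'>"
    f"<received xmlns='{NS_RECEIPTS}' id='m1'/></message>"
)

if __name__ == "__main__":
    tracker = ReceiptTracker("alice@example.com/desk", resend_after=30, max_attempts=2)
    print(tracker.send("bob@example.com", "hi Bob", now=0.0, msg_id="m1"))
    print(tracker.on_stanza(SAMPLE_RECEIPT))  # m1
```

Resending is keyed on the original stanza id, so a recipient that did get the first copy but whose receipt was lost can deduplicate; and a receipt carrying an id this client never sent is dropped rather than treated as proof of anything.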



Re: stale connections, keepalive?

2016-08-29 Thread Tomasz Sterna
On Mon, 29.08.2016 at 12:41 -0400, Greg Troxel wrote:
> dropping idle connections from its NAT table without
> > telling anyone, so later when mobile network closed a connection it
> > silently dropped RST packets not knowing who to NAT them to. [...]
> Are you saying that a cell provider tracks TCP state and when the
> data connection is lost sends RST packets for open connections?

I am blissfully oblivious to the inner workings of wide area switching
networks, but it sure looked like so when I was investigating the
dangling connections issue.

And a quick look at PDP_context [1] gives the impression that it has
specific knowledge of the established connections.

[1] https://en.wikipedia.org/wiki/GPRS_core_network#PDP_context

-- 
 /o__ 
(_<^'  All generalisations are dangerous, including this one.



Re: stale connections, keepalive?

2016-08-29 Thread Tomasz Sterna
On Sun, 28.08.2016 at 22:45 +0200, Christof Meerwald wrote:

> > I'm not sure [...]
> 
> Are you sure? [...]





-- 
 /o__ 
(_<^' One good turn deserves another.




Re: stale connections, keepalive?

2016-08-28 Thread Tomasz Sterna
On Sat, 27.08.2016 at 14:55 -0400, Greg Troxel wrote:
>   should jabberd2 force TCP keepalive on?

I'm not sure whether it is possible.
At least on Linux it is a system-wide setting and requires root to
change.


>   should c2s (and s2s probably, but less likely to be an issue) close
>   client connections if it has not seen anything from the client in
> some time period, like 8h?
>   is there any expectation in the protocol that clients should be
> doing any application-level keep-alive?

jabberd2 has support for application layer keepalives.

See the io.keepalive [1][2] options.
Setting this up will flush a single whitespace character over the wire
when the connection hangs idle. This triggers TCP-layer connection
validation.


Having said that, I am running my server without both application layer
and TCP keepalives turned on and see no issues with dangling
connections.

But.. I had them a lot, when my server was behind a buggy Cisco router
doing NAT. It was dropping idle connections from its NAT table without
telling anyone, so later when mobile network closed a connection it
silently dropped RST packets not knowing who to NAT them to. This was
causing a lot of dangling connections on my server.

Maybe you should investigate your network before turning on keepalives
as they cause unnecessary data transfer and battery usage on the mobile
devices.


[1] https://github.com/jabberd2/jabberd2/blob/master/etc/c2s.xml.dist.in#L335
[2] https://github.com/jabberd2/jabberd2/blob/master/etc/s2s.xml.dist.in#L228

-- 
 /o__ Q: How many Zen masters does it take to screw in a light bulb?
(_<^' A: None. The Universe spins the bulb, and the Zen master stays out



Re: Future of jabberd

2016-05-31 Thread Tomasz Sterna
On Mon, 30.05.2016 at 20:05 +0200, Tomasz Sterna wrote:
> I am still not fond of the synchronous nature of storage interface,
> but changing this would require rewriting it from scratch.
> Also having an asynchronous interface for immediate in nature
> backends like file backend or BDB, would require arm twisting.

Let's have it in the open:
https://github.com/jabberd2/jabberd2/issues/120




-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Re: Future of jabberd

2016-05-31 Thread Tomasz Sterna
On Tue, 31.05.2016 at 16:31 +0000, Shawn Debnath wrote:
> Re 1. Merging separate daemons to one.
> I am not sure if merging them into one process is the best idea. It
> sure is convenient, but isolation is a nice thing to have. Specially,
> when you have unauthorized users hammering on C2S.

Oh. I wasn't clear on that.
You will have the option to choose which components you want to run in
process, so if you wish you can keep the current setup of having one
process for each component. Possibly on different machines.

I just want the simple setup to have the option to run all components
in one process.


-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Re: jabberd-2.4.0 release

2016-05-31 Thread Tomasz Sterna
On Tue, 31.05.2016 at 00:39 -0700, li...@lazygranch.com wrote:
> ./configure --with-extra-library-path /usr/local/lib --with-extra-
> include-path /usr/local/include
> yielded
> 
> checking build system type... /usr/local/lib
> configure: error: invalid value of canonical build

Double-dash options format is:
--long-option=value

So, you need:
./configure --with-extra-library-path=/usr/local/lib 
--with-extra-include-path=/usr/local/include


-- 
 /o__ In case of injury notify your superior immediately. He'll kiss it and
(_<^' make it better.






Re: Future of jabberd

2016-05-30 Thread Tomasz Sterna
On Mon, 30.05.2016 at 10:31 +0200, Tomasz Sterna wrote:
> 7. DBI interface to RDBM.

Just one more question.

Do you (ML) have a use case for having SM storage in SQL?
Is it just for distributed SM only?
Maybe it is not worth the effort and we should just drop it and embed
something like LMDB [1] in?

I do see the value of having an SQL backend for authreg, to integrate
with an existing userbase, but SM storage? Does it really need to be
abstracted?


[1] https://en.wikipedia.org/wiki/Lightning_Memory-Mapped_Database

-- 
 /o__ 
(_<^'  The best cure for insomnia is to get a lot of sleep. -W.C. Fields





Re: Future of jabberd

2016-05-30 Thread Tomasz Sterna
On Mon, 30.05.2016 at 12:50 -0700, li...@lazygranch.com wrote:
> Do you really have to cache something in jabberd when the data can be
> pulled from the sql database? Sure the data has changed. But if you
> pull a fresh record each time, I don't see the issue.

Unfortunately, RDBMSs are notorious for being a choking point.
You just cannot fetch data over and over again and expect reasonable
performance. This is the reason for the rise of memcached, redis etc.

Also, see: https://metajack.wordpress.com/2008/08/26/choosing-an-xmpp-server/


-- 
 /o__ 
(_<^'  I must follow the people. Am I not their leader? -Benjamin Disraeli





Re: Future of jabberd

2016-05-30 Thread Tomasz Sterna
On Mon, 30.05.2016 at 17:38 +0300, brahmann wrote:
> Agree (web). [...] Its will be good for those who want it 
> but not in jabberd2 code inside.

I like how the Cherokee web server does this:
It has a separate (written in Python) application for Web-based
configuration, which is started on demand only for the time of the
configuration, listens on http://localhost:8090/ and is accessible with
a one-time, generated password written to the console that started it.

Nevertheless this will require changes in how jabberd2 configuration is
handled, as the current state does not allow for runtime changes
without restarting the daemon.

The other approach is to allow restarting the daemon without losing
user connections and sessions. But this could be even messier.


P.S. I usually start cherokee-admin via SSH and access it via ssh-
tunnel proxying remote machine localhost:8090 to my local machine
localhost:8090 :-)


-- 
 /o__ No discipline is ever requisite to force attendance upon lectures which 
are
(_<^' really worth the attending.





Re: Future of jabberd

2016-05-30 Thread Tomasz Sterna
On Mon, 30.05.2016 at 15:40 +0200, Matěj Cepl wrote:
>    https://metajack.wordpress.com/2008/08/26/choosing-an-xmpp-server/
>  
>    by heart, don't you? When doing large changes in the 
>    codebase, it would be probably prudent to take those 
>    objections into consideration, especially database 
>    transaction “abuse”.

:-)
https://github.com/jabberd2/jabberd2/blob/master/etc/sm.xml.dist.in#L212

I am still not fond of the synchronous nature of storage interface, but
changing this would require rewriting it from scratch.
Also, having an asynchronous interface for backends that are immediate
in nature, like the file backend or BDB, would require arm twisting.

But I do keep it in mind.



-- 
 /o__ "Zaphod grinned two manic grins, sauntered over to the bar 
(_<^' and bought most of it." 





Re: Future of jabberd

2016-05-30 Thread Tomasz Sterna
On Mon, 30.05.2016 at 10:00 -0700, li...@lazygranch.com wrote:
> That is one of the beauties of programs written around standard tools
> like ‎sql. You can hook into the database and add features, or not.

The issue with this approach is that SM component caches user data and
has no way of knowing that data was changed directly in database
backend.

http://martinfowler.com/bliki/TwoHardThings.html




-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Future of jabberd

2016-05-30 Thread Tomasz Sterna
There are some things we already talked about on Gitter channel [1],
but I would like to raise them on the ML for peer review.

As you can see from recent activity, the jabberd2 project is far from dead.
With the inclusion of new features like WebSocket support, C99 code
compatibility, IPv6 improvements, modern TLS handling, SASL Anonymous,
password hashing, CRAM-MD5 and more... it is not a stale codebase
anymore.

But it is far from modern too...
There are some changes I would like to introduce in the near future and
I would like to hear your thoughts about:

1. Merging separate daemons to one.
The current design of jabberd2 with separate router, sm, c2s, s2s
processes is designed to allow nice separation of concerns and
distribution of processing. Separate processes have proved to be a
better approach than threads too.
But most installations of jabberd are not distributed, with one
instance of each component. Especially when c2s and sm got vhost
support and are able to handle more than one domain.
Also, modern OS architectures are tuned for event processing rather
than multithreading, so event based architecture is better suited for
them. Even jabberd2 process internally is event based on MIO.
So, it makes sense to allow for running all component instances in one
process, especially on amateur, low load servers.
Merging processes will allow for having one main loop only, so
maintaining bugfixes in it will be easier (main.c of all processes is a
copy-paste, with all the bugs, so bugs are also multiplied).

2. Phasing out MIO.
This is closely related to the above. MIO used by jabberd2 does not have
clear main loop support, which is implemented separately in each
component's main.c and is hardly pluggable.
Also, the way MIO is implemented (in a .h file, with platform specific
bits in .c) makes it a maintenance nightmare.
I would really like to replace it with a modern, upstream maintained
event library. The nicest one I know is libuv, which also gives us nice
platform independence layer.
I already have a working c2s port to libuv as a PoC.

3. Phasing out router.
router component is the one binding all the others.
In current design it is the single point of failure. Other components
already support multiple instances, but router proved to be difficult
to multiply.
The most radical, yet compelling solution to this problem is getting
rid of the router altogether. There are many ready-made solutions for
local packet distribution, of which Local Message Bus [2] looks like the
most promising. I would see either Mbus [3] or NN_BUS [4] taking the
role of the router component.
The added advantage of using a Message Bus is the ability to connect to
the bus with alternative implementations to perform own actions.
e.g. having the ability to use CLI tools to eavesdrop and send messages
to the bus proved to be priceless when I implemented a PoC of the Bus
in the experimental jabberd branch.
Bus also solves the problem of distribution - it is up to the
deployment administrator whether one sets up local, one-machine only
bus or a network distributed one.

4. Configuration interface.
At the moment jabberd is configured with static XML files loaded at
daemon startup. It is close to impossible to change the values at
runtime, as random places of the process are using copies of values or
direct pointers to values from the config structure.
This heavily impedes implementation of features such as XEP-0133
Service Administration or a Web interface.
From my experience, the best handling of such requirements is to
provide a write-only/change-subscribe interface similar to GConf/dconf.
This interface does not allow reading on-demand of random values, but
allows only subscription to change and write-value + publish change.
This approach forces programmer to write value-change handlers in
application code, which allows changing the value by anyone at any
moment.
Do you know any standalone library that implements such approach,
or do I need to implement custom solution in jabberd codebase?

5. JavaScript support.
Let's face it - JavaScript is all the hype today :-) It also is a very
good language for data processing. I think it would be a good solution
for implementation of modern XEP logic in sm component.
sm is implemented in C with all RFC required logic, and all XEPs are
loadable modules to sm and these add JEP/XEP functionality.
Having an option to implement XEP logic in JS instead of plain C,
should speed up recent and experimental XEP adoption in jabberd.
This raises concerns for jabberd2 as an embedded server though: current
jabberd2 is perfectly able to work fine on low resource machines such
as a DD-WRT router. Introducing a heavy JS JIT machine could change that.
But with the rise of fast, embeddable JavaScript interpreters like
Duktape [5] it should be a non-issue.

6. Proper logging.
jabberd2 has two logging facilities: log and debug_log, with log
logging only most interesting events and debug_log all the rest.
To aid debugging issues with your deployment you may enable 
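An added illustration (not the project's code) of the write-only/change-subscribe configuration interface proposed under point 4 above: components never read a key on demand; they register a handler that receives the current value once and every later change, so a value can be changed at runtime without restarting the daemon and without any stale copy of it lingering in the process. The key name c2s.require-starttls and the TlsPolicy consumer are assumptions made for the example:

```python
import threading


class ConfigStore:
    """Write-only / change-subscribe configuration after the GConf/dconf model.

    There is deliberately no get(): the only way to learn a value is to
    subscribe and be told, so every component keeps its own up-to-date copy
    through its change handler instead of a copy taken once at startup.
    """

    def __init__(self, initial=None):
        self._values = dict(initial or {})
        self._handlers = {}
        self._lock = threading.RLock()

    def subscribe(self, key, handler):
        """Register handler(key, value); it fires at once if the key has a value."""
        with self._lock:
            self._handlers.setdefault(key, []).append(handler)
            if key in self._values:
                handler(key, self._values[key])

    def set(self, key, value):
        """Write a value and publish the change to every subscriber of the key.

        Returns False when nothing changed, so callers can avoid needless
        reconfiguration (e.g. re-creating TLS contexts) on a no-op write.
        """
        with self._lock:
            if key in self._values and self._values[key] == value:
                return False
            self._values[key] = value
            handlers = list(self._handlers.get(key, ()))
        for handler in handlers:
            handler(key, value)
        return True


class TlsPolicy:
    """Example consumer (hypothetical component): it holds the live copy of
    one setting and is told about every change instead of reading config."""

    def __init__(self, store):
        self.require_starttls = True   # safe default until the store speaks
        self.history = []              # values seen, for the test/demo
        store.subscribe("c2s.require-starttls", self._on_change)

    def _on_change(self, key, value):
        self.require_starttls = bool(value)
        self.history.append(bool(value))

    def allow_plain_auth(self, channel_encrypted):
        """PLAIN is allowed on an encrypted channel, or when the policy is off."""
        return channel_encrypted or not self.require_starttls


if __name__ == "__main__":
    store = ConfigStore({"c2s.require-starttls": True})
    policy = TlsPolicy(store)
    print(policy.allow_plain_auth(channel_encrypted=False))  # False
    store.set("c2s.require-starttls", False)                  # runtime change
    print(policy.allow_plain_auth(channel_encrypted=False))  # True
```

Because the handler is the only path to the value, a component cannot accidentally keep "a copy or a direct pointer" that goes stale when an administrator (or an XEP-0133 command) changes the setting; the change is pushed to every holder.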

Re: jabberd-2.4.0 release

2016-05-28 Thread Tomasz Sterna
On Sat, 28.05.2016 at 11:48 -0700, li...@lazygranch.com wrote:
> Right. But what exactly do I update?

Sorry... I am a Linux guy, not familiar with FreeBSD internals.

But I am pretty sure, FreeBSD also has some kind of dynamic linker.
Seek its documentation.


> I don't understand this:
> > remember to update /etc/ld.so.conf too
> Common issue is to build jabberd2 against libraries in non-standard
> path and then jabberd2 fails to run, because dynamic linker cannot
> find
> these libraries.
> This is a reminder, to update dynamic linker configuration file.



-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Re: jabberd-2.4.0 release

2016-05-28 Thread Tomasz Sterna
On Fri, 27.05.2016 at 23:57 -0700, li...@lazygranch.com wrote:
> I don't understand this:
> remember to update /etc/ld.so.conf too

A common issue is to build jabberd2 against libraries in a non-standard
path, and then jabberd2 fails to run because the dynamic linker cannot
find these libraries.
This is a reminder to update the dynamic linker configuration file.


-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Re: jabberd-2.4.0 release

2016-05-28 Thread Tomasz Sterna
On Fri, 27.05.2016 at 19:14 -0700, li...@lazygranch.com wrote:
> Do you have both expat and its headers installed?
> Verify headers:
> /usr/local/include
> 
> So is this a flag or environment variable I need to set?

Yes.

$ ./configure --help
[...]
  --with-extra-include-path
                          use additional include paths
  --with-extra-library-path
                          use additional library paths (remember to
                          update /etc/ld.so.conf too)



-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Re: jabberd-2.4.0 release

2016-05-27 Thread Tomasz Sterna
On Fri, 27.05.2016 at 00:09 -0700, li...@lazygranch.com wrote:
> Actually I had downloaded  jabberd-2.4.0.tar.gz. [...]
> Doing some internet search, it is suggested the procedure should be:
> aclocal
> automake --add-missing
> autoconf
> ./configure

Using jabberd-2.4.0.tar.gz you do not need to do autotools stuff.
Just:

./configure
make
sudo make install


> I get this error message:
> --
> checking for XML_ParserCreate in -lexpat... no
> configure: error: Expat not found

configure cannot find Expat [1].
Do you have both expat and its headers installed?

[1] http://www.libexpat.org/

-- 
 /o__ 
(_<^'  Honk if you are against noise pollution!





Re: jabberd-2.4.0 release

2016-05-26 Thread Tomasz Sterna
On Thu, 26.05.2016 at 19:46 -0700, li...@lazygranch.com wrote:
> This is from my attempt to compile the tar.gz file after doing
> autoreconf -i
> ./configure
> 
> I get
> ./configure: 12735: Syntax error: word unexpected (expecting ")")


Do not use the source labeled "Source code (tar.gz)" - this is plain
git source dump, not ready for direct consumption.

Use the source labeled jabberd-2.4.0.tar.xz or jabberd-2.4.0.tar.gz
(the ones with .asc signatures). These are prepared, with ./configure
script etc. generated.



P.S. or install the autoconf-archive package

-- 
 /o__ 
(_<^'  As famous as the unknown soldier.





Re: Trying to unsubscribe

2016-05-24 Thread Tomasz Sterna
On Tue, 24.05.2016 at 03:24 +0100, David Woodfall wrote:
> I've tried 2 or 3 times to unsubscribe from this list. Each time I
> get acknowledgement that I have done so, but I still receive mail.
> The list owner address doesn't seem to exist too.
> If a list admin reads this, please unsubscribe me.

Should be fixed now. SELinux intervened... ;-)
Thanks for the report.

I just went through whole subscribe-confirm-unsubscribe-confirm process
without issues.


-- 
 /o__ 
(_<^' A Fortran compiler is the hobgoblin of little minis.






Re: jabberd-2.4.0 release

2016-05-23 Thread Tomasz Sterna
On Mon, 23.05.2016 at 15:38 -0400, Greg Troxel wrote:
> Does this imply that it should be safe, aside from cautions in NEWS,
> to update a machine running 2.3.x to 2.4.0?

Yes. No breaking changes.

> Often a minor version change indicates something more dramatic than
> bugfixes, so I thought I would ask.

I am attempting to follow http://semver.org/ so every release should
bring up MINOR number, with PATCH reserved for fixing screw-ups in
MINOR release.

2.4.0 fixes bugs in XMPP/XEP/daemons implementation, not in the release
process itself.

So, expect 2.5.0 to follow up, not 2.4.1.



-- 
 /o__ 
(_<^' Captain's Log, star date 21:34.5...





jabberd-2.4.0 release

2016-05-22 Thread Tomasz Sterna
Next jabberd2 release is available.

Get 2.4.0 release at GitHub:
https://github.com/jabberd2/jabberd2/releases


This is a bugfix release.

Make sure to read the NEWS before upgrade:
https://github.com/jabberd2/jabberd2/blob/jabberd-2.4.0/NEWS


Changes:
 * Check for C99 support in compiler
 * Count RIO bytes and check against max stanza size
 * Gracefully drop unhandled HTTP connections
 * wss:// (WebSocket over SSL) support in c2s
 * Allow BareJID S10N packets
 * Fallback to connecting S2S using local.ip when none of the origin.ip
   works
 * Removed explicit SQLite transactions
 * SQLite postconnect SQL support
 * SQLite DB setup script improvements
 * Many Coverity Scan and cppcheck detected issues fixed
 * Properly lowercase SASL mechanisms in c2s
 * Support out-of-source build

https://github.com/jabberd2/jabberd2/commits/jabberd-2.4.0



-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Re: online/offline with a pipe in SM

2016-05-12 Thread Tomasz Sterna
On Thu, 12.05.2016 at 15:52 +0200, Igor Zarraga wrote:
> For me it would be good to have a module of SM to make a pipe and
> send online/offline events of sessions to another system (like
> authreg_pipe).  Perhaps it blocks sm sending these events and affects
> the scalability of the system.

This is a cool idea.

Please create a feature request on:
 https://github.com/jabberd2/jabberd2/issues/new
and I will see into this.


-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Re: self signed cert

2016-05-07 Thread Tomasz Sterna
On Tue, 03.05.2016 at 16:51 -0700, li...@lazygranch.com wrote:
> I know when I used a web hosting company to handle my email, I would
> yearly have to blindly trust the new cert.

And this exact behavior I'd like to eradicate.

Most users do not bother to check whether they are blindly accepting
the right certificate, or a certificate provided by a man in the middle.



-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Re: self signed cert

2016-05-03 Thread Tomasz Sterna
On Tue, 03.05.2016 at 12:34 -0700, li...@lazygranch.com wrote:
> I'm not following you here. You still have encryption with a self
> signed cert, but no trust. But if you can't trust yourself, who else
> can you trust? 

If you have a reliable way of distributing your certificate, then yes.
But then you are acting as a CA, so why not use a real one?

But if you just accept whatever cert server provides you with (like
most people connecting self-signed service), then you have no more
protection than on unencrypted connection.


> On public wifi without the self signed cert, the conversation could
> be read, not to mention login credentials.

Using a man-in-the-middle attack, even the encrypted conversation could
be read - see the above scenario with accepting the server-provided cert.

And the default configuration of jabberd2 is not to allow plain text
passwords on an unencrypted channel, so you cannot read the login
credentials.


> Take "letsencrypt" for example. Prior to adding their certificates to
> my root store, I could still get encryption, provided I let my
> browser go ahead. I just could trust the website identity. 

But you are not sure of the identity. You could as well be trusting the
man-in-the-middle proxying your communication and posing as the website.


> The Hong Kong Post Office is a CA, but I don't really trust them. ;-)

Why?
They passed the audit checking whether they reliably verify the
credentials before signing certs.


> But xmpp doesn't have the downgrade option. 

You do not need to downgrade to an unencrypted channel. A MITM can as well
proxy an encrypted connection on both sides, decrypting/encrypting on
the fly. As long as clients accept self-signed certs blindly, without
consulting the CA registry.



-- 
 /o__ Documentation is like sex: when it is good, it is very, very good; and
(_<^' when it is bad, it is better than nothing.





Re: self signed cert

2016-05-03 Thread Tomasz Sterna
On 03.05.2016, Tue at 02∶12 -0700, user li...@lazygranch.com wrote:
> jabberd2 version(2.3.6)
> I followed these instructions:
> https://github.com/jabberd2/jabberd2/wiki/InstallGuide-OpenSSLConfiguration
> [...]
> SM  : sx (ssl.c:405) secure channel not established, handshake in
> progress
> SM  : sx (ssl.c:59) verify error:num=18:self signed
> certificate:depth=0:/C=US/ST=state/L=city/O=none/OU=none
> /CN=mydomain.org/emailAddress=webmas...@mydomain.org
> 

I guess I could catch X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT (18)
in SSL_CTX_set_verify callback and pass the cert through,
but I'm ambivalent about it...

We should really discourage use of self-signed certificates.
On the other hand, it really speeds-up test deployments.

Maybe have it as an option, to enable if you really, really need to use
self-signed certificates?

What do you think?


-- 
smoku @ http://abadcafe.pl/ @ http://xiaoka.com/





Re: self signed cert

2016-05-03 Thread Tomasz Sterna
On 03.05.2016, Tue at 06∶22 -0700, user li...@lazygranch.com wrote:
> So the documentation on generating a self signed cert is not
> correct.

It is (for the lack of better word) ancient.
Unfortunately, there is no one willing to work on improving it.


> Isn't the key generated in that document technically the root CA?

I think so.



-- 
 /o__ Q: What is the difference between a duck?
(_<^' A: One leg is both the same.





Re: self signed cert

2016-05-03 Thread Tomasz Sterna
On 03.05.2016, Tue at 02∶12 -0700, user li...@lazygranch.com wrote:
> How exactly do I specify the cachain for a self signed cert.

You need to put the root CA used to sign the cert into the CA certs
store specified in the 'cachain' option.

This is to encourage deployments to stop using self-signed certs, of
questionable security, and instead get a real cert.
You can get real, widely accepted certs for free.


> I get openssl error 18 meaning it can't be verified. Setting
> verify-mode='0' didn't help.

verify-mode sets how the server should verify client-provided
certificates. 0 (SSL_VERIFY_NONE[1]) is the default.



[1] https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_verify.html

-- 
 /o__ 
(_<^' I respect faith, but doubt is what gives you an education.





Re: Can't log in;starttls;freebsd 10.2 ; jabberd2 version(2.3.6)

2016-05-02 Thread Tomasz Sterna
On 01.05.2016, Sun at 18∶57 -0700, user li...@lazygranch.com wrote:
>  realm="MYDOMAIN>COM"
> permfile="/usr/local/etc/jabberd/jabber.pem"
> ciphers="TLSv1.2, TLSv1.0"

This is incorrect.
See: 
http://abadcafe.pl/post/136618589813/configure-jabberd-2-for-xmppnet-score-a

> require-starttls='true'

You require StartTLS, let's remember that.

> register-enable='false'
> password-change='false'

This is incorrect. These values work by setting them or not setting
them - the value itself is irrelevant.



> C2S : sx (io.c:301) encoding 250 bytes for writing:  version='1.0'?>
>  xmlns='jabber:client' from='MYDOMAIN.COM' version='1.0' 
> id='LONGRANDOM' xmlns:ack='http://www.xmpp.org/extensions/xep-0198.ht
> ml#ns'>;
> 
> C2S : sx (sasl.c:260) ssl not established yet but the app requires
> it, not offering mechanisms

Here's a first clue.
Your server said that it requires SSL, and your connection is not SSL
yet, so it won't offer any auth mechanisms.

Even though auth was not offered yet, your client attempted
authentication:

> C2S : sx (io.c:255) decoded read data (176 bytes):  id="_xmpp_auth1" 
> type="set"> xmlns="jabber:iq:auth">SOMEUSERPASSWOR
> D
> profanity

No wonder server borked on it.

> C2S : Mon May  2 01:08:12 2016 c2s.c:392 pre STARTTLS packet,
> dropping

It even gave you a plain text description of what went wrong:

> C2S : sx (error.c:79) prepared error:  xmlns:stream='http://etherx.jabber.org/streams'>;
> 
> 
> STARTTLS is required for this stream
  


I suggest using a standards-conformant XMPP client for your tests.
It will make your life much easier. :-)



-- 
 /o__ Q: What's a light-year?
(_<^' A: One-third less calories than a regular year.






Re: Accepted presence subscription never signaled to the subscriber

2016-04-01 Thread Tomasz Sterna
On 01.04.2016, Fri at 15∶06 +0200, user Philipp Jacob wrote:
>  from='localhost' to='localhost'>
>  type='subscribed' to='gloox@localhost'/>
> 
> sx (io.c:301) encoding 210 bytes for writing:  sx (io.c:255) decoded read data (210 bytes):
>  to='localhost' from='localhost'>
>    type='subscribed' from='user1@localhost/testclient'/>
> 
> (io.c:96) completed nad: https://github.com/jabberd2/jabberd2/issues/new


-- 
 /o__  A verbal contract isn't worth the paper it's written on. Include
(_<^'  me out. -Samuel Goldwyn





Re: Accepted presence subscription never signaled to the subscriber

2016-04-01 Thread Tomasz Sterna
On 01.04.2016, Fri at 11∶04 +0200, user Philipp Jacob wrote:
> In the router's debug output I can see the incoming subscribed
> presence stanza from the contact:
> sx (io.c:255) decoded read data (323 bytes):  to='localhost'> sc:sm='621b457a7181f454ca07bb4326e73e67096ed383' sc:c2s='10'
> from='user1@localhost/testclient' type='subscribed'
> to='gloox@localhost'/>

I'm pretty sure the router routed it from 'c2s' to 'localhost' as
requested.

Take a look at sm debug log of 'localhost' to see what happened with
that stanza there.

According to RFC 6121 section 3.1.5, the server should:
replace from='user1@localhost/testclient' with from='user1@localhost';
then push the roster item to all of user1's (interested) resources;
and finally send the presence to gloox.



-- 
 /o__  "I always avoid prophesying beforehand because it is much better
(_<^'  to prophesy after the event has already taken place. " - Winston






Re: jabberd-2.3.6 release

2016-02-29 Thread Tomasz Sterna
On 29.02.2016, Mon at 13∶14 +0300, user ungifte...@gmail.com wrote:
> > Next jabberd2 release is available.
> 
> Have to emerge autoconf-archive for new coloring feature

Do you build from bare GitHub source?

This macro should get included in the release archive, which does not
require any autotools packages installed for building.


-- 
 /o__ Q: How many Martians does it take to screw in a light bulb?
(_<^' A: One and a half.






jabberd-2.3.6 release

2016-02-27 Thread Tomasz Sterna
Next jabberd2 release is available.

Get 2.3.6 release at GitHub:
https://github.com/jabberd2/jabberd2/releases


This is a major bugfix release.

The main change is that WebSocket connections are now fully working and
stable.
Also, if you are using MUC, you want to upgrade, as the 2.3.5 direct presence
bug prevented users from entering MUC rooms.

Make sure to read the NEWS before upgrade:
https://github.com/jabberd2/jabberd2/blob/jabberd-2.3.6/NEWS


Changes:
 * Support WebSocket fragmented packets
 * Fixed delivering directed presence (to self)
 * Reset in-sess 'from' to FullJID on non-Presence packets

https://github.com/jabberd2/jabberd2/commits/jabberd-2.3.6



-- 
 /o__ 
(_<^'  It's more than magnificent - it's mediocre. -Samuel Goldwyn





jabberd-2.3.5 release

2016-01-28 Thread Tomasz Sterna
Next jabberd2 release is available.

Get 2.3.5 release at GitHub:
https://github.com/jabberd2/jabberd2/releases


This is a major bugfix release with a few new features.

It fixes a recently discovered issue with secure generation of dialback keys.
The user verification via e-mail module should help with spam bot registrations.

Make sure to read the NEWS before upgrade:
https://github.com/jabberd2/jabberd2/blob/jabberd-2.3.5/NEWS


Changes:
 * Module to verify users using e-mail
 * Reordered MIO backends priority
 * Skip non-existing blowfish i386 assembler code
 * Use CSPRNG for dialback keys
 * Allow presence probing own connections
 * Use OpenSSL functions for base64 en/decoding when available
 * Option to dump packet-filter matched packets to file

For a full change log see:
https://github.com/jabberd2/jabberd2/commits/jabberd-2.3.5



-- 
 /o__ 
(_<^' It's ten o'clock; do you know where your processes are?
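The CSPRNG fix in the release above concerns the secret behind dialback keys. As an added example, not jabberd2's own code, here is the key construction XEP-0220 recommends (HMAC-SHA256 keyed with the hex SHA-256 of a per-server secret, over "receiving originating stream-id"), written in Python with the secret drawn from the operating system CSPRNG via the secrets module and a constant-time comparison on the verifying side. The domain names, stream id and secret are constructed sample values.

```python
import hashlib
import hmac
import secrets


def generate_dialback_secret(nbytes: int = 32) -> bytes:
    """Per-server secret from the OS CSPRNG (secrets is backed by os.urandom).

    A secret drawn from a seeded PRNG such as random.Random could be
    reproduced by a peer that learns or guesses the seed, which would let
    it mint valid keys for domains it does not own.
    """
    return secrets.token_bytes(nbytes)


def dialback_key(secret: bytes, receiving: str, originating: str, stream_id: str) -> str:
    """XEP-0220 key: HEX(HMAC-SHA256(HEX(SHA256(secret)), recv + ' ' + orig + ' ' + id))."""
    hashed_secret = hashlib.sha256(secret).hexdigest().encode("ascii")
    message = f"{receiving} {originating} {stream_id}".encode("utf-8")
    return hmac.new(hashed_secret, message, hashlib.sha256).hexdigest()


def verify_dialback_key(secret: bytes, receiving: str, originating: str,
                        stream_id: str, presented: str) -> bool:
    """Authoritative-side check of a key the receiving server passes back.

    compare_digest keeps the comparison time independent of where the
    first mismatching character is.
    """
    expected = dialback_key(secret, receiving, originating, stream_id)
    return hmac.compare_digest(expected, presented.lower())


# Constructed sample values for the demonstration, not a real deployment.
SECRET = b"constructed-secret-for-the-example"
RECEIVING, ORIGINATING, STREAM_ID = "xmpp.example.com", "example.org", "D60000229F"
EXAMPLE_KEY = dialback_key(SECRET, RECEIVING, ORIGINATING, STREAM_ID)

if __name__ == "__main__":
    print("key:", EXAMPLE_KEY)
    print("verifies:", verify_dialback_key(SECRET, RECEIVING, ORIGINATING, STREAM_ID, EXAMPLE_KEY))
    print("forged domain verifies:",
          verify_dialback_key(SECRET, RECEIVING, "other.example", STREAM_ID, EXAMPLE_KEY))
```

The key binds both domains and the stream id, so a key captured from one stream is useless on another; the whole scheme still rests on the secret being unpredictable, which is what the CSPRNG change addresses.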





Re: missing presence packet

2015-12-06 Thread Tomasz Sterna
On 04.12.2015, Fri at 15∶05 -0500, user Stepan Salenikovich wrote:
> So I'm looking for suggestions as to how this could be debugged... or
> any tips as to where to look.

Turn on debug logs (-D) on both c2s and sm and analyse what happens when
A logs back on.


-- 
 /o__ 
(_<^' I'm a soldier, not a diplomat. I can only tell the truth.





Re: Configuration of SSL?

2015-11-20 Thread Tomasz Sterna
On 20.11.2015, Fri at 15∶25 +0100, user Matěj Cepl wrote:
> On 2015-11-19, 22:58 GMT, Tomasz Sterna wrote:
> > I have builds for recent Fedora versions on OBS [1], but
> 
> I prefer to help with maintaining true Fedora/EPEL packages.

Understandable.
Could you please add "--enable-mio" as in [1], because as it is now,
Fedora builds jabberd2 with select() backend, which gets laggy with
thousands of connections.

[1] 
https://build.opensuse.org/package/rdiff/home:smoku:jabberd/jabberd?linkrev=base=11


P.S. These are official Fedora SRPMs, updated to the latest source only.
I do not have the luxury of waiting for Fedora to catch up after a release,
or a bugfix, so I need to build my own packages.

-- 
 /o__ 
(_<^'  We're overpaying him, but he's worth it. -Samuel Goldwyn





Re: Configuration of SSL?

2015-11-19 Thread Tomasz Sterna
On 19.11.2015, Thu at 20∶42 +0100, user Matěj Cepl wrote:
> OK, then I'm doomed. :) Don't worry, I can live with a C mark
> pretty well.

I have builds for recent Fedora versions on OBS [1], but RHEL/CentOS
are missing crucial dependencies, so I cannot build for these.


[1] https://build.opensuse.org/project/repositories/home:smoku:jabberd

-- 
 /o__ "You're very sure of your facts, " he said at last, "I 
(_<^' couldn't trust the thinking of a man who takes the Universe 





Re: Configuration of SSL?

2015-11-18 Thread Tomasz Sterna
On 18.11.2015, Wed at 11∶30 +0100, user Matěj Cepl wrote:
> So, I would like to switch off RC4 which is really an obsolete
> nonsense. With Apache I can do it in its configuration, is it
> possible to do it somehow for jabberd2?

in c2s.xml in  section set:

    ceplovi.cz

to get A score.


-- 
 /o__ 
(_<^' Your education begins where what is called your education is over.





Re: XMPP SPAM

2015-11-09 Thread Tomasz Sterna
On 2015-11-09, Mon at 21:18 +0100, Simon Josefsson writes:
> how people handle this?

My solution is:
# firewall-cmd --permanent --add-rich-rule="rule family=ipv4 source address=193.105.240.126 reject"


-- 
 /o__ Is truth not truth for all?
(_<^'  the Sky", stardate 5476.4.





Re: jabberd-2.3.4 release

2015-10-30 Thread Tomasz Sterna
On 2015-10-30, Fri at 15:45 +0300, ungifte...@gmail.com writes:
> On 30.10.2015 12:17, Tomasz Sterna wrote:
> > With this release jabberd2 joins HTTP realm with WebSocket client
> 
> It needs http-parser for websockets, but configure doesn't check it.

It does check it, when you do:
./configure --enable-websocket

The bug that http_parser.h gets included even when websocket is not
enabled is already fixed:
https://github.com/jabberd2/jabberd2/commit/b861b9c72adc732cbdfbac4eb8a4205126227f6b


P.S. It's better to report bugs via GitHub rather than the ML.
https://github.com/jabberd2/jabberd2/issues/new


-- 
 /o__ 
(_<^' Whom the gods wish to destroy they first call promising.






Re: Message injection

2015-09-02 Thread Tomasz Sterna
On 2015-09-01, Tue at 09:23 -0600, Kyle Waters writes:
> I'm able to insert a message into the queue table and have it pop up
> for a user the next time they log in. Is there a way to submit a
> message and have it show up immediately for a logged in user without
> going through client authentication?

jabberd2 was never designed to allow messing with storage directly.
The storage module is opaque and you should not touch it, bypassing the
daemon.

It's not that hard to connect to the daemon over a client or component
connection to inject a message. [1]


[1] http://stackoverflow.com/questions/170503/commandline-jabber-client


-- 
 /o__  Talking about a piece of movie dialogue: Let's have some new
(_<^'  cliches. -Samuel Goldwyn






Re: testing jabberd2 TLS with openssl s_client

2015-05-08 Thread Tomasz Sterna
On 2015-05-08, Fri at 22:47 +0200, Guenther Kuenzel writes:
> What I expect is a dump of the certificate chain, like it is with all
> other protocols which are supported by openssl s_client.
> Any ideas?

Misconfigured server?

With my server it works just fine...

23:34 ~ $ openssl s_client -CApath /etc/ssl/certs -starttls xmpp -connect 
chrome.pl:5222
CONNECTED(0003)
depth=1 C = IL, O = StartCom Ltd., OU = Secure Digital Certificate Signing, CN 
= StartCom Class 1 Primary Intermediate Server CA
[...]
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom 
Class 1 Primary Intermediate Server CA
 1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom 
Class 1 Primary Intermediate Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom 
Certification Authority
[... and so on ...]
 


-- 
 /o__ Q: How do you stop an elephant from charging?
(_<^' A: Take away his credit cards.




jabberd-2.3.3 release

2015-04-13 Thread Tomasz Sterna
Next jabberd2 release is available.

Get 2.3.3 release at GitHub: https://github.com/jabberd2/jabberd2/releases


This is a bugfix release with a few new features added.


Changes:
- Support for RSA/DH/ECDH key agreement
- bcrypt support for MySQL storage
- C2S per session user data & authreg auth API extensions
  for custom authreg backends
- Option to provide a custom OpenSSL library path

For a full change log see: 
https://github.com/jabberd2/jabberd2/commits/jabberd-2.3.3




-- 
 /o__ Q: How many IBM CPU's does it take to do a logical right shift?
(_<^' A: 33. 1 to hold the bits and 32 to push the register.





Re: STARTTLS connection on jabberd2

2015-02-26 Thread Tomasz Sterna
On 2015-02-26, Thu at 12:00 +0100, Matěj Cepl writes:
> https://bugzilla.redhat.com/show_bug.cgi?id=1179229. What do you think
> about my comment 3 and the attached patch?

I have no idea.
My knowledge of TLS is close to vague.


-- 
 /o__ Q: What do monsters eat?
(_<^' A: Things.





Re: XEP-0138 uncontrolled resource consumption ???

2015-02-26 Thread Tomasz Sterna
On 2015-02-26, Thu at 01:38 +0100, Matěj Cepl writes:
> could anybody confirm that
> http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/

As you can see at
https://github.com/jabberd2/jabberd2/blob/f6225f9cc5af93835285a0a788479978d271ee38/sx/io.c#L64
stanza_size_limit is enforced on the unencrypted/uncompressed bare stanza data.
So if the lower layer (sx compress plugin) feeds too much data, the
connection is torn down.


-- 
 /o__ Q: How do you stop an elephant from charging?
(_^' A: Take away his credit cards.
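The enforcement described above, as an added example that is not jabberd2's own code: a bounded inflater in Python that applies the stanza size limit to the inflated output rather than to the compressed input, so a few kilobytes of highly compressed data cannot make the parser allocate without bound. The limit value and the two sample payloads are constructed for the example.

```python
import zlib

# Constructed for this example: an assumed limit and two sample payloads.
STANZA_SIZE_LIMIT = 65536  # bytes of *inflated* data, in the spirit of sx's stanza_size_limit
SMALL_STANZA = b"<message to='a@example.net'><body>hi</body></message>"
# A few kilobytes on the wire that inflate to several megabytes.
BOMB_STANZA = b"<message><body>" + b"A" * (4 * 1024 * 1024) + b"</body></message>"
COMPRESSED_SMALL = zlib.compress(SMALL_STANZA)
COMPRESSED_BOMB = zlib.compress(BOMB_STANZA)


class StanzaTooLarge(Exception):
    """Raised when inflated data would exceed the stanza size limit."""


def inflate_bounded(compressed: bytes, limit: int = STANZA_SIZE_LIMIT) -> bytes:
    """Inflate a complete zlib stream, producing at most `limit` bytes.

    decompressobj.decompress(data, max_length) stops emitting output after
    max_length bytes and parks the unprocessed input in unconsumed_tail, so
    asking for limit + 1 bytes detects an overrun with a bounded allocation
    no matter how compressible the input is.
    """
    d = zlib.decompressobj()
    out = d.decompress(compressed, limit + 1)
    if len(out) > limit or d.unconsumed_tail:
        raise StanzaTooLarge(
            f"inflated data exceeds {limit} bytes; tearing down the connection")
    # Anything the stream still buffers must fit within the limit as well.
    out += d.flush()
    if len(out) > limit:
        raise StanzaTooLarge(
            f"inflated data exceeds {limit} bytes; tearing down the connection")
    return out


def accept_compressed_stanza(compressed: bytes, limit: int = STANZA_SIZE_LIMIT):
    """Return the inflated stanza, or None when the connection should be dropped."""
    try:
        return inflate_bounded(compressed, limit)
    except StanzaTooLarge:
        return None


if __name__ == "__main__":
    verdict = "dropped" if accept_compressed_stanza(COMPRESSED_BOMB) is None else "accepted"
    print(f"{len(COMPRESSED_BOMB)} compressed bytes -> {len(BOMB_STANZA)} inflated: {verdict}")
    print(accept_compressed_stanza(COMPRESSED_SMALL))
```

Checking the limit after a full decompress would defeat the purpose, since the allocation has already happened by then; the max_length argument is what keeps the peak memory proportional to the configured limit rather than to what the peer chose to send.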





Re: STARTTLS connection on jabberd2

2015-02-26 Thread Tomasz Sterna
On 2015-02-26, Thu at 01:09 +0100, Matěj Cepl writes:
> pemfile=/etc/pki/tls/certs/luther.ceplovi.cz-intermediate.crt

.crt suggests that this is the certificate only.
You need a .pem with the full chain of all certificates from the CA to your
certificate (if not present in the global ca-certificates) and the private
key, concatenated together in one file.



-- 
 /o__  Talking about a piece of movie dialogue: Let's have some new
(_^'  cliches. -Samuel Goldwyn
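The 'cachain' answer earlier in this thread and the pemfile answer above both come down to what the server is handed in its PEM bundle. As an added example, not jabberd2's own code, here is a pure-Python structural check for such a bundle: it parses every PEM block, verifies the base64 and the outer DER framing, and requires at least one certificate plus exactly one private key, which is the shape the answer above asks for. It does not verify subject/issuer linkage between the certificates (that needs an X.509 parser, which the standard library lacks). The sample bundles and the placeholder DER content are constructed for the example and are not real certificates or keys.

```python
import base64
import re

# Labels a pemfile may carry for its private key (PKCS#8 and the legacy forms).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_total_length(der: bytes) -> int:
    """Header plus content length of the outer DER SEQUENCE in `der`."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: length fits in one octet
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def parse_pem_blocks(text: str):
    """Return [(label, der)] for each block, validating base64 and DER framing."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as e:
            raise ValueError(f"{label}: body is not valid base64") from e
        if der_total_length(der) != len(der):
            raise ValueError(f"{label}: DER length does not match block size")
        blocks.append((label, der))
    return blocks


def check_pemfile(text: str) -> dict:
    """Structural check of a pemfile: certificate(s) plus exactly one private key."""
    blocks = parse_pem_blocks(text)
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0] in KEY_LABELS]
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    return {"certificates": len(certs), "private_keys": 1}


def pemfile_problem(text: str):
    """None if the bundle passes, otherwise the reason it would not be usable."""
    try:
        check_pemfile(text)
        return None
    except ValueError as e:
        return str(e)


def pem_block(label: str, der: bytes) -> str:
    """Wrap DER bytes in a PEM block (used here only to build sample input)."""
    return (f"-----BEGIN {label}-----\n"
            + base64.encodebytes(der).decode("ascii")
            + f"-----END {label}-----\n")


# Constructed stand-ins: DER SEQUENCE { INTEGER 1 }, not a real certificate or key.
PLACEHOLDER_DER = bytes.fromhex("3003020101")
CRT_ONLY = pem_block("CERTIFICATE", PLACEHOLDER_DER)              # like a bare .crt file
FULL_BUNDLE = (pem_block("CERTIFICATE", PLACEHOLDER_DER)           # server certificate
               + pem_block("CERTIFICATE", PLACEHOLDER_DER)         # intermediate CA
               + pem_block("PRIVATE KEY", PLACEHOLDER_DER))        # the private key
TRUNCATED = pem_block("CERTIFICATE", bytes.fromhex("3005020101"))  # declares 5 bytes, has 3

if __name__ == "__main__":
    for name, text in [("crt only", CRT_ONLY), ("full bundle", FULL_BUNDLE),
                       ("truncated", TRUNCATED)]:
        print(f"{name}: {pemfile_problem(text) or 'ok'}")
```

Run against the real file, pemfile_problem(open(path).read()) tells you in one line whether the bundle is a bare certificate, is missing or doubling the key, or was cut off while being concatenated; the order OpenSSL expects (server certificate first, then the chain) still has to be checked by eye or with an X.509-aware tool.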





Re: Some users cannot connect after upgrade from 2.2.17 to 2.3.2

2014-12-27 Thread Tomasz Sterna
On 2014-12-21, Sun at 20:44 +0100, Eric Koldeweij writes:
> Sun Dec 21 14:00:38 2014 c2s.c:439 pre-session packet, bye
> Sun Dec 21 14:00:38 2014 [notice] [20] packet sent before session
> start, closing stream

IIRC this is a buggy behavior of libpurple based clients (i.e. Pidgin),
which start the session, but do not wait for session establishment and
send more packets immediately after.




-- 
Tomasz Sterna   :(){ :|:};:
Instant Messaging Consultant   Open Source Developer 
http://abadcafe.pl/  http://xiaoka.com/portfolio





Re: BOSH - XMPPoWS

2014-09-12 Thread Tomasz Sterna
On 2014-09-12, Fri at 09:29 +0200, Marek Červenka writes:
> Does jabberd2 accept '=' in final digest-md5 response?

IIRC there was a bug reported for this, and it was already fixed long
time ago...


> solved
> it was not on the jabberd2 side

Glad to hear that. :-)






Re: jabberd2 web presence

2014-09-04 Thread Tomasz Sterna
On 2014-09-04, Thu at 16:14 +0200, Marek Červenka writes:
> added to
> https://github.com/jabberd2/jabberd2/wiki/WebPresence (addons)

Thanks.
I added a note about webstatus resource.


-- 
Tomasz Sterna   :(){ :|:};:
Instant Messaging Consultant   Open Source Developer 
http://abadcafe.pl/  http://xiaoka.com/portfolio





Re: xhash and it's key

2014-08-29 Thread Tomasz Sterna
On 2014-08-28, Thu at 17:51 +, Shawn Debnath writes:
> The problem is that it breaks scenarios where the user may
> use a temp buffer to build the key, then insert or put it in the xhash
> and then free the buffer memory.

This is invalid use of xhash.

> Assumption here is that xhash code
> would allocate necessary buffer to store internal data and not rely on
> user supplied memory to maintain its internal data structures.

There is no such assumption.
It's a gotcha waiting for every new jabberd2 dev. ;-)

> Any ideas if there was a particular reason this was designed this way? I
> imagine, in most of the cases the key is inside the object being stored
> so it works out.

This is for efficiency reasons.
Strings in jabberd are usually coming from incoming NADs (notice
xhash_putx() taking the len of the key) or being allocated in memory
pools associated with objects.
It would be a waste of memory and CPU to make a copy each time an object
gets stored in a hash or removed from a hash.
Also, when these strings are part of the object they identify, memory
management is as easy as freeing the object and its associated memory
pool (assuming it was already removed from all its references, including
xhashes).

> However, as you can see, the xhash implementation
> can't be fully exploited/used.

The fact you are allocating object identifier strings on stack/heap is a
sign of bad design.
Could you rethink your design to include the identifier as a part of the
object it names?





Re: jabberd2 web presence

2014-08-29 Thread Tomasz Sterna
On 2014-08-28, Thu at 21:24 +0200, Marek Červenka writes:
> can you recommend plugin for web presence for jabberd2?
> something like http://www.jabbim.com/services-status-icon.html

No need for a plugin.
Built-in mod_status stores user presence in 'status' table.
You just need to build a web frontend for this table.





Re: c2s per session user data authreg auth API extension

2014-08-14 Thread Tomasz Sterna
On 2014-08-14, Thu at 04:27 +, Shawn Debnath writes:
> - Build a hash table of relevant data and store it in the authreg_t
>   private data member.

Agreed, that needed internal bookkeeping makes it not feasible.


> - Retrofit existing interfaces with the necessary data.
>   a. Introduce void *sess_private in sess_t.

It's not really sess_private, but authreg_private, right?


>   int (*create_challenge)(authreg_t ar, sess_private *data,
> const char *username, const char *realm, const char *challenge,
> int maxlen);
>   int (*check_response)(authreg_t ar, sess_private *data,
> const char *username, const char *realm, const char *resource,
>  const char *challenge, const char *response);
>
>   Pros: Maintain same methods but new parameters, faster approach.
>   Cons: (BIG)breaks everyone out there. In some cases, other 3rd parties
> may want similar mechanism for plain text login as well and this
> approach wouldn't work for them.

Agreed.
I think we should extend all authreg calls with a pointer to session
attached, authreg private data.
In the simplest case it could even be set to point to sess_st, for the
mechanism to dig in the session by itself.
This is how it is done all around jabberd2.

Also good point, that create_challenge misses realm parameter.

If we go for it, we will just release 2.4.x line which hints API
breakage. ;-)


>   /* Extension for custom authentication providers */
>   int (*custom_auth_get)(authreg_t ar, authdata_t data);
>   int (*custom_auth_set)(authreg_t ar, authdata_t data);

I don't like this approach for two reasons.
- custom_auth does not really mean anything. As it is now it is clean -
either we have password verification, or challenge/response.
- custom_auth is used in ar_mechs & AR_MECH_TRAD_CRAMMD5, so it is not
really custom, but CRAM-MD5, right?


Let's just implement CRAM-MD5 properly, with all needed features, even
if it means API changes.
We're open source - we are not afraid to change things. :-)

-- 
smk





Re: c2s per session user data authreg auth API extension

2014-08-14 Thread Tomasz Sterna
On 2014-08-14, Thu at 16:20 +, Shawn Debnath writes:
> I would change all the APIs to pass in a pointer to the sess_t as
> I also need it in check_password.

I would advise to include sess_t* in authreg_private then.

It's OK for authreg to dig around session data, but the API should be
flexible enough to give option to pass anything as authreg_private, not
only sess_t*.


-- 
Tomasz Sterna   :(){ :|:};:
Instant Messaging Consultant   Open Source Developer 
http://abadcafe.pl/  http://xiaoka.com/portfolio





Re: c2s per session user data authreg auth API extension

2014-08-14 Thread Tomasz Sterna
On 2014-08-14, Thu at 23:45 +, Shawn Debnath writes:
> I have modified the
> APIs to pass sess_t and then the implementation can choose to pack it
> in their private authreg_private data if they so choose.

WFM :-)


-- 
Tomasz Sterna   :(){ :|:};:
Instant Messaging Consultant   Open Source Developer 
http://abadcafe.pl/  http://xiaoka.com/portfolio





Re: Clustering support

2014-08-04 Thread Tomasz Sterna
On 2014-08-04, Mon at 17:44 +0530, Kumar Deepak writes:
> Are you suggesting I shall run a single instance of Router and run
> multiple instances of other components (SM, S2S & C2S)?

Yes.

> In this case, router will be under load and will become critical?
> How do we load balance router?

We don't. In currently released jabberd2 router cannot be duplicated.

Support for router mesh is in the works though.
https://github.com/jabberd2/jabberd2/tree/mesh


-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: Re: Hello guys, I encounter a problem, call for help

2014-07-07 Thread Tomasz Sterna
On 2014-07-07, Mon at 12:41 +0800, 304747446 writes:
> the output of ./configure is in the configure.txt

How about
./configure --enable-sqlite

Please attach the generated config.log instead of manually copying the output.



-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: Re: Re: Re: Re: Hello guys, I encounter a problem, call for help

2014-07-01 Thread Tomasz Sterna
On 2014-07-01, Tue at 15:10 +0800, 304747446 writes:
> hello, today I checked the Makefile under the storage directory
> carefully and I find that there is no compile instruction for the
> storage_sqlite.c, I think this is the cause that no storage_sqlite.so
> is built.

Please do:
./configure --enable-sqlite && make clean && make && make install

Dissecting the autotools build like this is not recommended.


-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: Re: Re: Re: Hello guys, I encounter a problem, call for help

2014-06-25 Thread Tomasz Sterna
On 2014-06-25, Wed at 16:06 +0800, 304747446 writes:
> then go to the storage directory and rebuild, but there is also no
> libstorage_sqlite.so file to be generated...

a) it's storage_sqlite.so not libstorage_sqlite.so
b) modules are built in a hidden subdirectory storage/.libs


-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: Roster module with custom MySQL requests

2014-04-01 Thread Tomasz Sterna
On 2014-04-01, Tue at 15:56 +0200, Sylvain Guglielmi writes:
> Is it safe/better/not a good idea to deactivate the active plugin from
> every chain (user_load; user_create; user_delete)?

Its main function is to drop messages to nonexistent users instead of
storing them in the offline message store.
If you remove it, you are potentially vulnerable to a DoS attack filling
your offline storage database with messages for bogus users.


-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: create publish node with idavoll + jabberd2?

2014-02-24 Thread Tomasz Sterna
On 2014-02-22, Sat at 12:50 +0800, charlesw123...@gmail.com writes:
> 2014-02-18 13:38:55+0800 [XmlStream,client] RECV: ?xml
> version='1.0'?stream:stream
> xmlns:stream='http://etherx.jabber.org/streams'
> xmlns='jabber:component:accept' from='pubsub'
> id='nzkwecg6kccx6zuhslvehvtli6blyfumffiurz0c'

Your idavoll component is configured at pubsub domain.


> And then I use my client to issue the following request after login:
> SEND: iq to='test.testdomain.com' type='set' id='...'pubsub
> xmlns='http://jabber.org/protocol/pubsub'create
> node='tnode'//pubsub/iq

So you need to send your queries to the pubsub domain, not to the
server's 'test.testdomain.com' domain.


-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





jabberd-2.3.2 release

2014-02-24 Thread Tomasz Sterna

Next jabberd2 release is available.

Get 2.3.2 release at GitHub: https://github.com/jabberd2/jabberd2/releases


This is a minor bugfix release with a few new features added.


Changes:
  * Removed unmaintained CyrusSASL backend
  * Option to add realm to username in ldapvcard module
  * systemd unit files

For a full change log see: 
https://github.com/jabberd2/jabberd2/commits/jabberd-2.3.2



-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: create publish node with idavoll + jabberd2?

2014-02-24 Thread Tomasz Sterna
On 2014-02-24, Mon at 17:03 +0800, li wang writes:
> Thanks greatly, do you mean I should use: pubsub.testdomain.com as
> the domain name? Do I have to configure my nameserver to direct it?

You can use whatever name you want as long as it stays inside your
server.
You have to make it resolvable to your s2s address if you want it to be
reachable from other servers.



-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: systemd unit files

2014-02-17 Thread Tomasz Sterna
On 2014-02-14, Fri at 14:23 +0100, Adrian Reber writes:
> I have a simple patch which includes the systemd unit files from the
> fedora package into jabberd2 at:

Thanks.
Merged in 49d48df0f6b6b1d35cf96930644f03b6db66e0d4


-- 
Tomasz Sterna:(){ :|:};:
Instant Messaging ConsultantOpen Source Developer 
http://abadcafe.pl/   http://www.xiaoka.com/portfolio





Re: Ldapvcard + roster

2014-02-14 Thread Tomasz Sterna
On 2014-02-13, Thu at 17:14 +0100, Oriol Mula-Valls writes:
> Which solution is better from your point of view? My knowledge of the
> xmpp standard is little. I can try to make the patches and test them
> on our infrastructure.

This does not really have anything to do with the XMPP standard.
For XMPP, user authentication is opaque and abstracted to SASL.

It's the job of the SASL backend (in this case based on LDAP) to verify user
credentials, and once SASL says you are the JID you claim to be,
you are in.

Having said that, I will mention that I have not much experience with
LDAP, and the one I have is rusty.
Thus I still have your proposed patch pending review, as on a first
brief look through I couldn't decide its validity.

Please do work on LDAP backend in whatever way pleases you.
If you keep backward compatibility, I will gladly accept patches adding
new functionality. (Preferably via GitHub pull request.)

Also please do discuss your concerns on this mailing list, as others may
have viable experience; but addressing these to me personally may
discourage others from joining the discussion. ;-)

P.S. I need to mention, that I would be rapturous if someone would
finally merge both LDAP backends to one.


-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: Roster publish

2014-02-11 Thread Tomasz Sterna
On 2014-02-10, Mon at 18:00 +0100, Oriol Mula-Valls writes:
> After setting it to 0 I expect the user to disappear from the clients.
> I have tried to relogin to the jabberd2 server but even after that the
> contact still appears.

Did you enable <force-create-contacts/>?
If so, it will add contacts to the user's normal roster and they will need
manual deletion.

Also if user edits the contacts details, it will be stored in normal
roster.


-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: s2s throws coredump with new version of udns-0.3

2014-01-20 Thread Tomasz Sterna
On 2014-01-20, Mon at 12:02 +0100, Marcin Mirosław writes:
> warning: Could not load shared library symbols for linux-vdso.so.1.
> Do you need set solib-search-path or set sysroot?

This suggests problems with your local library installation.
Check 'ldd' on libudns.so, i.e.:

$ ldd /usr/lib64/libudns.so.0
linux-vdso.so.1 =>  (0x7fffcf8b6000)
libc.so.6 => /lib64/libc.so.6 (0x7f59ae59b000)
/lib64/ld-linux-x86-64.so.2 (0x003cde60)






Re: How to configure cipher suites and protocols

2014-01-13 Thread Tomasz Sterna
Dnia 2014-01-13, pon o godzinie 13:29 +0100, MacLemon pisze:
> I want to disable SSLv3 in favour of TLSv1 only. (Apple jabberd2 is
> linked against a pre-historic OpenSSL 0.9.8 so it doesn't support TLS
> 1.2.) I also want to get rid of weak ciphers and try to enable forward
> secrecy handshake namely DHE.

It's not possible in 2.2.
You need at least 2.3.0 for this.





Re: Roster module with custom MySQL requests

2014-01-10 Thread Tomasz Sterna
Dnia 2014-01-10, pią o godzinie 13:54 +0100, Sylvain Guglielmi pisze:
> My question : Should I add a timetick chain to the SM (called every
> second for example), and add my module to this chain (with a rate_t
> check) ? I'm not thrilled by this solution, because for now, I haven't
> changed any code from jabberd2 except from the new module, which makes
> it easier to test or get in production. Is there another, better way ?

You could have a separate cron component pinging 'sm' at regular
intervals with a special route packet, and handle this special packet in
the 'in-router' chain of your module.

With that in place, it could even be done not at regular intervals, but
on demand, when your component gets triggered by the web frontend.





Re: push notification system (pns)

2014-01-09 Thread Tomasz Sterna
Dnia 2014-01-09, czw o godzinie 09:07 +0530, Kumar Deepak pisze:

> I was thinking to integrate push notification system to inform about
> incoming messages for xmpp clients. Clearly, the case comes when
> clients become unavailable on mobile client.

I don't quite clearly understand what you need.

IIRC you would like a method to notify a disconnected client that there
are pending offline messages waiting and it needs to connect to get
these; am I right?



-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: push notification system (pns)

2014-01-09 Thread Tomasz Sterna
Dnia 2014-01-09, czw o godzinie 22:00 +0530, Kumar Deepak pisze:

> 1. User A is running xmpp client at his iPHONE
> 2. User B is running xmpp client at his desktop
> 3. User B sends message to A, but A's xmpp client is either not
> running or running in background.

At pt.1 you stated that A's xmpp client is running, so this condition
contradicts pt.1

> 4. Server stores the message for later delivery.

This would happen if A's client is not connected. So I guess that
'running' does not necessarily mean 'connected'.

> 5. Server informs A by sending a message using apple push notification
> infrastructure.
> 6. User A accepts the push and A's xmpp client connects to server and
> server delivery the message to A.

Ok. 'Running' definitely does not mean 'connected'.


Your goal would be best accomplished by hooking into the offline storage
module, or using a completely custom offline storage module, that sends a
notification every time it stores a message offline for later delivery.





Re: Roster module with custom MySQL requests

2014-01-08 Thread Tomasz Sterna
Dnia 2014-01-08, śro o godzinie 03:02 +0100, Sylvain Gugli Guglielmi
pisze:
> I can have something like UPDATE `roster-items` SET
> `object-sequence`=`object-sequence`+1 but this breaks uniqueness in the
> table.

I come from PostgreSQL, so explicitly handled sequences are natural to
me:
UPDATE roster-items SET object-sequence = nextval('object-sequence')

> I haven't found any easy ways to do something similar with
> LAST_INSERT_ID() or AUTO_INCREMENT in MySQL, hence my question.

StackOverflow [1] suggests a convoluted solution:
SELECT Auto_increment FROM information_schema.tables WHERE 
table_name='the_table_you_want';

Not pretty.

I think you should be fine with manual increment or
MAX(`object-sequence`)+1


> Just to check : you're talking about the pools in pool.h.

Yes.

> Maybe at one point it'll be better to use pools for roster items too (item,
> item-name, item-groups and its content). I've not yet profiled anything, but this
> may be a way to improve speed when loading user data for packet delivery
> (without having to code 2 load-user events).

I will gladly accept code submission if you decide to do it. :-)



[1] 
http://stackoverflow.com/questions/12271235/mysql-query-next-sequence-number-for-mysql-auto-incremented-field

-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: jabberd2 and mandatory TLS

2014-01-07 Thread Tomasz Sterna
Dnia 2014-01-07, wto o godzinie 02:13 +0100, Marco Cirillo pisze:
> Metronome closes the stream with an unsupported-version stream error
> the fact jabberd2 attempts to re-establish a stream is simply wrong.

This is a bug for sure.
There is a mechanism to mark dead servers, that should be triggered by
this error.
I created a bug: https://github.com/jabberd2/jabberd2/issues/51


> Note: jabberd2 doesn't append neither to and from or a version
> attribute on the stream header, which I suppose is the pre-1.0
> behaviour / old rfc behaviour.

Yes. jabberd2 is pretty aged software.


-- 
Tomasz Sterna  :(){ :|:};:
Instant Messaging Consultant    Open Source Developer
http://abadcafe.pl/   http://www.xiaoka.com/portfolio





Re: Roster module with custom MySQL requests

2014-01-07 Thread Tomasz Sterna
Dnia 2014-01-07, wto o godzinie 02:14 +0100, Sylvain Gugli Guglielmi
pisze:
> As I understand it, the
> object-sequence don't need to be an UNIQUE field. Am I right on
> that ?

object-sequence is used mainly for sorting - to keep stanza ordering,
etc.
There is no enforcement of uniqueness, but in cases when you do care about
ordering, these should be unique.
In roster table you should be fine with just incrementing ver.
BTW, you could just write your UPDATE queries setting ver with next
sequence number for the table. It will save you incrementing in code and
keep it in line with how the original module does things.


> Well, I have broken that clean separation early on. For example I
> needed [...]

Sure. In case of code tied to concrete SQL it's understandable.
I was expressing my concern on changing the generic roster module which
may store data in many formats.

> Also, with many more requests, I fear the jabberd2 load will be more
> important when I switch our prod to this plugin, and the load is
> already noticeable (15% daily peak of our server)...

My bet is that loading user data for packet delivery causes that.
There is an old item on Rob's TODO list, to have two load-user events -
one when the user logs in, and another used for delivery, which loads only
the necessary user data. But it is still TODO ;-)


> in my experience mallocs and frees can be long, so I try to minimize
> these calls as a rule. I assumed the same goes for MySQL requests).

One of the reasons we have memory pools in jabberd2.


-- 
Tomasz Sterna  :(){ :|:};:
Instant Messaging Consultant    Open Source Developer
http://abadcafe.pl/   http://www.xiaoka.com/portfolio





Re: jabberd2 and mandatory TLS

2014-01-06 Thread Tomasz Sterna
Dnia 2014-01-06, pon o godzinie 14:14 -0700, Peter Saint-Andre pisze:
> And beside this had some not so nice encounters with very buggy
> jabberd2 servers which started to loop attempting to re-establish a
> connection (very fast beside) when the server closed down their
> streams.

How do you close the stream in that case?

If the connection is just being dropped, with unknown reason, it seems
reasonable to reestablish it immediately if there are still packets to
be sent to this server.
Users want their messages to be sent ASAP. It's _instant_ messaging
after all. ;-)


-- 
Tomasz Sterna  :(){ :|:};:
Instant Messaging Consultant    Open Source Developer
http://abadcafe.pl/   http://www.xiaoka.com/portfolio





Re: Cannot connect with android clients xabber or yaxim to jabberd2

2014-01-06 Thread Tomasz Sterna
Dnia 2014-01-06, pon o godzinie 22:06 +0100, Fabian Wenk pisze:
> @Tomasz, could this be a bug or change from in jabberd 2.2.17
> to 2.3.1?

In 2.3.0 GnuSASL >=1.1 dependency was introduced. So could there be an
incompatibility between your client and new GnuSASL?
Also since 2.3.0 CyrusSASL backend is broken. Although it is disabled by
default, there are still people using it. Are you using CyrusSASL
backend?

In 2.3.1 --enable-superseded and --enable-experimental defaults were
changed. So if you rely on superseded and/or experimental features, you
need to enable them explicitly.


-- 
Tomasz Sterna  :(){ :|:};:
Instant Messaging Consultant    Open Source Developer
http://abadcafe.pl/   http://www.xiaoka.com/portfolio





Re: Roster module with custom MySQL requests

2014-01-06 Thread Tomasz Sterna
Dnia 2014-01-06, pon o godzinie 18:07 +0100, Sylvain Guglielmi pisze:
> Hello everyone,
>
> To use jabberd2 with my pre-existing contacts database, I started
> writing a roster module with customisable MySQL requests (I mailed this
> list a while back about it, but I just started actual work). It uses
> prepared statements, and config file looks like :

This is really interesting. :-D
It could really accelerate XMPP as the next social media protocol. :-)

Could you consider using libdbi instead of hardwiring to MySQL?
This would make your implementation more reusable.


> - In order to make simpler custom databases, I wanted to remove the
> pkt->type == pkt_S10N_UN / item->ask == 2 mechanism. According to a
> comment there is no ask='unsubscribe' in RFC bis anymore . Would
> anyone advise against it ?

How would that make schema simpler?
You still need to store ask='subscribe', don't you?


> - something that seems weird to me : I was expecting item->ver to be
> incremented each time the item is updated (for example in
> _roster_save_item),
> but couldn't find such code. Is there something I don't grasp ?

Ahhh... Yes... There's a little trick I used there. ;-)

ver is coming from auto-incrementing field object-sequence.
As storage never issues UPDATE but always DELETE first then INSERT,
every updated roster item automagically gets new ver value.


> [...] I thought it would be good to do the same
> thing in the regular roster, but I couldn't find a way to remove a
> specific os_object_t. Is there a way to do that ?

storage_delete() with proper filter.


> Anyway here's what the code could look like, with TODOs :

The clean separation between stanza parsing to roster-item and
roster-group structures which are then stored to DB, and in reverse
makes the code more comprehensible.

I doubt that trading readability for efficiency is worth it in the case of
today's microprocessor speeds and RAM availability.

Also, does your use-case cover users in many-many groups?
My experience shows that most users are in 0 groups, some in 1 group and
very few in 2+ groups. There's not many INSERTs to gain there.

Remember: Premature optimization is the root of all evil.

I would rather suggest adding a 'dirty' flag, raised whenever group
membership actually changes. This would still keep the separation,
allowing for bulk drops of unneeded DELETE/INSERTs.


-- 
Tomasz Sterna  :(){ :|:};:
Instant Messaging Consultant    Open Source Developer
http://abadcafe.pl/   http://www.xiaoka.com/portfolio
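
Worked example of the sequence trick discussed in this thread (the DELETE-then-INSERT write that makes an AUTOINCREMENT object-sequence hand out a fresh ver, and the MAX(object-sequence)+1 alternative for an UPDATE-in-place custom module). This is an added illustration, not jabberd2 code: it uses an in-memory SQLite database, and the `roster-items` schema below is a constructed, cut-down stand-in for the real one (assumption: the real tables have more columns and differ per backend).

```python
import sqlite3

# Constructed, simplified stand-in for jabberd2's `roster-items` table
# (assumption: the real schema has more columns and varies per backend);
# only the object-sequence / ver behaviour from the thread is modelled.
SCHEMA = '''
CREATE TABLE "roster-items" (
    "object-sequence"  INTEGER PRIMARY KEY AUTOINCREMENT,
    "collection-owner" TEXT NOT NULL,
    "jid"              TEXT NOT NULL,
    "name"             TEXT,
    "to"               INTEGER NOT NULL DEFAULT 0,
    "from"             INTEGER NOT NULL DEFAULT 0,
    "ask"              INTEGER NOT NULL DEFAULT 0
);
'''

SELECT_SEQ = ('SELECT "object-sequence" FROM "roster-items" '
              'WHERE "collection-owner"=? AND "jid"=?')
INSERT_ITEM = ('INSERT INTO "roster-items" ("collection-owner", "jid", "name") '
               'VALUES (?, ?, ?)')


def open_db():
    """In-memory SQLite database carrying the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def save_item_delete_insert(conn, owner, jid, name):
    """The trick the stock storage relies on: never UPDATE, always DELETE then
    INSERT.  Because object-sequence is AUTOINCREMENT, the re-inserted row gets
    a fresh, strictly larger sequence number, and that number is the item's ver."""
    cur = conn.cursor()
    cur.execute('DELETE FROM "roster-items" WHERE "collection-owner"=? AND "jid"=?',
                (owner, jid))
    cur.execute(INSERT_ITEM, (owner, jid, name))
    conn.commit()
    return cur.lastrowid          # the new object-sequence, i.e. the new ver


def save_item_update_max(conn, owner, jid, name):
    """UPDATE-in-place variant for a custom module: set the sequence to MAX+1
    inside the same statement, so the row still gets a new ver without a
    DELETE/INSERT pair.  MAX+1 is only safe when writers are serialised; the
    BEGIN IMMEDIATE takes the write lock before MAX is read, otherwise two
    concurrent writers could pick the same number and break ordering."""
    cur = conn.cursor()
    cur.execute('BEGIN IMMEDIATE')
    cur.execute('UPDATE "roster-items" SET "name"=?, '
                '"object-sequence"=(SELECT MAX("object-sequence")+1 FROM "roster-items") '
                'WHERE "collection-owner"=? AND "jid"=?', (name, owner, jid))
    if cur.rowcount == 0:
        # No such item yet: a plain INSERT, AUTOINCREMENT assigns the ver.
        cur.execute(INSERT_ITEM, (owner, jid, name))
        conn.commit()
        return cur.lastrowid
    conn.commit()
    cur.execute(SELECT_SEQ, (owner, jid))
    return cur.fetchone()[0]


def roster_ver(conn, owner):
    """Roster-wide version: the highest sequence among the owner's items, which
    rises whenever any of them is rewritten (0 for an empty roster)."""
    row = conn.execute('SELECT COALESCE(MAX("object-sequence"), 0) '
                       'FROM "roster-items" WHERE "collection-owner"=?',
                       (owner,)).fetchone()
    return row[0]


if __name__ == "__main__":
    db = open_db()
    first = save_item_delete_insert(db, "alice@example.org", "bob@example.org", "Bob")
    second = save_item_delete_insert(db, "alice@example.org", "bob@example.org", "Bobby")
    third = save_item_update_max(db, "alice@example.org", "bob@example.org", "Robert")
    print(first, second, third, roster_ver(db, "alice@example.org"))
```

SQLite's AUTOINCREMENT keeps the high-water mark in `sqlite_sequence` and also looks at the largest rowid present, so a later INSERT still lands above a sequence number that the MAX+1 UPDATE moved upward; on MySQL the same idea needs the sequence read and the UPDATE wrapped in one transaction, exactly the uniqueness caveat raised in the thread.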





Re: jabberd2 and mandatory TLS

2014-01-06 Thread Tomasz Sterna
Dnia 2014-01-06, pon o godzinie 16:43 -0700, Peter Saint-Andre pisze:
> I don't have details on what Marco reported. We might want to do more
> testing. Is there a good deployed jabberd2 instance we can test
> against?

My server 'chrome.pl' is always running most recent version of jabberd2.
(Sometimes even unreleased one ;-)


-- 
Tomasz Sterna  :(){ :|:};:
Instant Messaging Consultant    Open Source Developer
http://abadcafe.pl/   http://www.xiaoka.com/portfolio




Re: s2s: timed out dns lookups

2013-12-28 Thread Tomasz Sterna
Dnia 2013-12-28, sob o godzinie 09:10 +0100, Eric Koldeweij pisze:
> My suspicion is that there is a problem with a name server you are
> using. if you look at the file /etc/resolv.conf you will see one or
> more lines saying nameserver ip_addr. The resolver will ask each
> name server in turn to resolve the host name for it,

I second that. This is what immediately came to my mind as a probable
answer to your issue.

dig command works independently of stub resolver in your system and is
more of a DNS servers test tool, not your system setup test tool.

Take a look at each 'nameserver' line in /etc/resolv.conf and
check each server, first pinging it, then asking it directly:

host -t SRV _xmpp-server._tcp.jabber.org. dns.server.ip.123


BTW: for best performance it's recommended to run a caching full
resolver on the same machine as your server and configure
nameserver 127.0.0.1 line in /etc/resolv.conf


-- 
Tomasz Sterna  :(){ :|:};:
Instant Messaging Consultant    Open Source Developer
http://abadcafe.pl/   http://www.xiaoka.com/portfolio
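
Added helper for the check described above (illustration only, not part of jabberd2): it parses a resolv.conf, lists the resolvers the stub resolver will actually consult, reports whether the recommended local caching resolver (127.0.0.1) is configured, and builds the per-server ping plus direct SRV query commands from the post. The resolv.conf content is constructed for the example.

```python
# Constructed sample resolv.conf for the example (not from any real host).
SAMPLE_RESOLV_CONF = """\
# Generated by the example, not by NetworkManager
search example.org
nameserver 192.0.2.53
nameserver 2001:db8::53   # IPv6 resolver
options timeout:2 attempts:2
nameserver 198.51.100.53
nameserver 203.0.113.53   ; fourth entry, ignored by glibc
"""

# glibc's stub resolver only uses the first three nameserver lines (MAXNS);
# anything after that is silently ignored, a common surprise when debugging.
GLIBC_MAXNS = 3


def parse_nameservers(text):
    """Return nameserver addresses in resolv.conf order, comments stripped."""
    servers = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == 'nameserver' and len(fields) > 1:
            servers.append(fields[1])
    return servers


def effective_nameservers(servers):
    """The resolvers glibc will actually try, in order."""
    return servers[:GLIBC_MAXNS]


def has_local_caching_resolver(servers):
    """True when resolv.conf points at a resolver on the same machine."""
    return any(ns in ('127.0.0.1', '::1') for ns in servers)


def xmpp_srv_check_commands(servers, domain, kind='server'):
    """Per-server checks from the post: ping first, then ask that server
    directly for the XMPP SRV record, so a dead or slow resolver shows up
    on its own rather than as a generic s2s lookup timeout."""
    name = '_xmpp-%s._tcp.%s.' % (kind, domain.rstrip('.'))
    return [('ping -c 1 %s' % ns, 'host -t SRV %s %s' % (name, ns))
            for ns in effective_nameservers(servers)]


if __name__ == "__main__":
    servers = parse_nameservers(SAMPLE_RESOLV_CONF)
    print("configured:", servers)
    print("effective :", effective_nameservers(servers))
    print("local caching resolver:", has_local_caching_resolver(servers))
    for ping_cmd, host_cmd in xmpp_srv_check_commands(servers, 'jabber.org'):
        print(ping_cmd)
        print(host_cmd)
```

Run it against the real file with `parse_nameservers(open('/etc/resolv.conf').read())`; a resolver that answers `host` but is absent from the effective list, or a fourth entry that never gets asked, explains the "dig works but s2s times out" symptom.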





Re: sm bug: mysql: sql insert failed: Out of range value for column 'ask' at row 1

2013-12-09 Thread Tomasz Sterna
Dnia 2013-12-07, sob o godzinie 17:00 -0700, Justin T Pryzby pisze:
> Sat Dec  7 16:54:36 2013 storage_mysql.c:239 prepared sql: INSERT INTO
> `roster-items` ( `collection-owner`, `ask`, `from`, `to`, `name`,
> `jid` ) VALUES ( 'x...@norchemlab.com', '139899969732608', '1', '1', 'R',
> 'y...@norchemlab.com' )
> Sat Dec  7 16:19:09 2013 [error] mysql: sql insert failed: Out of
> range value for column 'ask' at row 1

Looks very similar to https://github.com/jabberd2/jabberd2/issues/48





jabberd-2.3.1 release

2013-11-28 Thread Tomasz Sterna

Next jabberd2 release is available.

Get 2.3.1 release at GitHub: https://github.com/jabberd2/jabberd2/releases


This release deals with TLS Everywhere problems introduced in 2.3.0.
This feature was moved under EXPERIMENTAL umbrella.
If you want to enable it, you now need to ./configure --enable-experimental


Changes:
  * Marked TLS-Everywhere as EXPERIMENTAL feature
  * default EXPERIMENTAL to 'no'
  * default SUPERSEDED to 'no'
  * moved STANZA-ACK and MY-IP-ADDRESS XEPs and IQ-PRIVATE push out
of experimental status

For a full change log see: 
https://github.com/jabberd2/jabberd2/commits/jabberd-2.3.1






-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: jabberd-2.3.0 release

2013-11-26 Thread Tomasz Sterna
Dnia 2013-11-26, wto o godzinie 07:40 +0100, Christof Meerwald pisze:
> I tried upgrading from 2.2.17 to 2.3.0 yesterday, but that left me
> with a broken server. The s2s component now just connects to a remote
> server, switches the stream to TLS, gets the certificate, disconnects
> and immediately connects again.

I guess the network is not that ready for 'TLS Everywhere' [1] yet.

Maybe it is worth releasing 2.2.18 without that change.


[1] https://github.com/jabberd2/jabberd2/commit/ad9ead7816

-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: XMPP connections

2013-11-26 Thread Tomasz Sterna
Dnia 2013-11-26, wto o godzinie 01:41 -0900, Haider Ali pisze:
> Since we know that we can only open 2 ^ 16 = 65536 ports ( connections
> ) with a single machine.

That's a common myth.

Google is your friend:
http://www.quora.com/TCP-IP/What-is-the-maximum-number-of-simultaneous-TCP-connections-achieved-to-one-IP-address-and-port

The TCP/IP standard sets up unique connection identifiers as the tuple
of local IP Address, local TCP port number, remote IP address, and
remote TCP port number. In your example, the local numbers are both
fixed, which leaves approximately 2^32 remote IP (version 4) addresses,
and 2^16 TCP port numbers, or an approximate total potential
simultaneous TCP connections of 281,474,976,710,656 (2^48, or 2.81 *
10^14, or 281 trillion).






jabberd-2.3.0 release

2013-11-18 Thread Tomasz Sterna

Next jabberd2 release is finally available.

Get 2.3.0 release at GitHub: https://github.com/jabberd2/jabberd2/releases


This release packs many new features and load of bugfixes.
Also introducing Semantic Versioning scheme
and TLS Everywhere recommendation.

Many, many thanks to all contributors. :-)


Changes:
  * Renamed non-standard UPGRADE file overwriting outdated NEWS file
  * Semantic Versioning: http://semver.org/ 
  * TLS Everywhere: https://github.com/stpeter/manifesto 
  * Required GSASL >=1.1
  * jabberd should compile without warnings
  * out-of-source builds should work
  * pgsql: authreg password_type support
  * pgsql: schema support
  * ldapvcard: groupattr works even if no groupattr_regex defined
  * ldapfull: checks for ldap group membership on login
  * vCard: Assume tel phone is voice phone
  * MySQL: default password hashing algorithm changed to SHA512
  * out-conn-reuse s2s.xml option naming unified
  * XML parse error will log buffer details
  * CRAM-MD5 auth support
  * router private key cachain and password support
  * hashed passwords support in SQLite3 storage

For a full change log see: 
https://github.com/jabberd2/jabberd2/commits/jabberd-2.3.0





-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: jabberd2 encryption HOWTO

2013-11-05 Thread Tomasz Sterna
Dnia 2013-11-04, pon o godzinie 14:41 -0800, Peter Saint-Andre pisze:
> Would someone in the jabberd2 community consider writing a brief howto
> about configuring jabberd2 so that it allows only encrypted
> connections?

Our separate documentation tends to rot, so the only authoritative (and
actively maintained) source is the comments in the configuration files
themselves. :-)

https://github.com/jabberd2/jabberd2/blob/master/etc/s2s.xml.dist.in#L300


-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: [PATCH] Implement hashed passwords for SQLite3 storage

2013-11-02 Thread Tomasz Sterna
Dnia 2013-10-31, czw o godzinie 16:44 -0200, Sergio Durigan Junior
pisze:
> I'll set up a git repo and publish here, so if anyone is interested
> it'll be possible to follow the development.

The easiest would be to make a GitHub fork to be able to create
GitHub pull requests.


-- 
Tomasz Sterna  :(){ :|:};:
Instant Messaging Consultant    Open Source Developer
http://abadcafe.pl/   http://www.xiaoka.com/portfolio





Re: [PATCH] Implement hashed passwords for SQLite3 storage

2013-10-31 Thread Tomasz Sterna
Dnia 2013-10-30, śro o godzinie 16:36 -0200, Sergio Durigan Junior
pisze:
> Wow, that was fast!  Thanks a lot :-).

Thank _you_. :-)


> Eventually, I intend to start working on the libdbi integration (see
> https://github.com/jabberd2/jabberd2/issues/28).  Is anyone else
> working on this?  Maybe we could join efforts :-).

No one that I know of.
It should be fairly easy to do based on one of the existing backends.


-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: [PATCH] Implement hashed passwords for SQLite3 storage

2013-10-30 Thread Tomasz Sterna
Dnia 2013-10-30, śro o godzinie 03:37 -0200, Sergio Durigan Junior
pisze:
> The patch is indeed a copy-and-paste of the code which adds this
> security in other backends.  I also made a little cleanup in the
> check_password function of the SQLite3 backend (obvious).  I tested
> the patch by creating several users and logging into the server with
> them afterwards.  Everything succeeded.

Thanks. :-)

Merged: 
https://github.com/jabberd2/jabberd2/commit/3e207cfc08efdafe9a9e75dc580dd9c5bfe59554



-- 
Tomasz Sterna @ http://abadcafe.pl/ @ http://www.xiaoka.com/





Re: sm/router: XML parser error

2013-10-30 Thread Tomasz Sterna
Dnia 2013-10-30, śro o godzinie 10:28 -0700, Justin T Pryzby pisze:
> Thanks, I got a debug log by specifying a debug path in router.xml,
> but it doesn't say XML parser error; am I missing something from
> stderr that doesn't make it to the logfile?

This is logged in the normal, not debug log.
Check the standard log to see when that happens and send me a few screens of
debug log from before it happened.
It should help me debug and fix your issue.





Re: sm/router: XML parser error

2013-10-27 Thread Tomasz Sterna
Dnia 2013-10-25, pią o godzinie 14:17 -0700, Justin T Pryzby pisze:
> router:
> Fri Oct 25 11:45:48 2013 [notice] error from router: XML parse error
> (junk after document element)
> That could be related to bad data in AD, but I don't believe any users
> were changed by anyone but myself, and don't see anything wrong.

Here's what I do, to debug such obscure issues:

1. rebuild jabberd with --enable-debug
2. hang router and sm on screen with -D enabled
3. wait for a crash

Usually there is an offending stanza visible right after I reattach to
the screen of crashed process.

I've caught several parser/serializer bugs using this method. 


-- 
Tomasz Sterna  :(){ :|:};:
Instant Messaging Consultant    Open Source Developer
http://abadcafe.pl/   http://www.xiaoka.com/portfolio




