path: root/src/ejabberd_s2s_in.erl

Commit message  [Author, Age, Files, Lines]

* Update copyright dates  [Evgeniy Khramtsov, 2018-01-05, 1 file, -1/+1]

* Get rid of ejabberd receiver  [Evgeniy Khramtsov, 2017-12-26, 1 file, -13/+11]
    ejabberd receivers were meant to serve connections from frontends to backends. However, this approach was not popular and frontend-related code was removed in previous releases. Now, the ejabberd receiver's code was also removed, making the code shorter and cleaner. Also, in stress tests ejabberd now handles load more robustly, without c2s process overload (even with disabled shapers). ejabberd_socket.erl is renamed to xmpp_socket.erl: it's supposed to be finally moved into the stand-alone xmpp library.

* Change loglevel of TLS failures  [Evgeniy Khramtsov, 2017-12-19, 1 file, -2/+2]

* Log warnings for c2s/s2s certfile option  [Evgeniy Khramtsov, 2017-11-03, 1 file, -1/+3]

* Don't let a receiver crash if a controller is unavailable  [Evgeniy Khramtsov, 2017-06-22, 1 file, -1/+4]
    Fixes #1796

* Cosmetic change: Fix indentation errors  [Holger Weiss, 2017-05-24, 1 file, -6/+6]

* Introduce Certificate Manager  [Evgeniy Khramtsov, 2017-05-12, 1 file, -1/+5]
    The major goal is to simplify certificate management in ejabberd. Currently it requires some effort from a user to configure certificates, especially in the situation where a lot of virtual domains are hosted. The task is split into several sub-tasks:
    * Implement a basic certificate validator. The validator should check all configured certificates for existence, validity, duration and so on. The validator should not perform any actions in the case of errors except logging an error message. This is actually implemented by this commit.
    * All certificates should be configured inside a single section (something like 'certfiles') where ejabberd should parse them, check the full chain, find the corresponding private keys and, if needed, resort chains and split the certificates into separate files for easy use by fast_tls.
    * Options like 'domain_certfile', 'c2s_certfile' or 's2s_certfile' should probably be deprecated, since the process of matching certificates with the corresponding virtual hosts should be done automatically and these options only introduce configuration errors without any meaningful purpose.

* Don't call gen_mod:get_opt() outside of modules  [Evgeniy Khramtsov, 2017-05-08, 1 file, -1/+1]

* Add type specs for Module:opt_type/1  [Evgeniy Khramtsov, 2017-05-08, 1 file, -7/+15]

* Don't validate an option in gen_mod:get*opt() functions  [Evgeniy Khramtsov, 2017-04-30, 1 file, -12/+27]
    The changes are very similar to those from the previous commit:
    * Now there is no need to pass a validating function to gen_mod:get_opt() and gen_mod:get_module_opt(), because the modules' configuration already keeps validated values.
    * New functions gen_mod:get_opt/2 and gen_mod:get_module_opt/3 are introduced.
    * Functions gen_mod:get_opt/4 and get_module_opt/5 are deprecated. If the functions are still called, the "function" argument is simply ignored.
    * Validating callback Mod:listen_opt_type/1 is introduced to validate listening options at startup.

* Improve ejabberd_c2s:close()  [Evgeniy Khramtsov, 2017-04-15, 1 file, -1/+4]

* Rename aux.erl as misc.erl  [Christophe Romain, 2017-04-11, 1 file, -2/+2]
    Thanks, Microsoft Windows, for not supporting some filenames.

* Deprecate jlib.erl in favor of aux.erl  [Evgeniy Khramtsov, 2017-03-30, 1 file, -2/+2]
    Since the main goal of jlib.erl is lost, all auxiliary functions are now moved to aux.erl, and the whole jlib.erl is now deprecated.

* Report more TLS errors  [Evgeniy Khramtsov, 2017-03-08, 1 file, -2/+1]

* Report some TLS errors  [Evgeniy Khramtsov, 2017-03-07, 1 file, -2/+12]

* Start/stop virtual hosts when reloading configuration file  [Evgeniy Khramtsov, 2017-02-23, 1 file, -14/+23]

* Change routing API  [Evgeniy Khramtsov, 2017-02-16, 1 file, -1/+1]
    Now 'From' and 'To' arguments must be omitted in functions and structures related to routing. The commit deprecates the following functions:
        ejabberd_router:route/3 in favor of ejabberd_router:route/1
        ejabberd_router:route_error/4 in favor of ejabberd_router:route_error/2
        ejabberd_local:route_iq/4 in favor of ejabberd_local:route_iq/2
        ejabberd_local:route_iq/5 in favor of ejabberd_local:route_iq/3
    The format of {route, From, To, Packet} is changed in favor of {route, Packet}.

* Attach IP metadata to every stanza received from stream  [Evgeniy Khramtsov, 2017-02-14, 1 file, -1/+2]

* Merge branch 'new_stream'  [Evgeniy Khramtsov, 2017-01-20, 1 file, -615/+281]
|\
    Conflicts:
        src/cyrsasl.erl
        src/ejabberd_c2s.erl
        src/ejabberd_cluster.erl
        src/ejabberd_frontend_socket.erl
        src/ejabberd_node_groups.erl
        src/ejabberd_router.erl
        src/mod_bosh.erl
        src/mod_ip_blacklist.erl
        src/mod_muc_mnesia.erl
        src/mod_offline.erl
        src/mod_proxy65_sm.erl

| * Fix some corner cases while re-reading RFC6120  [Evgeniy Khramtsov, 2017-01-13, 1 file, -4/+4]

| * Add 'supervisor' listening option  [Evgeniy Khramtsov, 2017-01-11, 1 file, -2/+7]
    If set to 'true' (this is the default), new processes spawned by ejabberd_listener will be attached to the corresponding supervisor. No such processes will be attached to a supervisor otherwise. Setting this to 'false' will improve performance of highly loaded systems where new C2S/S2S processes are spawned very rapidly.

| * Adopt remaining code to support new hooks  [Evgeniy Khramtsov, 2017-01-09, 1 file, -18/+50]

| * More refactoring on session management  [Evgeniy Khramtsov, 2016-12-30, 1 file, -4/+1]

| * Add xmpp_stream_out behaviour and rewrite s2s/SM code  [Evgeniy Khramtsov, 2016-12-28, 1 file, -621/+253]

* | Update copyright date automatically (#1442)  [Badlop, 2017-01-02, 1 file, -1/+1]
|/

* Improve namespace handling  [Evgeniy Khramtsov, 2016-09-24, 1 file, -16/+2]

* Add tests for s2s code  [Evgeniy Khramtsov, 2016-09-23, 1 file, -37/+64]

* Rename #error{} record to #stanza_error{}  [Evgeniy Khramtsov, 2016-09-08, 1 file, -1/+1]

* Improve some type specs  [Evgeniy Khramtsov, 2016-08-09, 1 file, -19/+12]

* Rewrite S2S and ejabberd_service code to use XML generator  [Evgeniy Khramtsov, 2016-07-27, 1 file, -345/+308]

* Disable TLS compression for s2s by default  [Holger Weiss, 2016-04-11, 1 file, -1/+1]
    TLS compression is not recommended, and it's already disabled by default for c2s connections and for ejabberd_http.

* Switch to Fast XML module  [Mickael Remond, 2016-02-03, 1 file, -22/+22]

* Update copyright to 2016 (#901)  [Badlop, 2016-01-13, 1 file, -1/+1]

* CVE-2016-1232: Add Dialback Key Generation and Validation support (XEP-0185)  [Evgeniy Khramtsov, 2016-01-11, 1 file, -3/+3]

* Move JID related functions to jid.erl (#847)  [Evgeniy Khramtsov, 2015-11-24, 1 file, -13/+13]

* Remove supervisor option, disable it for c2s and muc  [Christophe Romain, 2015-11-04, 1 file, -16/+3]

* cosmetic cleanup  [Christophe Romain, 2015-10-07, 1 file, -38/+0]

* Add s2s_dhfile to list of known options  [Holger Weiss, 2015-06-20, 1 file, -2/+2]

* Add s2s_dhfile option to configuration validator  [Holger Weiss, 2015-06-16, 1 file, -0/+1]

* Merge pull request #581 from weiss/dh-param-file  [Alexey Shchepin, 2015-06-16, 1 file, -2/+7]
|\
    New options: dhfile and s2s_dhfile

| * New options: dhfile and s2s_dhfile  [Holger Weiss, 2015-05-26, 1 file, -2/+7]
    Let admins specify a file that contains custom parameters for Diffie-Hellman key exchange.

* | Add config validation at startup  [Evgeniy Khramtsov, 2015-06-01, 1 file, -2/+31]
|/

* Add compatibility macros for deprecated types (thanks to Alexey)  [Christophe Romain, 2015-02-23, 1 file, -1/+1]

* Update copyright dates to 2015 (EJAB-1733)  [Badlop, 2015-01-08, 1 file, -1/+1]

* Log auth method for incoming s2s connections  [Holger Weiss, 2014-08-05, 1 file, -2/+4]
    Generate an [info] message that logs whether an incoming s2s connection is authenticated using the SASL EXTERNAL mechanism or via Server Dialback. While at it, also mention whether TLS is enabled.

* Merge pull request #185 from weiss/verify-cert-for-s2s-out  [Evgeny Khramtsov, 2014-04-30, 1 file, -167/+6]
|\
    Support certificate verification for outgoing s2s connections

| * Support certificate verification for outgoing s2s  [Holger Weiss, 2014-04-28, 1 file, -167/+6]
    Handle "s2s_use_starttls: required_trusted" the same way for outgoing s2s connections as for incoming connections. That is, check the remote server's certificate (including the host name) and abort the connection if verification fails.

* | Don't mess with s2s out when aborting s2s in  [Holger Weiss, 2014-04-28, 1 file, -7/+0]
    Don't try to look up and close outgoing connections to a given server when aborting incoming connections from that server due to certificate verification errors. The ejabberd_s2s:find_connection/2 call actually created one or more *new* connections if fewer than 'max_s2s_connections' connections were found. Then, no more than one of those possibly new connections was stopped by the ejabberd_s2s_out:stop_connection/1 call. It's not really necessary to bother with outgoing connections at all, here.

* | Send stream trailer before closing s2s connection  [Holger Weiss, 2014-04-27, 1 file, -2/+3]
|/
    When aborting an incoming s2s connection due to certificate verification errors, send a stream trailer before closing the socket.

* Verify host name before offering SASL EXTERNAL  [Holger Weiss, 2014-04-23, 1 file, -66/+74]
    Prior to this commit, ejabberd handled certificate authentication for incoming s2s connections like this:
    1. Verify the certificate without checking the host name. On failure, behave according to 's2s_use_starttls'. On success:
    2. Offer SASL EXTERNAL.
    3. If the remote server chooses SASL EXTERNAL, compare the authorization identity against the certificate host name(s). On failure, abort the connection unconditionally.
    ejabberd now does this instead:
    1. Verify the certificate and compare the certificate host name(s) against the 'from' attribute of the stream header. On failure, behave according to 's2s_use_starttls'. On success:
    2. Offer SASL EXTERNAL.
    3. If the remote server chooses SASL EXTERNAL, ignore the authorization identity (if any) and consider the peer authenticated.
    The old behavior was suggested by previous versions of XEP-0178; the new behavior is suggested by the current version 1.1.