| Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
|
|
Don't accept loopback addresses as TURN peers by default. This makes
sure the TURN service won't allow remote clients to access local UDP
services.
However, this will break the case where the 'turn_ipv4_address' was set
to 127.0.0.1 as fallback and TURN worked "by accident" if both clients
were using the same TURN service. The service then talked to itself on
the loopback interface.
|
|
The 'stun' application now rejects Teredo and 6to4 TURN peers
unconditionally. Therefore, remove those networks from the default
'turn_blacklist'.
|
|
Don't overwrite the Logger filter added by the 'stun' application (which
appends metadata to STUN/TURN log messages).
Closes processone/stun#31.
|
|
Update 'stun' dependency, and drop the info/debug messages now logged by
the 'stun' application if OTP's new logging API is used.
|
|
The 'turn_ipv4_address' and 'turn_ipv6_address' option names are
probably more intuitive.
|
|
The new 'turn_blacklist' listener option allows for specifying one or
more IP addresses and/or subnet addresses/masks. The TURN server will
refuse to relay traffic from/to blacklisted IP addresses. By default,
Teredo and 6to4 addresses are blacklisted, as mandated by RFC 6156
(section 9.1).
|
|
Also announce local STUN/TURN services listening on IPv6 sockets (unless
the 'offer_local_services' option is set to 'false').
|
|
The stun application now supports RFC 6156: TURN Extension for IPv6, and
therefore needs separate IPv4 and IPv6 relay addresses.
|
|
The stun application now allows IPv6 clients to perform STUN requests
and to allocate TURN relays.
|
|
These days, STUN/TURN authentication can be performed with ephemeral
credentials, where the REALM is irrelevant. Therefore, just log an
[info] message rather than a [warning] in the case where no
authentication REALM is configured but multiple virtual domains exist.
|
|
The 'turn_ip' option validator doesn't accept an inet:ip4_address()
tuple.
While at it, change the logic to only perform the fallback address
lookup if no 'turn_ip' is configured (analogous to the fallback
mechanism for the case where the 'auth_realm' is undefined).
|
|
Don't crash when STUN/TURN authentication is performed against a
SCRAM-hashed password.
|
|
Add a hook that allows modules to offer a password for STUN/TURN
authentication.
|
|
Try to resolve the local hostname, use the result as the default
'turn_ip', and only log a warning if that fails. Using the local
hostname's address by default is analogous to mod_proxy65's behavior.
|
|
|
|
|
|
|
|
This will prevent conflicts in callback names in mod_mqtt
Old callback function is still supported.
|
|
|
|
Fixes #2621
|
|
|
|
|
|
|
|
|
|
The header consisted of too many unrelated stuff and macros misuse.
Some stuff is moved into scram.hrl and type_compat.hrl.
All macros have been replaced with the corresponding function calls.
TODO: probably type_compat.hrl is not even needed anymore since
we support only Erlang >= OTP 17.5
|
|
|
|
The options "inet", "inet6" and "backlog" are valid listen options, but are
currently logged as errors (even though they do work):
2018-02-28 16:08:44.141 [error] <0.338.0>@ejabberd_listener:validate_module_option:630 unknown listen option 'backlog' for 'ejabberd_c2s' will be likely ignored, available options are: access, shaper, certfile, ciphers, dhfile, cafile, client_cafile, protocol_options, tls, tls_compression, starttls, starttls_required, tls_verify, zlib, max_fsm_queue
This adds the necessary validators so they are correctly recognized.
|
|
|
|
This commit also deprecates `certfile` option for ejabberd_http
listener.
|
|
|
|
STUN/TURN and SIP is not compiled by default anymore.
Use --enable-stun, --enable-sip or --enable-all to enable them.
|
|
The major goal is to simplify certificate management in ejabberd.
Currently it requires some effort from a user to configure certficates,
especially in the situation where a lot of virtual domains are hosted.
The task is splitted in several sub-tasks:
* Implement basic certificate validator. The validator should check all
configured certificates for existence, validity, duration and so on. The
validator should not perform any actions in the case of errors except
logging an error message. This is actually implemented by this commit.
* All certificates should be configured inside a single section (something
like 'certfiles') where ejabberd should parse them, check the full-chain,
find the corresponding private keys and, if needed, resort chains and
split the certficates into separate files for easy to use by fast_tls.
* Options like 'domain_certfile', 'c2s_certfile' or 's2s_certfile' should
probably be deprecated, since the process of matching certificates with the
corresponding virtual hosts should be done automatically and these options
only introduce configuration errors without any meaningful purpose.
|
|
|
|
|
|
The changes are very similar to those from previous commit:
* Now there is no need to pass validating function in
gen_mod:get_opt() and gen_mod:get_module_opt() functions,
because the modules' configuration keeps already validated values.
* New functions gen_mod:get_opt/2 and gen_mod:get_module_opt/3 are
introduced.
* Functions gen_mod:get_opt/4 and get_module_opt/5 are deprecated.
If the functions are still called, the "function" argument is
simply ignored.
* Validating callback Mod:listen_opt_type/1 is introduced to validate
listening options at startup.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
