Tigase XMPP Server Board

API and development: RE: Problem with Stream Management

Wed, 04/20/2016 - 08:37

Hello everyone.
We had the same problem with losing messages on Wi-fi disconnect, so we've enabled Stream Management on server (Tigase version 7.0.2) with the following properties:
--sm-plugins = +message-archive-xep-0136,-message-carbons,-amp,+msgoffline,+message
c2s/watchdog_delay[L]=60000
c2s/watchdog_timeout[L]=60000
c2s/max-inactivity-time[L]=60
c2s/processors[s]=urn:xmpp:sm:3
If we understood Andrzej Wójcik correctly, messages sent to fullJid should not be stored in offline database. However, there are 2 rows in tig_pairs table and messages are delivered twice when user becomes online:

<message id="aadea" to="/mobile" xmlns="jabber:client" from="/MWW-212" type="chat">
<body>1</body><active xmlns="http://jabber.org/protocol/chatstates"/><delivery-error xmlns="http://tigase.org/delivery-error"/><delay xmlns="urn:xmpp:delay" stamp="2016-04-20T15:08:07.033Z" from="domain.net">Offline Storage - mww-212.company.com</delay></message>

<message id="aadea" to="" xmlns="jabber:client" from="/MWW-212" type="chat">
<body>1</body><active xmlns="http://jabber.org/protocol/chatstates"/><delay xmlns="urn:xmpp:delay" stamp="2016-04-20T15:08:07.037Z" from="domain.net">Offline Storage - mww-212.company.com</delay></message>

Could you please suggest how we can fix this?

Categories: Tigase Forums

API and development: RE: Privacy Lists: mutual blocking

Wed, 04/20/2016 - 07:01

Checked 7.0.3 and still have this issue

and I found one thing in code, why it works this way

class JabberIqPrivacy, method allow

you have the following code:

    JID jid = packet.getStanzaFrom();
    boolean packetIn = true;
    if ((jid == null) || sessionUserId.equals(jid.getBareJID())) {
        jid = packet.getStanzaTo();
        packetIn = false;
    }

So, for example, User1 has User2 in his privacy list,
then User1 sends a message to User2.
So this message comes to the JabberIqPrivacy.filter method on User1's side

and then the jid variable above becomes packet.getStanzaTo() (User2).
And because a 'User2' record is in User1's list, this message will be removed inside the JabberIqPrivacy.filter method.

That's my investigation

Categories: Tigase Forums
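The direction test quoted in the post above, combined with XEP-0016 item granularity, as an added example (not part of the post and not Tigase source). The class, the string JIDs and the DenyItem type are hypothetical, and it assumes that an item with no child elements applies to every stanza in both directions, while <message/> and <iq/> apply to inbound stanzas only.

```java
import java.util.Arrays;
import java.util.EnumSet;
import java.util.List;

public class PrivacyDirectionDemo {
    // Child elements an XEP-0016 <item/> may carry; an empty set means "no children".
    enum Kind { MESSAGE, IQ, PRESENCE_IN, PRESENCE_OUT }

    // Hypothetical stand-in for one deny rule keyed on a bare JID.
    static final class DenyItem {
        final String jid;
        final EnumSet<Kind> kinds;
        DenyItem(String jid, EnumSet<Kind> kinds) { this.jid = jid; this.kinds = kinds; }
    }

    // Same test as the quoted snippet: a stanza with no sender, or one sent by
    // the list owner, is outbound and is then matched against its recipient.
    static boolean isInbound(String owner, String from) {
        return from != null && !owner.equals(from);
    }

    static boolean allow(String owner, String from, String to, String stanza, List<DenyItem> list) {
        boolean in = isInbound(owner, from);
        String peer = in ? from : to;
        for (DenyItem item : list) {
            if (!item.jid.equals(peer)) continue;
            // Assumption: an item without children covers all stanzas, both directions.
            if (item.kinds.isEmpty()) return false;
            if (stanza.equals("presence")
                    && item.kinds.contains(in ? Kind.PRESENCE_IN : Kind.PRESENCE_OUT)) return false;
            // <message/> and <iq/> are defined for inbound stanzas only.
            if (in && stanza.equals("message") && item.kinds.contains(Kind.MESSAGE)) return false;
            if (in && stanza.equals("iq") && item.kinds.contains(Kind.IQ)) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        String u1 = "user1@example.com", u2 = "user2@example.com"; // constructed JIDs
        List<DenyItem> noChildren = Arrays.asList(new DenyItem(u2, EnumSet.noneOf(Kind.class)));
        List<DenyItem> messageOnly = Arrays.asList(new DenyItem(u2, EnumSet.of(Kind.MESSAGE)));
        // User1 is the list owner. First pair: User1 -> User2; second pair: User2 -> User1.
        System.out.println("outbound, no children: " + allow(u1, u1, u2, "message", noChildren));
        System.out.println("outbound, <message/>:  " + allow(u1, u1, u2, "message", messageOnly));
        System.out.println("inbound,  no children: " + allow(u1, u2, u1, "message", noChildren));
        System.out.println("inbound,  <message/>:  " + allow(u1, u2, u1, "message", messageOnly));
    }
}
```

Comparing the two outbound lines shows whether a list blocks in both directions because of the item's child elements rather than because of the direction test itself.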

API and development: RE: Privacy Lists: mutual blocking

Wed, 04/20/2016 - 01:55

If I remember correctly you are using some custom code? Can you try running this use case against vanilla Tigase first just to rule this out?

Categories: Tigase Forums

API and development: RE: Privacy Lists: mutual blocking

Wed, 04/20/2016 - 01:46

It doesn't work like that on my side
let me check again

Categories: Tigase Forums

API and development: RE: Privacy Lists: mutual blocking

Wed, 04/20/2016 - 01:41

Linked specification applies only to inbound stanzas:

If a blocked entity attempts to send a stanza to the user (i.e., an inbound stanza from the user's perspective), the user's server shall handle the stanza according to the following rules:

And Tigase follows it - if User1 blocks User2 only User2 will receive the error and User1 will still be able to send messages to User2 - the only exception is presence which defines both presence-in and presence-out.

I've just tested it and it works as described.

Categories: Tigase Forums

API and development: Privacy Lists: mutual blocking

Tue, 04/19/2016 - 00:21

Hi there,

I realised that Privacy Lists perform mutual blocking

for example, User1 blocked User2.
now User1 sends a message to User2 and receives an error

I didn't find any information regarding this case http://xmpp.org/extensions/xep-0016.html
There is only information regarding "*Blocked* Entity Attempts to Communicate with User" http://xmpp.org/extensions/xep-0016.html#protocol-error

Did you intentionally add it?

Categories: Tigase Forums

API and development: RE: XEP-0184/receipts with MUC messages.

Sun, 04/17/2016 - 23:10

That's actually the intended functionality. Thank you! :D

Categories: Tigase Forums

Installation and maintenance: RE: BOSH + 0198

Fri, 04/15/2016 - 04:21

This is because there is no support for stream management over a BOSH connection.

A client XMPP connection uses a single TCP connection, same as a WebSocket connection, and it supports Stream Management as there is a single TCP connection which can be detected if it is broken or not.

BOSH however uses many TCP/HTTP connections and if any packet is not delivered to the server then the connection should be closed - every request needs to have a proper rid attribute value. This detection is part of the BOSH protocol. But it is almost impossible to detect if one of the connections was lost and data to the client was not delivered - even for the client. Due to that there is no implementation of Stream Management for BOSH.

Categories: Tigase Forums

Installation and maintenance: RE: Wildcard SSL Cert

Fri, 04/15/2016 - 04:18

You may be right on Psi issue, we can connect with SWIFT xmpp client and it shows cert is valid. We will try to connect with our client and see. Thanks.

Categories: Tigase Forums

Installation and maintenance: BOSH + 0198

Fri, 04/15/2016 - 04:03

Is it relevant to enable stream management and send ack elements over the stream in a BOSH connection? We have a web client using BOSH, but when we send <enabled xmlns='urn:xmpp:sm:3'/> the server returns feature-not-implemented.

Categories: Tigase Forums

Installation and maintenance: RE: Wildcard SSL Cert

Thu, 04/14/2016 - 06:12

bala kumar wrote:

yes #3670, unfortunately jdk.tls.ephemeralDHKeySize is not available in oracle jdk7u79. I am using tigase 7.0.0.

In general we recommend using Java8 (it's required for Tigase 7.1.x).

Have you tried other clients or testing the server against available test tools? It's possible that this is Psi issue.

Categories: Tigase Forums

Installation and maintenance: RE: Wildcard SSL Cert

Thu, 04/14/2016 - 04:51

I managed to get jdk7u85 to address this issue. Thanks.

My PSI client is still showing Invalid Signature issue. Below is my init properties config,

--virt-hosts = dev.mycompany.net
--ssl-def-cert-domain = dev.mycompany.net
--vhost-tls-required = true
basic-conf/virt-hosts-cert-*.mycompany.net = /opt/tigase-7.0.0/certs/mycompany.net.pem

PEM file contains wildcard ssl cert, private key, GlobalSign Organization Validation CA - SHA256 - G2 cert, GlobalSign Root CA - in the same order.

Anything wrong in my configuration? I am connecting to port 5222.

Categories: Tigase Forums

Installation and maintenance: RE: Wildcard SSL Cert

Thu, 04/14/2016 - 04:32

yes #3670, unfortunately jdk.tls.ephemeralDHKeySize is not available in oracle jdk7u79. I am using tigase 7.0.0.

Categories: Tigase Forums

Installation and maintenance: RE: Wildcard SSL Cert

Thu, 04/14/2016 - 01:12

If you're talking about #3670, then it is fixed already.

Categories: Tigase Forums

Installation and maintenance: RE: Wildcard SSL Cert

Thu, 04/14/2016 - 01:07

Which test-tool do you use? We base ours on XMPP Observatory: https://xmpp.net/result.php?domain=tigase.org&type=client

Categories: Tigase Forums

Installation and maintenance: RE: Wildcard SSL Cert

Thu, 04/14/2016 - 00:44

Thanks. --hardened-mode solves the RC4 issue, but the report still shows the server supports insecure Diffie-Hellman (DH) key exchange parameters (Logjam)

Anything I can do about this?

Categories: Tigase Forums

Installation and maintenance: RE: Wildcard SSL Cert

Wed, 04/13/2016 - 02:34

--hardened-mode :

Enabling hardened mode affects handling of security aspects within Tigase. It turns off workarounds for SSL issues, turns off SSLv2 and forces enabling more secure cipher suites. It also forces requirement of StartTLS.
Enabling it requires UnlimitedJCEPolicyJDK installed. We prefer to use OracleJDK as our tests revealed that using OpenJDK in hardened mode may cause issues with some clients on some platforms.

Categories: Tigase Forums
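A way to see what the JVM under Tigase can offer for the three findings discussed in this thread (RC4, forward secrecy, DH parameters), as an added example that is not Tigase's hardened-mode code. The class name and the classification labels are assumptions made here, and it checks only the properties named in the SSL report.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

public class CipherSuiteAudit {
    // Map a JSSE cipher suite name onto the findings of the SSL report.
    static String classify(String suite) {
        if (suite.endsWith("_SCSV")) return "signalling value";
        if (!suite.contains("_WITH_")) return "TLS 1.3 (always ephemeral)";
        String s = suite.replaceFirst("^(TLS|SSL)_", "");
        if (s.contains("_RC4_")) return "RC4";
        if (s.contains("_EXPORT_")) return "export grade";
        if (s.contains("_anon_")) return "anonymous (unauthenticated)";
        if (s.startsWith("ECDHE_")) return "forward secret (ECDHE)";
        // DHE group size is chosen by the JVM, see jdk.tls.ephemeralDHKeySize below.
        if (s.startsWith("DHE_")) return "forward secret (DHE)";
        return "no forward secrecy";
    }

    // Keep only suites with an ephemeral key exchange and none of the flagged properties.
    static String[] harden(String[] suites) {
        List<String> keep = new ArrayList<String>();
        for (String suite : suites) {
            String verdict = classify(suite);
            if (verdict.startsWith("forward secret") || verdict.startsWith("TLS 1.3")) {
                keep.add(suite);
            }
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        String[] supported =
                SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        for (String suite : supported) {
            System.out.printf("%-52s %s%n", suite, classify(suite));
        }
        System.out.println("kept " + harden(supported).length + " of " + supported.length);
        // null means the property is unset and the JVM default DH size applies;
        // the thread notes that Oracle jdk7u79 does not support this property.
        System.out.println("jdk.tls.ephemeralDHKeySize="
                + System.getProperty("jdk.tls.ephemeralDHKeySize"));
    }
}
```

Run it with the same JDK that starts the server; the array returned by harden() is in the form accepted by SSLEngine.setEnabledCipherSuites.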

Installation and maintenance: RE: Wildcard SSL Cert

Wed, 04/13/2016 - 00:09

Thanks for the reply. The SSL report shows a lot of vulnerabilities like,

This server supports insecure Diffie-Hellman (DH) key exchange parameters (Logjam). Grade set to F.
This server uses RC4 with modern protocols. Grade capped to C.
The server does not support Forward Secrecy with the reference browsers.

Can you advise how to disable weak Cipher Suites, support forward secrecy, use a 2048-bit Diffie-Hellman?

Thanks.

Categories: Tigase Forums

API and development: RE: XEP-0184/receipts with MUC messages.

Mon, 04/11/2016 - 11:39

As described in 5.3: When to Request Receipts - Groupchat:

It is NOT RECOMMENDED to request a receipt when sending a content message of type "groupchat" in a Multi-User Chat (XEP-0045) [7] room because the logic for determining when a content message is truly "received" by all of the room occupants is complex, and because the sender would receive one ack message from each occupant of the room, thus significantly increasing the number of stanzas sent through the room.

Tigase MUC by default filters elements in <message/> stanzas hence receipts requests/responses are not included. You can disable the filtering with the following option included in etc/init.properties:
muc/message-filter-enabled[B]=false

Categories: Tigase Forums

Installation and maintenance: RE: Wildcard SSL Cert

Mon, 04/11/2016 - 11:34

Tigase supports wildcard certificates but you have to either put them in the filename matching VHost (domain) or configure wildcard VHost in etc/init.properties:
basic-conf/virt-hosts-cert-*.tigase.org=/home/tigase/tigase-server/certs/tigase.org.pem

Categories: Tigase Forums
