Tigase XMPP Server Board

Tigase server administration: RE: Tigase BOSH Secure Connections

Tue, 10/28/2014 - 11:17

Hi, when I run the command below I can see the CA certificate properly. But the port is 443. Do I need to set my BOSH SSH port to 443 instead of 5281?

$ openssl s_client -tls1 -connect chat.my-doc.com:443
CONNECTED
depth=3 C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority
verify return:1
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.my-doc.com
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/CN=*.my-doc.com
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
1 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
i:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
2 s:/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./CN=Go Daddy Root Certificate Authority - G2
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
3 s:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
i:/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFHTCCBAWgAwIBAgIHBHsWbM77qTANBgkqhkiG9w0BAQsFADCBtDELMAkGA1UE
BhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAY
BgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMS0wKwYDVQQLEyRodHRwOi8vY2VydHMu
jC30bymnByOPbeOKOayT39VKTU+0dSBMw/FGFON8mzkGIMqGWaKS5FEj4RAsAQ1
I0rY1E9aXjg4YNxhO24z6OXsdRgUKDH16+vM4dnTdNlHN50qlbdwQOi3PEQbq086
W410XCD+2psLCdCSH9AY6Fk+8MB8JiLWJaWEgJ+1zIYlot9NlydOFsjtluxb18C4
jp7Cy1vvlcmiCu/KwKh+Ll4ExL+SmsiUGahNxqekJmoCpyt7XgCj3ioc4ODzd9pR
VE9wo6ZmvpEV2AWqkMsmX6A=
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/CN=*.my-doc.com
issuer=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 5404 bytes and written 289 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: 98870E2AE5ED5786738A33AF4EF98ACD30345D645BD7D36A1593B89231213BB8
Session-ID-ctx:
Master-Key: 408D64E94E6F568AF3BW2342342K3J42L3J425F82BD96E6587228205483SDFADFASDFASAAAAAA
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - ee 73 b0 6e f7 e9 5b 28-2c 74 a3 2e 8f 8b 2a 3a .s.n..[(,t....*:
0010 - 07 19 40 79 8f 7e a7 18-86 7f 1f 24 ff a3 9c 7b ..@..~.....$...{
0020 - 94 4e 1a td bf a9 e1 82-e2 ff b8 5b 6c 5c f9 43 .N.........[l\.C
0090 - ab 33 62 ca a0 92 88 4d-09 02 10 09 fa 4d 3e 36 .3b....M.....M>6

Start Time: 1414519873
Timeout : 7200 (sec)
Verify return code: 0 (ok)

Any clues please.

Regards
Khaleel

Categories: Tigase Forums
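The two s_client transcripts in this thread (a completed handshake on 443, "no peer certificate available" on 5281) can be read mechanically. The script below is an added example, not part of any post and not Tigase code: it parses constructed, trimmed s_client output modelled on the thread's (the hostname chat.my-doc.com and the wildcard CN *.my-doc.com come from the thread; the CA names in the samples are made up) and reports whether the port speaks TLS at all, whether the certificate's CN covers the hostname under the wildcard rules of RFC 6125, whether OpenSSL trusted the chain, and whether the negotiated protocol is older than TLS 1.2.

```python
"""Interpret `openssl s_client -connect host:port` output offline: does the
port speak TLS, which certificate does it present, does the CN cover the
hostname, did OpenSSL trust the chain, is the protocol current?
Added example; the transcripts below are constructed and trimmed."""
import re

SAMPLE_OK = """CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = *.my-doc.com
verify return:1
---
Server certificate
subject=/OU=Domain Control Validated/CN=*.my-doc.com
issuer=/C=US/O=Example CA, Inc./CN=Example Issuing CA
---
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Verify return code: 0 (ok)
"""

# The TCP connect succeeded but no TLS handshake ever completed.
SAMPLE_FAIL = """CONNECTED(00000003)
140103216277320:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
"""

# A self-signed certificate: OpenSSL's verify code 18.
SAMPLE_SELF_SIGNED = """CONNECTED(00000003)
subject=/CN=chat.my-doc.com
issuer=/CN=chat.my-doc.com
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 18 (self signed certificate)
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_s_client(output):
    """Pull the decision-relevant fields out of an s_client transcript."""
    info = {"handshake_ok": ("no peer certificate available" not in output
                             and "handshake failure" not in output),
            "subject_cn": None, "verify_code": None, "verify_text": None,
            "protocol": None, "cipher": None}
    # Handles both "subject=/OU=.../CN=x" and "subject=OU = ..., CN = x" layouts.
    m = re.search(r"^subject=.*?CN\s*=\s*([^/,\n]+)", output, re.M)
    if m:
        info["subject_cn"] = m.group(1).strip()
    m = re.search(r"Verify return code:\s*(\d+)\s*\((.*?)\)", output)
    if m:
        info["verify_code"], info["verify_text"] = int(m.group(1)), m.group(2)
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    if m:
        info["protocol"] = m.group(1)
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    if m:
        info["cipher"] = m.group(1)
    return info


def hostname_matches(cert_name, hostname):
    """RFC 6125 style: '*' stands for exactly one leftmost label and must be
    followed by at least two labels, so '*.com' never matches anything."""
    cert = cert_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(cert) != len(host):
        return False
    if cert[0] == "*":
        return len(cert) >= 3 and cert[1:] == host[1:]
    return cert == host


def assess(output, hostname):
    """Findings a practitioner would act on, in the order to check them."""
    info = parse_s_client(output)
    if not info["handshake_ok"]:
        return ["tls: handshake failed; the port is not serving TLS "
                "(plain listener, wrong port, or ClientHello rejected)"]
    findings = []
    cn = info["subject_cn"]
    if cn is None:
        findings.append("cert: no subject CN found in the transcript")
    elif not hostname_matches(cn, hostname):
        findings.append("cert: CN %s does not cover %s" % (cn, hostname))
    if info["verify_code"] != 0:
        findings.append("trust: verify code %s (%s)"
                        % (info["verify_code"], info["verify_text"]))
    if info["protocol"] in WEAK_PROTOCOLS:
        findings.append("proto: negotiated %s, enable TLS 1.2 or newer" % info["protocol"])
    return findings


if __name__ == "__main__":
    for label, sample in (("443", SAMPLE_OK), ("5281", SAMPLE_FAIL),
                          ("self-signed", SAMPLE_SELF_SIGNED)):
        print(label, assess(sample, "chat.my-doc.com") or ["ok"])
```

To use it on a live port, capture `openssl s_client -connect chat.my-doc.com:5281 -servername chat.my-doc.com </dev/null` and pass the text to assess(). A "tls: handshake failed" finding is a listener problem (the port is not configured for TLS), not a certificate problem, and is the case to rule out first. s_client prints only the CN; a complete name check must also read the subjectAltName entries, for example with `openssl x509 -in cert.pem -noout -text`.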

Tigase server administration: RE: Tigase BOSH Secure Connections

Tue, 10/28/2014 - 10:51

Hi Wojciech Kapcia,

I have the similar issue. when I try to do the

[ec2-user@ip-10-146-138-237 certs]$ openssl s_client -connect chat.my-doc.com:5281
CONNECTED
140103216277320:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
--
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

When I checked the certificates in the certs folder, there are already PEM files created by the Tigase server. Why am I not able to make the handshake?

[ec2-user@ip-10-146-138-237 certs]$ ls
54.251.87.63.pem 54.255.71.55.pem chat.my-doc.com.pem rsa-keystore truststore

Any suggestion is helpful. How can I generate a new certificate from the Tigase server for my domain name chat.my-doc.com?

Regards
Khaleel

Categories: Tigase Forums

Tigase server development: RE: Packet changed once in addOutPacket()?

Tue, 10/28/2014 - 09:49

Andrzej Wójcik wrote:

I think that your interpretation of the Implementation Note is correct, but the same RFC 6120, in section 10.5.3.2, describes how a server should process a stanza whose 'to' attribute contains a bare JID, depending on the stanza type.

If the JID contained in the 'to' attribute is of the form <localpart@domainpart>, how the stanza is processed depends on the stanza type.

  • For a message stanza, if there exists at least one connected resource for the account then the server SHOULD deliver it to at least one of the connected resources. If there exists no connected resource then the server MUST either (a) store the message offline for delivery when the account next has a connected resource or (b) return a <service-unavailable/> stanza error (Section 8.3.3.19).
  • For a presence stanza, if there exists at least one connected resource that has sent initial presence (i.e., has a "presence session" as defined in [XMPP‑IM]) then the server SHOULD deliver it to such resources. If there exists no connected resource then the server SHOULD ignore the stanza (or behave as described in [XMPP‑IM]).
  • For an IQ stanza, the server MUST handle it directly on behalf of the intended recipient.

This forces the server to process this stanza and handle it if possible, but also forces the server to block delivery of this packet.

Yes, that sounds correct for IQ stanzas, agreed. However, PacketDefaultHandler doesn't differentiate between stanza types, although you can argue that you're taking the SHOULD part in the spec and deciding not to implement it.

Categories: Tigase Forums

Tigase server development: RE: getComponentId() issue

Tue, 10/28/2014 - 09:34

I created a bug report for this, since the virtual host config has already been read at this point and thus it should be available:

https://projects.tigase.org/issues/2423

Categories: Tigase Forums

Tigase server development: RE: Packet changed once in addOutPacket()?

Tue, 10/28/2014 - 09:12

I think that your interpretation of the Implementation Note is correct, but the same RFC 6120, in section 10.5.3.2, describes how a server should process a stanza whose 'to' attribute contains a bare JID, depending on the stanza type.

If the JID contained in the 'to' attribute is of the form <localpart@domainpart>, how the stanza is processed depends on the stanza type.

  • For a message stanza, if there exists at least one connected resource for the account then the server SHOULD deliver it to at least one of the connected resources. If there exists no connected resource then the server MUST either (a) store the message offline for delivery when the account next has a connected resource or (b) return a <service-unavailable/> stanza error (Section 8.3.3.19).
  • For a presence stanza, if there exists at least one connected resource that has sent initial presence (i.e., has a "presence session" as defined in [XMPP‑IM]) then the server SHOULD deliver it to such resources. If there exists no connected resource then the server SHOULD ignore the stanza (or behave as described in [XMPP‑IM]).
  • For an IQ stanza, the server MUST handle it directly on behalf of the intended recipient.

This forces the server to process this stanza and handle it if possible, but also forces the server to block delivery of this packet.

Categories: Tigase Forums
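The three rules quoted above form a small decision procedure, and the symptom reported in this thread (the stanza coming back with type="error" and to/from swapped) is exactly the shape RFC 6120 section 8.3 prescribes for the error branch. The Python below is an added illustration, not Tigase's code: it takes a stanza as a dict, the account's connected resources, and the set of IQ namespaces the server answers itself, and returns the action section 10.5.3.2 prescribes. Delivering to every connected resource on the message branch is one choice within the RFC's "at least one"; the resource names, JIDs and namespaces are made up.

```python
"""Routing of a stanza whose 'to' is a bare JID (RFC 6120 section 10.5.3.2)
plus construction of the section 8.3 error reply (to/from swapped,
type="error").  Added example in plain Python; stanzas are dicts."""
from collections import namedtuple

# A connected resource; has_presence_session is True once it sent initial presence.
Resource = namedtuple("Resource", "name has_presence_session")


def make_error(stanza, condition, error_type="cancel"):
    """Build the bounce for `stanza`: same id, to/from swapped, type="error".
    Returns None when the stanza is itself an error: section 8.3.1 forbids
    answering an error with another error (that is how bounce loops start)."""
    if stanza.get("type") == "error":
        return None
    reply = dict(stanza)
    reply["to"], reply["from"] = stanza.get("from"), stanza.get("to")
    reply["type"] = "error"
    reply["error"] = {"type": error_type, "condition": condition}
    return reply


def _bounce(stanza, condition):
    reply = make_error(stanza, condition)
    return ("error", reply) if reply is not None else ("drop", None)


def route_to_bare_jid(stanza, resources, offline_storage=True, iq_handlers=frozenset()):
    """Return (action, payload).  action is one of deliver, store-offline,
    error, drop, ignore, handle, consume; payload is the list of target
    resource names for deliver, or the error reply for error."""
    kind, stype = stanza["name"], stanza.get("type")
    if kind == "message":
        if resources:  # SHOULD deliver to at least one; this example picks all
            return "deliver", [r.name for r in resources]
        if offline_storage:  # MUST either store offline ...
            return "store-offline", None
        return _bounce(stanza, "service-unavailable")  # ... or return this error
    if kind == "presence":
        targets = [r.name for r in resources if r.has_presence_session]
        return ("deliver", targets) if targets else ("ignore", None)
    if kind == "iq":
        if stype in ("result", "error"):
            return "consume", None  # a reply to a pending request; never bounced
        if stanza.get("xmlns") in iq_handlers:
            return "handle", None  # the server answers on behalf of the account
        return _bounce(stanza, "service-unavailable")
    raise ValueError("not a stanza: %r" % kind)


if __name__ == "__main__":
    online = [Resource("phone", True), Resource("laptop", False)]
    iq = {"name": "iq", "type": "get", "id": "q1", "xmlns": "urn:example:custom",
          "to": "user@example.com", "from": "user@example.com/phone"}
    print(route_to_bare_jid(iq, online))  # no handler: ('error', {... type='error' ...})
```

The IQ branch is the one that matters for a component: an IQ addressed to the bare JID is never fanned out to resources, so a component that wants all sessions to see it must either address each full JID or supply a processor for that namespace, and an incoming result/error IQ must be consumed rather than re-bounced.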

Tigase server development: RE: Packet changed once in addOutPacket()?

Tue, 10/28/2014 - 08:53

Should I file a bug report?

Categories: Tigase Forums

Tigase server development: RE: Packet changed once in addOutPacket()?

Tue, 10/28/2014 - 08:37

Wojciech Kapcia wrote:

Tigase simply follows specification in this aspect.

Ok, we must be interpreting the specification differently, I read:

Implementation Note: It is the server's responsibility to deliver only stanzas that are addressed to the client's full JID or the user's bare JID; thus, there is no need for the client to check the 'to' address of incoming stanzas. However, if the client does check the 'to' address then it is suggested to check at most the bare JID portion (not the full JID), since the 'to' address might be the user's bare JID, the client's current full JID, or even a full JID with a different resourcepart

(http://xmpp.org/rfcs/rfc6120.html#stanzas-attributes-to-c2s)

to mean: the server must also support sending to the user's bare JID and thus send to all the connected resources if it is a bare JID.

Categories: Tigase Forums

Tigase server administration: RE: Tigase BOSH Secure Connections

Tue, 10/28/2014 - 08:37

Thanks a lot Wojciech.

Works perfectly :)

Categories: Tigase Forums

Tigase server development: RE: Packet changed once in addOutPacket()?

Tue, 10/28/2014 - 08:28

Tigase simply follows specification in this aspect.

Categories: Tigase Forums

Tigase server administration: RE: Tigase BOSH Secure Connections

Tue, 10/28/2014 - 08:27

Basically you are using a self-signed certificate, therefore there is a warning in the browser. You can either add it to the trusted certificates or obtain a certificate from a trusted CA.

Categories: Tigase Forums

Tigase server development: RE: Packet changed once in addOutPacket()?

Tue, 10/28/2014 - 08:26

Wojciech Kapcia wrote:

As per 16. How Packets are Processed by the SM and Plugins: if there are no (pre/post)processors then the default packet handler will be used. Simply implement a plugin that will forward your IQ to all resources without strictly checking the resource.

Ok, thanks.

It should be mentioned somewhere that Tigase does not support this out of the box.

Categories: Tigase Forums

Tigase server administration: RE: Tigase BOSH Secure Connections

Tue, 10/28/2014 - 08:20

Hi Wojciech,

I have verified the following SSL handshake.

I am still getting the same error as before. Should I also add the certificate to the trusted certificates list in my browser?

Attached is the screenshot of the same.

Regards,
Prashanth

Categories: Tigase Forums

Tigase server development: RE: Packet changed once in addOutPacket()?

Tue, 10/28/2014 - 08:16

As per 16. How Packets are Processed by the SM and Plugins: if there are no (pre/post)processors then the default packet handler will be used. Simply implement a plugin that will forward your IQ to all resources without strictly checking the resource.

Categories: Tigase Forums

Tigase server administration: RE: Tigase BOSH Secure Connections

Tue, 10/28/2014 - 08:11

The main question is: where do you place your certificate? For legacy XMPP socket connections and SSL BOSH you need to place it in certs/default.pem. From the provided logs it looks like you are using only this file.

Can you verify, that correct certificate is being served by Tigase?
openssl s_client -connect localhost:5280

Categories: Tigase Forums

Tigase server development: RE: Packet changed once in addOutPacket()?

Tue, 10/28/2014 - 08:02

I can confirm this is what is happening with my component...

Categories: Tigase Forums

Tigase server administration: RE: Mysql: Encryption of passwords in tig_users table

Tue, 10/28/2014 - 07:58

One option, which would require using SASL-PLAIN, would be enabling MD5 password hashing in the database:
call TigPutDBProperty('password-encoding', <hashing>);
where <hashing> can be one of the following: 'MD5-PASSWORD', 'MD5-USERID-PASSWORD', 'MD5-USERNAME-PASSWORD'.

An alternative would be using SCRAM.

Categories: Tigase Forums
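The reason the MD5 option ties you to SASL PLAIN is that the server must receive the password in order to hash it, whereas with SCRAM the database holds only salted, iterated keys and the client proves it knows the password without ever sending it. The following is an added example of the SCRAM-SHA-1 exchange of RFC 5802 in plain Python, not Tigase's implementation and not tied to its storage layout; it reuses the RFC's own example values (user "user", password "pencil", the nonces and the salt from section 5) so the four messages can be compared against the RFC. SASLprep normalisation of the password is omitted.

```python
"""SCRAM-SHA-1 (RFC 5802) client and server sides.  The server keeps only
salt, iteration count, StoredKey and ServerKey; the password itself never
crosses the wire.  Added example; values in RFC5802_* are the RFC's."""
import base64
import hashlib
import hmac
import os

RFC5802_SALT = bytes.fromhex("4125c247e43ab1e93c6dff76")  # base64 QSXCR+Q6sek8bf92
RFC5802_CLIENT_NONCE = "fyko+d2lbbFgONRv9qkxdawL"
RFC5802_SERVER_NONCE = "3rfcNHYJY1ZVvWVs7j"


def _derive(password, salt, iterations):
    """SaltedPassword -> (ClientKey, StoredKey, ServerKey), RFC 5802 section 3."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return client_key, hashlib.sha1(client_key).digest(), server_key


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _kv(msg):
    """Parse 'k=v,k=v' attributes; values may contain '=' (base64)."""
    return dict(part.split("=", 1) for part in msg.split(","))


def make_stored_record(password, salt=None, iterations=4096):
    """What the server persists instead of the password: a stolen record does
    not yield the password and cannot be replayed as a proof."""
    salt = salt if salt is not None else os.urandom(16)
    _, stored_key, server_key = _derive(password, salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "stored_key": stored_key, "server_key": server_key}


def client_first(username, client_nonce):
    return "n,,n=%s,r=%s" % (username, client_nonce)  # "n,," = no channel binding


def server_first(client_first_msg, record, server_nonce):
    nonce = _kv(client_first_msg[3:])["r"] + server_nonce  # client nonce + server nonce
    return "r=%s,s=%s,i=%d" % (nonce, base64.b64encode(record["salt"]).decode(),
                               record["iterations"])


def client_final(password, client_first_msg, server_first_msg):
    sf = _kv(server_first_msg)
    client_key, stored_key, _ = _derive(password, base64.b64decode(sf["s"]), int(sf["i"]))
    without_proof = "c=biws,r=" + sf["r"]  # "biws" == base64("n,,")
    auth_message = ",".join([client_first_msg[3:], server_first_msg, without_proof]).encode()
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return without_proof + ",p=" + base64.b64encode(_xor(client_key, client_sig)).decode()


def server_verify(record, client_first_msg, server_first_msg, client_final_msg):
    """Verify the proof using StoredKey only.  Returns the server-final
    message on success, None on failure."""
    without_proof, proof_b64 = client_final_msg.rsplit(",p=", 1)
    if _kv(without_proof)["r"] != _kv(server_first_msg)["r"]:
        return None  # nonce mismatch: replayed or spliced message
    auth_message = ",".join([client_first_msg[3:], server_first_msg, without_proof]).encode()
    client_sig = hmac.new(record["stored_key"], auth_message, hashlib.sha1).digest()
    client_key = _xor(base64.b64decode(proof_b64), client_sig)
    if not hmac.compare_digest(hashlib.sha1(client_key).digest(), record["stored_key"]):
        return None
    server_sig = hmac.new(record["server_key"], auth_message, hashlib.sha1).digest()
    return "v=" + base64.b64encode(server_sig).decode()


def client_verify_server(password, client_first_msg, server_first_msg,
                         client_final_msg, server_final_msg):
    """Mutual authentication: the client checks the server knew ServerKey."""
    sf = _kv(server_first_msg)
    _, _, server_key = _derive(password, base64.b64decode(sf["s"]), int(sf["i"]))
    without_proof = client_final_msg.rsplit(",p=", 1)[0]
    auth_message = ",".join([client_first_msg[3:], server_first_msg, without_proof]).encode()
    expected = hmac.new(server_key, auth_message, hashlib.sha1).digest()
    return hmac.compare_digest(base64.b64decode(server_final_msg[2:]), expected)


def run_exchange(username, password, record, client_nonce, server_nonce):
    """Drive both sides; returns (authenticated, [the four messages])."""
    c1 = client_first(username, client_nonce)
    s1 = server_first(c1, record, server_nonce)
    c2 = client_final(password, c1, s1)
    s2 = server_verify(record, c1, s1, c2)
    ok = s2 is not None and client_verify_server(password, c1, s1, c2, s2)
    return ok, [c1, s1, c2, s2]


if __name__ == "__main__":
    rec = make_stored_record("pencil", RFC5802_SALT)
    ok, msgs = run_exchange("user", "pencil", rec, RFC5802_CLIENT_NONCE, RFC5802_SERVER_NONCE)
    print(ok, *msgs, sep="\n")
```

The server side never calls _derive with the password: it checks the proof against StoredKey and signs with ServerKey, both of which are the salted, iterated values in the record. That is what makes a SCRAM store safer than a database-side MD5 hash, which is unsalted and, with PLAIN, still requires the password itself to reach the server on every login.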

Tigase server development: RE: Packet changed once in addOutPacket()?

Tue, 10/28/2014 - 07:51

Wojciech Kapcia wrote:

Have you tried following your packet in the logs (with debug=server,xmpp)? It's hard to tell why your packet would be converted to an error from the scarce information you provide. Can you also share an example packet that you are trying to send, as well as the response generated by Tigase?

Ok, I think I found the issue. I tried to use the EchoComponent to see if it worked and it didn't either; however, I saw the error (not sure how I missed it before, probably since the XML I am sending back from my component is quite big). Anyway, I traced the error message ("The feature is not supported yet.") to the PacketDefaultHandler class:

if (resource == null) { // In default packet handler we deliver packets to a specific resource only ... }

and my component is not setting the resource, since I want to send it to all of a user's connected sessions. The thing is, PacketDefaultHandler doesn't implement any interfaces and the session manager expects this class; this makes me think that swapping the packet handler is not supported. Is this correct?

Thanks

Categories: Tigase Forums

Tigase server development: RE: Packet changed once in addOutPacket()?

Tue, 10/28/2014 - 07:47

Have you tried following your packet in the logs (with debug=server,xmpp)? It's hard to tell why your packet would be converted to an error from the scarce information you provide. Can you also share an example packet that you are trying to send, as well as the response generated by Tigase?

Categories: Tigase Forums

Tigase server development: RE: Packet changed once in addOutPacket()?

Tue, 10/28/2014 - 07:10

I think I can safely say my packet is never sent. I used a low-level XMPP debugger as the client and it never receives the msg. The server, however, thinks it receives an error reply.

Categories: Tigase Forums

Tigase server development: Packet changed once in addOutPacket()?

Tue, 10/28/2014 - 06:09

Hi all,

I have a strange issue and it is making me go crazy... I receive a packet (iq element with type="get") from a user, process it in my component and generate a reply (iq element with type="result"). I put the resulting packet in the out queue using addOutPacket(). I debugged it all the way down and my packet is as I created it. I get to this line in AbstractMessageReceiver:

out_queues.get(queueIdx).put(packet, packet.getPriority().ordinal())

and the strange things start happening... let's say that queueIdx = 0 and packet.getPriority().ordinal() = 3; once this line executes my packet is not in out_queues.get(0).get(3)... then I continue executing the code and I reach this line in QueueListener:

packet = queue.take();

and my packet now has type="error" and the to/from fields were swapped (the rest is the same)... can someone please explain what is going on?

Thanks,
Gabriel

Categories: Tigase Forums
