secure only

I am new to the whole jabber thing.
I've managed to get ejabberd set up, running and all that; all seems to work fine.
Now I've been recommended to make it so that all communications are secured, using TLS or whatever.

What's the best way to go about that?


nasht00 wrote: I am new to

nasht00 wrote:

I am new to the whole jabber thing.
I've managed to get ejabberd set up, running and all that; all seems to work fine.
Now I've been recommended to make it so that all communications are secured, using TLS or whatever.

What's the best way to go about that?

Edit ejabberd.cfg, and make sure the listener ejabberd_c2s has the option starttls or starttls_required.

In the clients, enable encryption (sometimes called TLS, or STARTTLS).
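The same answer written out as a complete ejabberd.cfg fragment (ejabberd 2.1.x Erlang-term syntax). This is an added example, not text from the reply above: the certificate path and the s2s listener port are assumptions, and it goes one step further than the reply by also covering server-to-server links, since "all communications" includes federation.

```erlang
%% ejabberd.cfg fragment, ejabberd 2.1.x syntax. Added example; the path
%% "/etc/ejabberd/server.pem" is an assumption. server.pem must contain
%% both the private key and the certificate in PEM form.
{listen,
 [
  %% Client-to-server. The bare atom 'starttls' only ADVERTISES encryption:
  %% a client that ignores the offer can still authenticate in cleartext.
  %% 'starttls_required' rejects authentication until the stream has been
  %% upgraded, which is what "only encrypted sessions" means for c2s.
  {5222, ejabberd_c2s, [
                        {access, c2s},
                        {shaper, c2s_shaper},
                        {max_stanza_size, 65536},
                        starttls_required,
                        {certfile, "/etc/ejabberd/server.pem"}
                       ]},

  %% Server-to-server incoming listener. The TLS policy for s2s is not a
  %% listener option; it is the global s2s_use_starttls option below.
  {5269, ejabberd_s2s_in, [
                           {shaper, s2s_shaper},
                           {max_stanza_size, 131072}
                          ]}
 ]}.

%% Server-to-server policy. 'optional' silently falls back to cleartext
%% when the peer does not offer STARTTLS; 'required' refuses such peers;
%% 'required_trusted' additionally requires the peer's certificate to
%% chain to a CA this host trusts.
{s2s_use_starttls, required}.
{s2s_certfile, "/etc/ejabberd/server.pem"}.
```

Two things to check after reloading: starttls_required only governs the ejabberd_c2s listener it is placed on, so any other entry point you keep (a legacy port 5223 listener with the tls option, or an ejabberd_http listener without it) has its own, separate TLS setting; and a client set to "encrypt always" will now refuse to connect if the certificate cannot be read, which is exactly the tls_drv failure discussed further down this thread.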

same request

I also have the same request for the ejabberd server to allow only encrypted sessions. I have tried setting the ejabberd_c2s listener to starttls and starttls_required. Neither seems to allow a starttls connection. My client is Psi. I have tried the Psi setting "Encrypt connection: When available" and with the value "Always" with no luck.

listener config:

{listen,
[

  {5222, ejabberd_c2s, [
                        {certfile, "/opt/ejabberd-2.1.5/conf/server.pem"}, starttls,
                        {access, c2s},
                        {shaper, c2s_shaper},
                        {max_stanza_size, 65536}
                       ]},

connection log file output:

=INFO REPORT==== 2010-09-20 11:00:43 ===
I(<0.381.0>:ejabberd_listener:232) : (#Port<0.482>) Accepted connection {{xxx.xxx.xxx.xxx},1663} -> {{192,168,250,35},5222}

=ERROR REPORT==== 2010-09-20 11:00:43 ===
** State machine <0.410.0> terminating
** Last event in was {xmlstreamelement,
                         {xmlelement,"starttls",
                             [{"xmlns","urn:ietf:params:xml:ns:xmpp-tls"}],
                             []}}
** When State == wait_for_feature_request
**      Data  == {state,{socket_state,gen_tcp,#Port<0.482>,<0.409.0>},
                        ejabberd_socket,#Ref<0.0.0.10116>,false,"1329861660",
                        {sasl_state,"jabber","commsw2.example.com",[],
                                    #Fun<ejabberd_c2s.1.30334249>,
                                    #Fun<ejabberd_c2s.2.32721014>,
                                    #Fun<ejabberd_c2s.3.7052687>,undefined,
                                    undefined},
                        c2s,c2s_shaper,false,true,false,false,
                        [verify_none,
                         {certfile,"/opt/ejabberd-2.1.5/conf/server.pem"}],
                        false,undefined,[],"commsw2.example.com",[],
                        undefined,
                        {pres_t,0},
                        {pres_f,0},
                        {pres_a,0},
                        {pres_i,0},
                        undefined,undefined,undefined,false,
                        {userlist,none,[],false},
                        unknown,unknown,
                        {{xxx.xxx.xxx.xxx},1663},
                        "en"}
** Reason for termination =
** {{case_clause,{error,{open_error,-10}}},
    [{tls,tcp_to_tls,2},
     {ejabberd_socket,starttls,3},
     {ejabberd_c2s,wait_for_feature_request,2},
     {p1_fsm,handle_msg,10},
     {proc_lib,init_p,5}]}

ditto

This is *EXACTLY* my problem. I'm using 2.1.15 on 32 bit Centos.

I've been trying for about twelve man-hours now to get ejabberd to work with encryption.

Ejabberd works without encryption - but if I have any kind of encryption option active, I get {open_error,-10}.

Elsewhere on the web, this was thought perhaps to be a problem finding tls_drv.so.

This file is in the correct location (./lib/ejabberd-2.1.5/priv/linux-x86/lib/tls_drv.so) and has the correct permissions (installed as user ejabberd in its home directory).

It is not apparent what is going wrong or why.

I have tried setting LD_LIBRARY_PATH for user ejabberd (to be the absolute path to the tls_drv.so file); this does not fix the problem.

Is anyone out there actually using encryption with 2.1.15?

Re

Toby wrote:
I'm using 2.1.15 on 32 bit Centos. Is anyone out there actually using encryption with 2.1.15?
You are the only person on this earth that has ejabberd 2.1.15.
Toby wrote:
Ejabberd works without encryption - but if I have any kind of encryption option active, I get {open_error,-10}. Elsewhere on the web, this was thought perhaps to be a problem finding tls_drv.so. This file is in the correct location (./lib/ejabberd-2.1.5/priv/linux-x86/lib/tls_drv.so) and has the correct permissions (installed as user ejabberd in its home directory).
TLS works for me. When I delete that file, I get the open_error -10 you both mentioned. If you use a precompiled *.so, maybe it was compiled for a different architecture, or for a different OpenSSL library.

Well, I'm about out. I've

Well, I'm about out.

I've updated to the latest OpenSSL for my platform.

I've tried making a new server.pem, just in case it was that.

Nothing changed.

So - I have an error message, "-10", where I don't actually know what it means. The tls_drv.so file is present - removing it apparently gives "-10" as well. So maybe it's linked against a different OpenSSL version than I have installed. But there's no error information - so... on the guess that it might be an OpenSSL version problem, I spend time guessing which version I'm supposed to have?

I can't make progress. There's no meaningful error information.

I downloaded the source, but the problem there of course is that I then need to install a bunch of other stuff - like an Erlang compiler - to have a go at compiling. I've spent about 15 man-hours so far trying to make this work. Figuring out how to compile Erlang is not on the menu.

So, last try - anyone out there who *does* have SSL/TLS working, what version of OpenSSL do you have installed?

My openssl version; try to load tls_drv manually

Toby wrote:

I downloaded the source, but the problem there of course is that I then need to install a bunch of other stuff - like an Erlang compiler - to have a go at compiling. I've spent about 15 man-hours so far trying to make this work. Figuring out how to compile Erlang is not on the menu.

Compiling Erlang/OTP is the hardest part (it has several dependencies) and takes 1 hour to compile. If your distribution has some compatible Erlang packages, that would save you 95% of the work.

Compiling ejabberd afterwards is rather easy (it only requires Erlang and a few more dependencies) and takes 1 minute to compile.

Toby wrote:

So, last try - anyone out there who *does* have SSL/TLS working, what version of OpenSSL do you have installed?

I've installed ejabberd 2.1.5 Linux 32bit installer (ejabberd-2.1.5-linux-x86-installer.bin) in my machine, all default configuration and files. Then I login with the typical TLS encryption + SASL auth.

ejabberd.log:

=INFO REPORT==== 2010-09-24 17:01:04 ===
I(<0.394.0>:ejabberd_listener:232) : (#Port<0.470>) Accepted connection {{127,0,0,1},35424} -> {{127,0,0,1},5222}

=INFO REPORT==== 2010-09-24 17:01:05 ===
I(<0.406.0>:ejabberd_c2s:716) : ({socket_state,tls,{tlssock,#Port<0.470>,#Port<0.475>},<0.405.0>})
 Accepted authentication for badlop by ejabberd_auth_internal

=INFO REPORT==== 2010-09-24 17:01:05 ===
I(<0.406.0>:ejabberd_c2s:839) : ({socket_state,tls,{tlssock,#Port<0.470>,#Port<0.475>},<0.405.0>})
 Opened session for badlop@localhost/tkabber

System and library info:

$ uname -a
Linux dolmin 2.6.32-1-686 #1 SMP Mon Feb 1 01:37:26 UTC 2010 i686 GNU/Linux

$ openssl version
OpenSSL 0.9.8o 01 Jun 2010

$ aptitude show libssl0.9.8
...
Version: 0.9.8o-2

$ cat /etc/apt/sources.list | grep "^deb"
deb http://ftp.fr.debian.org/debian sid main contrib non-free

Another idea is to try to load the library manually, using the same calls that ejabberd does, and trying different ways. I start ejabberd interactively, and then I make some calls:

$ ejabberdctl live
...

(ejabberd@localhost)1> Path = os:getenv("EJABBERD_SO_PATH").
"//lib/ejabberd/priv/lib"

(ejabberd@localhost)2> erl_ddll:load_driver(Path, tls_drv).
ok

(ejabberd@localhost)3> erl_ddll:load_driver(Path, tls_drv).
ok

(ejabberd@localhost)4> erl_ddll:load_driver("/tmp/123", tls_drv).
{error,bad_driver_name}

(ejabberd@localhost)5> erl_ddll:load_driver("/lib/ejabberd/priv/lib", tls_drv).
{error,bad_driver_name}

(ejabberd@localhost)6> erl_ddll:load_driver("//lib/ejabberd/priv/lib", tls_drv).
ok

(ejabberd@localhost)9> erl_ddll:load_driver("////lib/ejabberd/priv/lib", tls_drv).
{error,bad_driver_name}

(ejabberd@localhost)11> erl_ddll:load_driver("//lib/ejabberd/priv/", tls_drv).
{error,bad_driver_name}

(ejabberd@localhost)13> erl_ddll:load_driver("//lib/ejabberd/priv/lib", expat_erl).
ok

(ejabberd@localhost)14> erl_ddll:load_driver("//lib/ejabberd/priv/lib", xml).
{error,no_driver_init}

(ejabberd@localhost)15> erl_ddll:load_driver("//lib/ejabberd/priv/lib", tls_drvaaaa).
{error,{open_error,-10}}

Let's hope this allows you to perform more fine-grained testing and detect what exactly is the problem.
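One more thing worth adding to the manual-loading idea above, because the complaint earlier in the thread is that "-10" carries no information. ejabberd loads its native drivers through erl_ddll, and when dlopen() rejects the file (file missing, a libssl/libcrypto dependency missing, wrong architecture) erl_ddll returns {error,{open_error,N}} and keeps the loader's dlerror() text. erl_ddll:format_error/1 returns that text, but only when it is called in the same VM in which the failure happened, which is why running it from ejabberdctl live matters. The module below is an added example, not part of ejabberd and not from the post above; the fallback driver path in DEFAULT_SO_PATH is an assumption for the 2.1.5 installer layout.

```erlang
%% tls_drv_check.erl -- added example, not part of ejabberd.
%% Usage, inside the running node so the loader error is still available:
%%   $ ejabberdctl live
%%   (ejabberd@localhost)1> c("tls_drv_check").
%%   (ejabberd@localhost)2> tls_drv_check:run().
-module(tls_drv_check).
-export([run/0, check/2]).

%% Assumed location from the 2.1.5 installer; EJABBERD_SO_PATH wins when set.
-define(DEFAULT_SO_PATH,
        "/opt/ejabberd-2.1.5/lib/ejabberd-2.1.5/priv/linux-x86/lib").

%% Try the three native drivers ejabberd needs for TLS, SHA and XML parsing
%% and print the loader's own reason for each failure.
run() ->
    Path = case os:getenv("EJABBERD_SO_PATH") of
               false -> ?DEFAULT_SO_PATH;
               P -> P
           end,
    io:format("driver path: ~s~n", [Path]),
    lists:foreach(fun(D) -> check(Path, D) end, [tls_drv, sha_drv, expat_erl]),
    ok.

%% Returns ok, or {error, Reason} after printing the decoded reason.
check(Path, Driver) ->
    File = filename:join(Path, atom_to_list(Driver) ++ ".so"),
    case filelib:is_regular(File) of
        true  -> ok;
        false -> io:format("  ~s: no such file (wrong path or driver not installed)~n",
                           [File])
    end,
    case erl_ddll:load_driver(Path, Driver) of
        ok ->
            io:format("  ~s: loaded ok~n", [Driver]),
            ok;
        {error, Reason} ->
            %% For {open_error,N} this is the saved dlerror() string, e.g.
            %% "libssl.so.0.9.8: cannot open shared object file: ...", which
            %% tells a missing-dependency failure apart from a missing file.
            io:format("  ~s: ~p: ~s~n",
                      [Driver, Reason, erl_ddll:format_error(Reason)]),
            {error, Reason}
    end.
```

Two caveats from the session quoted above: once a driver has been loaded under one path string, loading it again under a different spelling of the same directory ("/lib/..." versus "//lib/...") fails with bad_driver_name, so pass exactly the value of EJABBERD_SO_PATH; and a name that does not exist at all (tls_drvaaaa) produces the same {open_error,-10} as a library that exists but cannot be linked, which is why the dlerror() text, not the number, is the thing to read.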

Thanks for this. I had the

Thanks for this. I had the exact same problem: I couldn't make the starttls to work with ejabberd-2.1.10 (downloaded from the http://www.process-one.net site) on a CentOS 5.5 machine.

I made it work by symlinking the openssl libraries installed in the system to the lib/linux-x86/ dir of the ejabberd distribution. The system had libssl.so.0.9.8e and libcrypto.so.0.9.8e installed, but ejabberd had only libssl.so.0.9.7 and libcrypto.so.0.9.7 in lib/linux-x86/. Running ejabberdctl live I noticed that it was complaining about missing libssl.so.0.9.8 and libcrypto.so.0.9.8 libraries:

C(<0.42.0>:sha:53) : unable to load driver '/opt/ejabberd-2.1.10/lib/ejabberd-2.1.10/priv/linux-x86/lib/sha_drv.so': libssl.so.0.9.8: cannot open shared object file: No such file or directory

C(<0.42.0>:sha:53) : unable to load driver '/opt/ejabberd-2.1.10/lib/ejabberd-2.1.10/priv/linux-x86/lib/sha_drv.so': libcrypto.so.0.9.8: cannot open shared object file: No such file or directory

So, after making the symlinks:

ln -s /lib/libssl.so.0.9.8e /opt/ejabberd-2.1.10/lib/linux-x86/libssl.so.0.9.8
ln -s /lib/libcrypto.so.0.9.8e /opt/ejabberd-2.1.10/lib/linux-x86/libcrypto.so.0.9.8

starttls started working.

Oy vey - let us hope we do

Oy vey - let us hope we do not see the same error code meaning all of "file not found", "incompatible architecture" and "wrong library version"!

I've been thinking of the

I've been thinking of the same thing ... so let me just make sure that I have this correct.

If starttls and require_starttls are set up correctly, all communications (between servers and between client and server) are encrypted. Is that correct?

I use Psi on Windows and iChat on Macs for an intranet-only install of ejabberd. I know that I have encryption set in Psi. I don't have access to the machine right now, but it is a CentOS machine. Once I get access to the box, I will post what versions I have for everything.
