
2014-12-28 18:02:04

jabberd2 s2s bugfix require starttls

Jabberd2 2.2.17 (also used by Apple's ChatServer) allows StartTLS to be configured as mandatory. A "required" StartTLS on the c2s component (client to server) is well documented and works fine. But for the s2s component (server to server) you will only find a short notice in the configuration template. To enable it you must set "require_tls" in s2s.xml:

<security>
  <!-- Require TLS secured S2S connections -->
  <require_tls/>
</security>

But if you enable it you may notice that it does not work: the option is accepted, but incoming s2s streams are not forced to use TLS. You can test and confirm this malfunction with the IM Observatory.
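A small check you can run against your own server before and after patching, added here as an example and not part of the original post: it classifies the STARTTLS policy a server advertises on a fresh s2s stream. It assumes the server marks a mandatory STARTTLS with a `<required/>` child of `<starttls/>` in its stream features (RFC 6120 style); the two feature strings are constructed samples, and `probe_s2s` is a hypothetical helper that only sends the opening stream header and then closes.

```python
import socket
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample: what an unpatched jabberd2 2.2.17 sends even with
# <require_tls/> set (STARTTLS is offered, nothing marks it as required).
FEATURES_UNPATCHED = (f'<stream:features xmlns:stream="{STREAM_NS}">'
                      f'<starttls xmlns="{TLS_NS}"/></stream:features>')
# Constructed sample: features from a server that enforces the requirement.
FEATURES_PATCHED = (f'<stream:features xmlns:stream="{STREAM_NS}">'
                    f'<starttls xmlns="{TLS_NS}"><required/></starttls>'
                    '</stream:features>')

def classify_features(features: ET.Element) -> str:
    """Return "required", "optional" or "none" for a <stream:features> element."""
    starttls = features.find(f"{{{TLS_NS}}}starttls")
    if starttls is None:
        return "none"
    if starttls.find(f"{{{TLS_NS}}}required") is not None:
        return "required"
    return "optional"

def starttls_policy(features_xml: str) -> str:
    """Classify a captured features string whose stream: prefix is declared on it."""
    return classify_features(ET.fromstring(features_xml))

def probe_s2s(host: str, domain: str, port: int = 5269, timeout: float = 5.0) -> str:
    """Open an s2s stream to your own server, read its features, close, classify."""
    header = (f'<?xml version="1.0"?><stream:stream xmlns="jabber:server" '
              f'xmlns:stream="{STREAM_NS}" to="{domain}" version="1.0">')
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header.encode())
        while b"</stream:features>" not in buf and b"<stream:features/>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("stream closed before <stream:features>")
            buf += chunk
        sock.sendall(b"</stream:stream>")  # nothing else is sent, nothing authenticated
    data = buf.decode(errors="replace")
    if "<stream:features/>" in data:  # empty features: STARTTLS not offered at all
        return "none"
    features = data[data.index("<stream:features"):data.index("</stream:features>") + 18]
    # The stream: prefix was declared on the never-closed <stream:stream> tag,
    # so re-wrap the features element before parsing it.
    wrapped = f'<stream:stream xmlns:stream="{STREAM_NS}">{features}</stream:stream>'
    return classify_features(ET.fromstring(wrapped)[0])
```

With `<require_tls/>` set, `probe_s2s("your.host", "your.domain")` should return "required"; an unpatched 2.2.17 still returns "optional".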

To fix this bug and add the missing check you only need a small patch to s2s/in.c:

@@ -142,8 +142,12 @@
 
     flags = S2S_DB_HEADER;
 #ifdef HAVE_SSL
-    if(s2s->sx_ssl != NULL)
+    if(s2s->sx_ssl != NULL) {
         flags |= SX_SSL_STARTTLS_OFFER;
+        if (s2s->require_tls) {
+            flags |= SX_SSL_STARTTLS_REQUIRE;
+        }
+    }
 #endif
 #ifdef HAVE_LIBZ
     if(s2s->compression)
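Review bot: the added `if (s2s->require_tls)` uses `if (` with a space, while the surrounding lines (`if(s2s->sx_ssl != NULL)`, `if(s2s->compression)`) write `if(`; match the file's style. More important, `SX_SSL_STARTTLS_REQUIRE` is only set inside the `s2s->sx_ssl != NULL` branch and inside `#ifdef HAVE_SSL`, so a configured `<require_tls/>` is silently dropped when the TLS context failed to initialise or the build has no SSL support, and the inbound stream is then accepted in the clear without any log line. Consider logging a warning or refusing the stream in that case so a broken TLS setup does not turn into an unnoticed plaintext s2s link. It is also worth stating whether the outbound side (s2s/out.c) needs a matching change, since this hunk only touches the inbound feature flags.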

For RHEL / CentOS 5 an enhanced and already fixed jabberd RPM package (SRPM) is available in the tuxad repo.

Update 2015-08-09: The package is included in the tuxad repo.


Posted by Frank W. Bergmann | File under: c, ssl, encryption, rpm, yum, repository, redhat, openssl, jabber