From: Matthew Seaman
Date: Thu, 29 Mar 2012 16:30:22 +0100
To: Kaya Saman
Cc: freebsd-ports@FreeBSD.org
Subject: Re: jabberd port doesn't come with any certificates and is not allowing authorization?
Message-ID: <4F74800E.6070503@FreeBSD.org>

On 29/03/2012 15:45, Kaya Saman wrote:
> I've recently built the jabberd port and upgraded to the latest version: 2.x

Actually jabberd2 (net-im/jabberd) is a completely different
project to jabberd14 (net-im/jabber) -- it's not "upgrading" so much as
switching to a different piece of software.  In any case, jabberd2 is
the correct choice: it is being actively developed and is keeping
abreast of the various XMPP extensions that are being published.

> I'm having major problems in configuring it though and was wondering
> if someone could either give me a hand or help me generate
> certificates for it which are mentioned in the config file but not
> within the /usr/local/etc/jabberd directory.
>
>
> I'm experiencing this issue:
>
> Mar 29 16:33:48 JABBER jabberd/c2s[1498]: [8] [10.0.0.10, port=59032] connect
> Mar 29 16:33:48 JABBER jabberd/c2s[1498]: [8] got pre STARTTLS packet, dropping
> Mar 29 16:33:48 JABBER jabberd/c2s[1498]: [8] [10.0.0.10, port=59032] disconnect jid=unbound, packets: 1

Your client is attempting to switch its connection to using TLS.  This
is good, especially if you are using a SASL method of LOGIN or PASSWORD
-- otherwise it would send passwords across the net in plain text.

> This is my realm information:
>
>
> pemfile='/usr/local/etc/jabberd/server.pem'
> verify-mode='0'
> cachain='/usr/local/etc/jabberd/client_ca_certs.pem'
> require-starttls='false'
> register-enable='true'
> instructions='Enter a username and password to register with
> this server.'
> register-oob='http://srv.jabber.com/register'
> password-change='true'
> >jabber.com
> >
>
>
> jabber.com may publicly exist however, this is a trial done in Vbox
> and totally offline just so I can understand the necessary mechanisms
> involved as to learn how the jabberd server functions!

You've got both 'register-enable' and 'register-oob' -- you probably
don't want both of those, unless you do have an out-of-band method to
create user accounts.

Presumably you have created the required server x509 certificate.  If
you're doing it on the cheap, that means a self-signed certificate.  In
which case there simply won't be a chain of CA certs to worry about.

I'd also recommend require-starttls='true'

Of course, there's a lot more to setting up jabberd than just this
little section of one of the config files.

> I'm using Pidgin as the IM client who is configured like:
>
> Username: user
> Domain: jabber.com
> Password:
> Local Alias: user_alias
> Use encrypted connections if available <<<---***
> Allow plaintext auth over unencrypted streams <<<---***
> Connect server: srv.jabber.com

Those two marked items are not a good idea.  If you're using login to
authenticate, the SASL libraries expect you to use TLS to secure the
transaction, and the way of least resistance is to do so.

> On the client I keep getting: "Policy Violation" error.
>
>
> It's really weird but there seems to be a lack of documentation as I
> managed to find the stuff for jabberd version 1.4, for version 2.x
> I've followed some URLs:
>
> http://www.jms1.net/jabberd2/
>
> http://www.indiangnu.org/2009/how-to-configure-jabber-jabberd2-with-mysqlpam-as-auth-database/
>
> http://bionicraptor.co/2011/07/25/how-to-encrypt-jabberd2-communications/
>
> http://bionicraptor.co/2011/05/20/how-to-install-and-configure-japperd2-with-mysql/
>
>
> But still nothing is working, I believe it's to do with the security
> as in using encrypted or unencrypted connections but I can't be
> certain... there doesn't seem to be any mysql DB creation script
> either that I could find??

Look in /usr/local/share/doc/jabberd

I originally implemented jabberd2 using a MySQL database, but have
switched to PostgreSQL.  Which RDBMS you use won't make a whole lot of
difference unless your traffic levels grow to pretty enormous levels.
In fact, for a lightly used system, sqlite would be a reasonable choice.

> Is there a fix or am I stuck??

Well, I have jabberd2 up and running quite happily.  I don't remember
setting it up as being particularly traumatic.  I just read the docco,
followed the install guide here:

https://github.com/Jabberd2/jabberd2/wiki/InstallGuide

(which is linked to from the jabberd2 home page at
http://jabberd2.xiaoka.com/) and the comments in the sample .xml files
and it all worked fine after the usual sort of testing and debugging.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
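
The self-signed server certificate the reply refers to can be produced and checked as below. This is an added example, not part of the original message or of the jabberd2 project. Assumptions: the function names, the 2048-bit RSA key and the 365-day lifetime are illustrative, pemfile is taken to hold the certificate and its unencrypted private key in one file, and srv.jabber.com is the host name from the quoted client settings.

```shell
#!/bin/sh
# Added example: build and sanity-check a combined PEM for pemfile=.
# Function names, key size and lifetime are assumptions, not jabberd2 defaults.

# make_server_pem <output.pem> <common-name>
# Runs in a subshell so the tightened umask does not leak to the caller.
make_server_pem() (
    out=$1 cn=$2
    umask 077                        # private key must not be world-readable
    tmp=$(mktemp -d) || exit 1
    # Self-signed certificate plus an unencrypted key (-nodes), so the
    # daemon can start without someone typing a passphrase.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$cn" -keyout "$tmp/key.pem" -out "$tmp/cert.pem" \
        2>/dev/null || { rm -rf "$tmp"; exit 1; }
    # Certificate first, then the key, concatenated into one file.
    cat "$tmp/cert.pem" "$tmp/key.pem" > "$out" || { rm -rf "$tmp"; exit 1; }
    rm -rf "$tmp"
)

# check_server_pem <file.pem> <expected-cn>
# Returns 0 only if the file contains a certificate for that CN, the private
# key belonging to it, and at least 24 hours of remaining validity.
check_server_pem() {
    pem=$1 cn=$2
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 1
    # Same public key on both sides means the key matches the certificate.
    [ "$cert_pub" = "$key_pub" ] || return 1
    # The CN should be the name clients connect to, or they will warn.
    openssl x509 -in "$pem" -noout -subject 2>/dev/null \
        | grep -q "CN *= *$cn\$" || return 1
    openssl x509 -in "$pem" -noout -checkend 86400 >/dev/null 2>&1
}
```

Call `make_server_pem /usr/local/etc/jabberd/server.pem srv.jabber.com`, then `check_server_pem` with the same arguments, and make the file readable only by the account jabberd runs as. With a self-signed certificate there is no CA chain file to supply, as the reply notes.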