Date: Fri, 30 Mar 2012 08:57:53 +0100
From: Kaya Saman <kayasaman@gmail.com>
To: Matthew Seaman <matthew@freebsd.org>
Cc: freebsd-ports@freebsd.org
Subject: Re: jabberd port doesn't come with any certificates and is not allowing authorization?
Message-ID: <CAPj0R5%2B1Stoig0SkRfgZyipU-CkiFSUFmQ2p1Ls%2BEzDZFNF%2B-w@mail.gmail.com>
In-Reply-To: <4F74800E.6070503@FreeBSD.org>
References: <CAPj0R5%2B9%2BgNR1n8pL6qopGJcMZipZn=b=aR=sP_yY7VFo0q=ew@mail.gmail.com> <4F74800E.6070503@FreeBSD.org>

On Thu, Mar 29, 2012 at 4:30 PM, Matthew Seaman <matthew@freebsd.org> wrote:
> On 29/03/2012 15:45, Kaya Saman wrote:
>> I've recently built the jabberd port and upgraded to the latest version: 2.x
>
> Actually jabberd2 (net-im/jabberd) is a completely different
> project to jabberd14 (net-im/jabber) -- it's not "upgrading" so much as
> switching to a different piece of software.
>
> In any case, jabberd2 is the correct choice: it is being actively
> developed and is keeping abreast of the various XMPP extensions that are
> being published.

Ok so I'm on the right track then :-)

>
>> I'm having major problems in configuring it though and was wondering
>> if someone could either give me a hand or help me generate
>> certificates for it which are mentioned in the config file but not
>> within the /usr/local/etc/jabberd directory.
>>
>>
>> I'm experiencing this issue:
>>
>> Mar 29 16:33:48 JABBER jabberd/c2s[1498]: [8] [10.0.0.10, port=59032] connect
>> Mar 29 16:33:48 JABBER jabberd/c2s[1498]: [8] got pre STARTTLS packet, dropping
>> Mar 29 16:33:48 JABBER jabberd/c2s[1498]: [8] [10.0.0.10, port=59032]
>> disconnect jid=unbound, packets: 1
>
> Your client is attempting to switch its connection to using TLS.  This
> is good, especially if you are using a SASL method of LOGIN or PASSWORD
> -- otherwise it would send passwords across the net in plain text.

Hmm... so I guess pidgin doesn't do non-encrypted connections then?

I totally agree with using encryption however, I just want to learn
how to set up jabberd first in its most basic state before getting more
advanced.

>
>> This is my realm information:
>>
>>
>>     <id realm='jabber.com'
>>         pemfile='/usr/local/etc/jabberd/server.pem'
>>         verify-mode='0'
>>         cachain='/usr/local/etc/jabberd/client_ca_certs.pem'
>>         require-starttls='false'
>>         register-enable='true'
>>         instructions='Enter a username and password to register with
>> this server.'
>>         register-oob='http://srv.jabber.com/register'
>>         password-change='true'
>>     >jabber.com</id>
>>     <!-- or the default host
>>     <id password-change='mu' /> -->
>>
>>
>> jabber.com may publicly exist however, this is a trial done in Vbox
>> and totally offline just so I can understand the necessary mechanisms
>> involved as to learn how the jabberd server functions!
>
> You've got both 'register-enable' and 'register-oob' -- you probably
> don't want both of those, unless you do have an out-of-band method to
> create user accounts.

Actually to allow IM clients to register will be better, though later
on when I do a full implementation I will need to authenticate to
either PAM or AD.

>
> Presumably you have created the required server x509 certificate.  If
> you're doing it on the cheap, that means a self-signed certificate.  In
> which case there simply won't be a chain of CA certs to worry about.  I'd
> also recommend require-starttls='true'

I don't have an x509 cert, I discovered this though:

http://www.stanbarber.com/freebsd/creating-self-signed-ssl-certificates-on-freebsd-with-openssl

Is that what you mean or is the x509 different from the SSL self signed cert?

>
> Of course, there's a lot more to setting up jabberd than just this
> little section of one of the config files.

Means a lot more to learn....

>
>> I'm using Pidgin as the IM client who is configured like:
>>
>> Username: user
>> Domain: jabber.com
>> Password: <secret>
>> Local Alias: user_alias
>> Use encrypted connections if available         <<<---***
>> Allow plaintext auth over unencrypted streams  <<<---***
>> Connect server: srv.jabber.com
>
> Those two marked items are not a good idea.  If you're using login to
> authenticate the SASL libraries expect you to use TLS to secure the
> transaction, and the way of least resistance is to do so.

Once cert has been created I will adjust accordingly!

>
>> On the client I keep getting: "Policy Violation" error.
>>
>>
>> It's really weird but there seems to be a lack of documentation as I
>> managed to find the stuff for jabberd version 1.4, for version 2.x
>> I've followed some URLs:
>>
>> http://www.jms1.net/jabberd2/
>>
>> http://www.indiangnu.org/2009/how-to-configure-jabber-jabberd2-with-mysqlpam-as-auth-database/
>>
>> http://bionicraptor.co/2011/07/25/how-to-encrypt-jabberd2-communications/
>>
>> http://bionicraptor.co/2011/05/20/how-to-install-and-configure-japperd2-with-mysql/
>>
>>
>> But still nothing is working, I believe it's to do with the security
>> as in using encrypted or unencrypted connections but I can't be
>> certain... there doesn't seem to be any mysql DB creation script
>> either that I could find??
>
> Look in /usr/local/share/doc/jabberd
>
> I originally implemented jabberd2 using a MySQL database, but have
> switched to PostgreSQL.  Which RDBMS you use won't make a whole lot of
> difference unless your traffic levels grow to pretty enormous levels.
> In fact, for a lightly used system, sqlite would be a reasonable choice.
>
>> Is there a fix or am I stuck??
>
> Well, I have jabberd2 up and running quite happily.  I don't remember
> setting it up as being particularly traumatic.  I just read the docco,
> followed the install guide here:
> https://github.com/Jabberd2/jabberd2/wiki/InstallGuide  (which is linked
> to from the jabberd2 home page at http://jabberd2.xiaoka.com/) and the
> comments in the sample .xml files and it all worked fine after the usual
> sort of testing and debugging.

Ok will check it out....... and hopefully understand more on jabberd
rather than going blind :-)

>
>        Cheers,
>
>        Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.
> PGP: http://www.infracaninophile.co.uk/pgpkey
>
>

Regards,

Kaya
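
Added example, not part of either message above: a self-signed SSL certificate is an X.509 certificate, and the shell functions below create one with `openssl req -x509`, write the combined file that the realm's `pemfile` attribute points at, and check that the certificate and key in it belong together. Assumptions not taken from the thread: the function names, RSA 2048, the validity period, and that `pemfile` holds the certificate followed by its unencrypted private key.

```shell
#!/bin/sh
# Added example (not from the thread). Function names, key size and validity
# are assumptions; so is the pemfile layout: certificate, then private key.

make_jabberd_pem() {
    realm=$1        # should match the <id> realm, e.g. jabber.com
    pemfile=$2      # e.g. /usr/local/etc/jabberd/server.pem
    days=${3:-365}
    workdir=$(mktemp -d) || return 1

    # -x509 makes "req" emit a self-signed certificate instead of a CSR.
    # -nodes leaves the key unencrypted so the daemon can start unattended,
    # which is why the file permissions below matter.
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=$realm" \
        -keyout "$workdir/key.pem" -out "$workdir/cert.pem" 2>/dev/null \
        || { rm -rf "$workdir"; return 1; }

    # umask 077 creates the target owner-only before the key is written.
    ( umask 077 && cat "$workdir/cert.pem" "$workdir/key.pem" > "$pemfile" )
    rc=$?
    rm -rf "$workdir"
    return $rc
}

# Succeeds only if the certificate and the private key in the file are a
# pair: both are reduced to their public key and compared.
pem_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

After writing the file to its real location, change its owner to the account the jabberd processes run as, so the owner-only mode does not lock the server out of its own key.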