[ejabberd] Dialback settings for ejabberd_s2s_in

Shaun Kruger shaun.kruger at gmail.com
Sun Oct 9 10:13:48 MSD 2011


I figured out how to get ejabberd_s2s_in to skip the validation step
of the dialback protocol.

Attached is a patch that adds a new configuration option to
ejabberd_s2s_in listeners.  If you add the atom
'dialback_verify_disable' it will always accept the dialback key that
is presented by the originating server without contacting the
authoritative server and exchanging verify stanzas.  The default
behavior with this patch is to require dialback verification as has
already been the default behavior of ejabberd.

I have determined that this patch allows me to communicate between
gmail.com and my ejabberd hosted domain through my proxy server
without any difficulty.

I do hope you will consider this patch for inclusion in ejabberd3 as
this change may make XMPP federation easier in some unique use cases.

Shaun

On Sat, Oct 8, 2011 at 12:08 PM, Shaun Kruger <shaun.kruger at gmail.com> wrote:
> I'm working with ejabberd and I have a proxy server terminating and
> routing my xmpp sessions.  The proxy is protocol aware, but I seem to
> be running into a problem verifying the connection.
>
> I am trying to talk to get s2s communication working between my chat
> server and the gmail.com xmpp domain.  I am able to connect just fine
> and send messages to my @gmail.com user.  However I can't get it to
> validate the other way.  I have already determined that it is because
> the stream id sent by the proxy server (ID_Proxy) is different than
> the stream id that is sent by ejabberd (ID_Ejabberd) when the proxy
> connects to ejabberd.  When ejabberd sends the <db:verify> stanza back
> to gmail.com it sets the id=ID_Ejabberd, but the verify fails because
> the stanza needs id=ID_Proxy in order for gmail.com to validate.
>
> I would send ID_Ejabberd along to the originating gmail.com server if
> it was known at the time.  When the originating server establishes a
> connection it opens a stream and I also open a stream which requires
> me to define ID_Proxy.  Once I have opened my proxy stream the
> originating server sends a <db:result> stanza which then informs the
> proxy which ejabberd domain it needs to connect to (this impacts which
> server is selected by the proxy).  The proxy opens a stream to
> ejabberd and ejabberd opens a stream back to the proxy which is the
> point where ID_Ejabberd is defined.
>
> Based on these observations I believe there are two options for me to
> get this proxy setup working.
>
> 1. Turn off dialback validation in ejabberd and do it on the proxy.
> This will require ejabberd to just trust the s2s connection without
> doing its own dialback.
>
> I am wondering if there is a configuration option that implements this
> behavior so that ejabberd always sends a <result type='valid'> in
> response to receiving a dialback key.
>
> 2. Tell ejabberd what the value of ID_Proxy is so that it can send
> that value with the <db:verify> stanza.  This option feels far more
> involved and may justify suggesting an XMPP protocol extension
> depending on what is determined to be the best/most secure way of
> telling ejabberd what the value of ID_Proxy is.
>
> I am far more excited about option 1 so my question is this:  Is there
> a configuration option for ejabberd_s2s_in to turn off dialback
> verification and just trust all <db:result> stanzas that come in?  If
> not, and I modify s2s_in to add this configuration option, would that
> be a patch that would be considered for ejabberd3?
>
> Shaun
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ejabberd_s2s_in.erl.patch
Type: text/x-patch
Size: 1944 bytes
Desc: not available
URL: <http://lists.jabber.ru/pipermail/ejabberd/attachments/20111009/219dac19/attachment.bin>


More information about the ejabberd mailing list