Commit ef3be5bb authored by Gaston Dombiak's avatar Gaston Dombiak Committed by gato

Added option to enable/disable server dialback/TLS. JM-429

git-svn-id: http://svn.igniterealtime.org/svn/repos/wildfire/trunk@3268 b35dd754-fafc-0310-a699-88a17e54d16e
parent 98a2196c
......@@ -18,6 +18,7 @@ import org.jivesoftware.wildfire.auth.UnauthorizedException;
import org.jivesoftware.wildfire.net.SASLAuthentication;
import org.jivesoftware.wildfire.net.SocketConnection;
import org.jivesoftware.util.Log;
import org.jivesoftware.util.JiveGlobals;
import org.xmlpull.v1.XmlPullParser;
import org.xmlpull.v1.XmlPullParserException;
import org.xmpp.packet.Packet;
......@@ -91,20 +92,27 @@ public class IncomingServerSession extends Session {
XmlPullParser xpp = reader.getXPPParser();
if (xpp.getNamespace("db") != null) {
// Server is trying to establish connection and authenticate using server dialback
ServerDialback method = new ServerDialback(connection, serverName);
return method.createIncomingSession(reader);
if (ServerDialback.isEnabled()) {
ServerDialback method = new ServerDialback(connection, serverName);
return method.createIncomingSession(reader);
}
Log.debug("Server dialback is disabled. Rejecting connection: " + connection);
}
String version = xpp.getAttributeValue("", "version");
int[] serverVersion = version != null ? decodeVersion(version) : new int[] {0,0};
if (serverVersion[0] >= 1) {
// Remote server is XMPP 1.0 compliant so offer TLS and SASL to establish the connection
try {
return createIncomingSession(connection, serverName);
if (JiveGlobals.getBooleanProperty("xmpp.server.tls.enabled", true)) {
try {
return createIncomingSession(connection, serverName);
}
catch (Exception e) {
Log.error("Error establishing connection from remote server", e);
}
}
catch (Exception e) {
Log.error("Error establishing connection from remote server", e);
else {
Log.debug("Server TLS is disabled. Rejecting connection: " + connection);
}
}
// Close the connection since remote server is not XMPP 1.0 compliant and is not
// using server dialback to establish and authenticate the connection
......@@ -143,8 +151,10 @@ public class IncomingServerSession extends Session {
StringBuilder sb = new StringBuilder();
sb.append("<stream:features>");
sb.append("<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\">");
// TODO Consider that STARTTLS may be optional (add TLS options to the AC - disabled, optional, required)
// sb.append("<required/>");
if (!ServerDialback.isEnabled()) {
// Server dialback is disabled so TLS is required
sb.append("<required/>");
}
sb.append("</starttls>");
// Include available SASL Mechanisms
sb.append(SASLAuthentication.getSASLMechanisms(session));
......
......@@ -324,9 +324,12 @@ public class OutgoingServerSession extends Session {
}
}
}
Log.debug("OS - Going to try connecting using server dialback");
// Use server dialback over a plain connection
return new ServerDialback().createOutgoingSession(domain, hostname, port);
if (ServerDialback.isEnabled()) {
Log.debug("OS - Going to try connecting using server dialback");
// Use server dialback over a plain connection
return new ServerDialback().createOutgoingSession(domain, hostname, port);
}
return null;
}
private static OutgoingServerSession secureAndAuthenticate(String hostname,
......
......@@ -22,6 +22,7 @@ import org.jivesoftware.wildfire.net.MXParser;
import org.jivesoftware.wildfire.spi.BasicStreamIDFactory;
import org.jivesoftware.util.Log;
import org.jivesoftware.util.StringUtils;
import org.jivesoftware.util.JiveGlobals;
import org.xmlpull.v1.XmlPullParser;
import org.xmlpull.v1.XmlPullParserException;
import org.xmlpull.v1.XmlPullParserFactory;
......@@ -79,6 +80,21 @@ class ServerDialback {
private SessionManager sessionManager = SessionManager.getInstance();
private RoutingTable routingTable = XMPPServer.getInstance().getRoutingTable();
/**
* Returns true if server dialback is enabled. When enabled remote servers may connect to this
* server using the server dialback method and this server may try the server dialback method
* to connect to remote servers.<p>
*
* When TLS is enabled between servers and server dialback method is enabled then TLS is going
* to be tried first, when connecting to a remote server, and if TLS fails then server dialback
* is going to be used as a last resort.
*
* @return true if server dialback is enabled.
*/
public static boolean isEnabled() {
return JiveGlobals.getBooleanProperty("xmpp.server.dialback.enabled", true);
}
/**
* Creates a new instance that will be used for creating {@link IncomingServerSession},
* validating subsequent domains or authenticatig new domains. Use
......
......@@ -110,12 +110,19 @@
<div class="jive-table">
<table cellpadding="3" cellspacing="1" border="0" width="100%">
<tr>
<th width="35%"><fmt:message key="server.session.details.streamid" /></th>
<th width="35%" colspan="2"><fmt:message key="server.session.details.streamid" /></th>
<th width="20%"><fmt:message key="server.session.label.creation" /></th>
<th width="20%"><fmt:message key="server.session.label.last_active" /></th>
<th width="25%" nowrap><fmt:message key="server.session.details.incoming_statistics" /></th>
</tr>
<tr>
<% if (inSession.getConnection().isSecure()) { %>
<td width="1%">
<img src="images/lock.gif" width="16" height="16" border="0">
</td>
<% } else { %>
<td width="1%"><img src="images/blank.gif" width="1" height="1"></td>
<% } %>
<%
Date creationDate = inSession.getCreationDate();
Date lastActiveDate = inSession.getLastActiveDate();
......@@ -149,12 +156,19 @@
<div class="jive-table">
<table cellpadding="3" cellspacing="1" border="0" width="100%">
<tr>
<th width="35%"><fmt:message key="server.session.details.streamid" /></th>
<th width="35%" colspan="2"><fmt:message key="server.session.details.streamid" /></th>
<th width="20%"><fmt:message key="server.session.label.creation" /></th>
<th width="20%"><fmt:message key="server.session.label.last_active" /></th>
<th width="25%" nowrap><fmt:message key="server.session.details.outgoing_statistics" /></th>
</tr>
<tr>
<% if (outSession.getConnection().isSecure()) { %>
<td width="1%">
<img src="images/lock.gif" width="16" height="16" border="0">
</td>
<% } else { %>
<td width="1%"><img src="images/blank.gif" width="1" height="1"></td>
<% } %>
<%
Date creationDate = outSession.getCreationDate();
Date lastActiveDate = outSession.getLastActiveDate();
......
......@@ -19,6 +19,20 @@
- * 'count', an int representing the row number we're on.
--%>
<% // Show the secured icon only if ALL sessions are secure
boolean isSecured = true;
// Check if all incoming sessions are secured
for (IncomingServerSession inSession : inSessions) {
if (!inSession.getConnection().isSecure()) {
isSecured = false;
break;
}
}
// Check if outgoing session is secured (only if incoming sessions are secured)
if (isSecured && outSession != null) {
isSecured = outSession.getConnection().isSecure();
}
%>
<tr class="jive-<%= (((count % 2) == 0) ? "even" : "odd") %>">
<td width="1%" nowrap><%= count %></td>
<td width="47%" nowrap>
......@@ -38,6 +52,13 @@
</tr>
</table>
</td>
<% if (isSecured) { %>
<td width="1%">
<img src="images/lock.gif" width="16" height="16" border="0">
</td>
<% } else { %>
<td width="1%"><img src="images/blank.gif" width="1" height="1"></td>
<% } %>
<% if (!inSessions.isEmpty() && outSession == null) { %>
<td width="1%">
<img src="images/incoming_32x16.gif" width="32" height="16" border="0" title="<fmt:message key="server.session.connection.incoming" />">
......
......@@ -146,7 +146,7 @@
<tr>
<th>&nbsp;</th>
<th nowrap><fmt:message key="server.session.label.host" /></th>
<th nowrap colspan="2"><fmt:message key="server.session.label.connection" /></th>
<th nowrap colspan="3"><fmt:message key="server.session.label.connection" /></th>
<th nowrap><fmt:message key="server.session.label.creation" /></th>
<th nowrap><fmt:message key="server.session.label.last_active" /></th>
<th nowrap><fmt:message key="server.session.label.close_connect" /></th>
......
......@@ -36,9 +36,14 @@
boolean update = request.getParameter("update") != null;
boolean success = ParamUtils.getBooleanParameter(request, "success");
// Client configuration parameters
String clientSecurityRequired = ParamUtils.getParameter(request,"clientSecurityRequired");
String ssl = ParamUtils.getParameter(request, "ssl");
String tls = ParamUtils.getParameter(request, "tls");
// Server configuration parameters
String serverSecurityRequired = ParamUtils.getParameter(request,"serverSecurityRequired");
String dialback = ParamUtils.getParameter(request, "dialback");
String server_tls = ParamUtils.getParameter(request, "server_tls");
KeyStore keyStore = SSLConfig.getKeyStore();
KeyStore trustStore = SSLConfig.getTrustStore();
......@@ -81,6 +86,47 @@
ClientSession.setTLSPolicy(Connection.TLSPolicy.required);
}
}
if ("req".equals(serverSecurityRequired)) {
// User selected that security for s2s is required
// Enable TLS and disable server dialback
XMPPServer.getInstance().getConnectionManager().enableServerListener(true);
JiveGlobals.setProperty("xmpp.server.tls.enabled", "true");
JiveGlobals.setProperty("xmpp.server.dialback.enabled", "false");
}
else if ("notreq".equals(serverSecurityRequired)) {
// User selected that security for s2s is NOT required
// Enable TLS and enable server dialback
XMPPServer.getInstance().getConnectionManager().enableServerListener(true);
JiveGlobals.setProperty("xmpp.server.tls.enabled", "true");
JiveGlobals.setProperty("xmpp.server.dialback.enabled", "true");
}
else if ("custom".equals(serverSecurityRequired)) {
// User selected custom server authentication
boolean dialbackEnabled = "available".equals(dialback);
boolean tlsEnabled = "optional".equals(server_tls);
if (dialbackEnabled || tlsEnabled) {
XMPPServer.getInstance().getConnectionManager().enableServerListener(true);
// Enable or disable server dialback
JiveGlobals.setProperty("xmpp.server.dialback.enabled", dialbackEnabled ? "true" : "false");
// Enable or disable TLS for s2s connections
JiveGlobals.setProperty("xmpp.server.tls.enabled", tlsEnabled ? "true" : "false");
}
else {
XMPPServer.getInstance().getConnectionManager().enableServerListener(false);
// Disable server dialback
JiveGlobals.setProperty("xmpp.server.dialback.enabled", "false");
// Disable TLS for s2s connections
JiveGlobals.setProperty("xmpp.server.tls.enabled", "false");
}
}
success = true;
}
......@@ -109,6 +155,26 @@
tls = Connection.TLSPolicy.disabled.equals(ClientSession.getTLSPolicy()) ? "notavailable" : ClientSession.getTLSPolicy().toString();
}
boolean tlsEnabled = JiveGlobals.getBooleanProperty("xmpp.server.tls.enabled", true);
boolean dialbackEnabled = JiveGlobals.getBooleanProperty("xmpp.server.dialback.enabled", true);
if (tlsEnabled) {
if (dialbackEnabled) {
serverSecurityRequired = "notreq";
dialback = "available";
server_tls = "optional";
}
else {
serverSecurityRequired = "req";
dialback = "notavailable";
server_tls = "optional";
}
}
else {
serverSecurityRequired = "custom";
dialback = dialbackEnabled ? "available" : "notavailable";
server_tls = "notavailable";
}
if (install) {
if (cert == null){
errors.put("cert","");
......@@ -293,7 +359,7 @@
<fieldset>
<legend><fmt:message key="ssl.settings.client.legend" /></legend>
<div>
<table id="certificates" cellpadding="3" cellspacing="0" border="0" width="100%">
<table cellpadding="3" cellspacing="0" border="0" width="100%">
<tbody>
<tr valign="middle">
<tr valign="middle">
......@@ -373,6 +439,91 @@
</form>
<br>
<form action="ssl-settings.jsp" method="post">
<fieldset>
<legend><fmt:message key="ssl.settings.server.legend" /></legend>
<div>
<table cellpadding="3" cellspacing="0" border="0" width="100%">
<tbody>
<tr valign="middle">
<tr valign="middle">
<td width="1%" nowrap>
<input type="radio" name="serverSecurityRequired" value="notreq" id="rb09" onclick="showOrHide('server_custom', 'hide')"
<%= ("notreq".equals(serverSecurityRequired) ? "checked" : "") %>>
</td>
<td width="99%">
<label for="rb09">
<b><fmt:message key="ssl.settings.server.label_notrequired" /></b> - <fmt:message key="ssl.settings.server.label_notrequired_info" />
</label>
</td>
</tr>
<tr valign="middle">
<td width="1%" nowrap>
<input type="radio" name="serverSecurityRequired" value="req" id="rb10" onclick="showOrHide('server_custom', 'hide')"
<%= ("req".equals(serverSecurityRequired) ? "checked" : "") %>>
</td>
<td width="99%">
<label for="rb10">
<b><fmt:message key="ssl.settings.server.label_required" /></b> - <fmt:message key="ssl.settings.server.label_required_info" />
</label>
</td>
</tr>
<tr valign="middle">
<td width="1%" nowrap>
<input type="radio" name="serverSecurityRequired" value="custom" id="rb11" onclick="showOrHide('server_custom', 'show')"
<%= ("custom".equals(serverSecurityRequired) ? "checked" : "") %>>
</td>
<td width="99%">
<label for="rb11">
<b><fmt:message key="ssl.settings.server.label_custom" /></b> - <fmt:message key="ssl.settings.server.label_custom_info" />
</label>
</td>
</tr>
<tr valign="top" id="server_custom" <% if (!"custom".equals(serverSecurityRequired)) out.write("style=\"display:none\""); %>>
<td width="1%" nowrap>
&nbsp;
</td>
<td width="99%">
<table cellpadding="3" cellspacing="0" border="0" width="100%">
<tr valign="top">
<td width="1%" nowrap>
<fmt:message key="ssl.settings.server.dialback" />
</td>
<td width="99%">
<input type="radio" name="dialback" value="notavailable" id="rb12" <%= ("notavailable".equals(dialback) ? "checked" : "") %>
onclick="this.form.serverSecurityRequired[2].checked=true;">&nbsp;<label for="rb12"><fmt:message key="ssl.settings.notavailable" /></label>&nbsp;&nbsp;
<input type="radio" name="dialback" value="available" id="rb13" <%= ("available".equals(dialback) ? "checked" : "") %>
onclick="this.form.serverSecurityRequired[2].checked=true;">&nbsp;<label for="rb13"><fmt:message key="ssl.settings.available" /></label>
</td>
</tr>
<tr valign="top">
<td width="1%" nowrap>
<fmt:message key="ssl.settings.server.customTLS" />
</td>
<td width="99%">
<input type="radio" name="server_tls" value="notavailable" id="rb14" <%= ("notavailable".equals(server_tls) ? "checked" : "") %>
onclick="this.form.serverSecurityRequired[2].checked=true;">&nbsp;<label for="rb14"><fmt:message key="ssl.settings.notavailable" /></label>&nbsp;&nbsp;
<input type="radio" name="server_tls" value="optional" id="rb15" <%= ("optional".equals(server_tls) ? "checked" : "") %>
onclick="this.form.serverSecurityRequired[2].checked=true;">&nbsp;<label for="rb15"><fmt:message key="ssl.settings.optional" /></label>&nbsp;&nbsp;
</td>
</tr>
</table>
</td>
</tr>
</tr>
</tbody>
</table>
</div>
</fieldset>
<br>
<input type="submit" name="update" value="<fmt:message key="global.save_settings" />">
</form>
<br><br>
<p><b><fmt:message key="ssl.settings.certificate" /></b></p>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment