Added option to enable/disable server dialback/TLS. JM-429

git-svn-id: http://svn.igniterealtime.org/svn/repos/wildfire/trunk@3268 b35dd754-fafc-0310-a699-88a17e54d16e

Added option to enable/disable server dialback/TLS. JM-429
git-svn-id: http://svn.igniterealtime.org/svn/repos/wildfire/trunk@3268 b35dd754-fafc-0310-a699-88a17e54d16e
ef3be5bb · Gaston Dombiak · gato · 98a2196c · ef3be5bb · ef3be5bb
Commit ef3be5bb authored Jan 10, 2006 by Gaston Dombiak Committed by gato Jan 10, 2006
7 changed files
--- a/src/java/org/jivesoftware/wildfire/server/IncomingServerSession.java
+++ b/src/java/org/jivesoftware/wildfire/server/IncomingServerSession.java
@@ -18,6 +18,7 @@ import org.jivesoftware.wildfire.auth.UnauthorizedException;
 import org.jivesoftware.wildfire.net.SASLAuthentication;
 import org.jivesoftware.wildfire.net.SocketConnection;
 import org.jivesoftware.util.Log;
+import org.jivesoftware.util.JiveGlobals;
 import org.xmlpull.v1.XmlPullParser;
 import org.xmlpull.v1.XmlPullParserException;
 import org.xmpp.packet.Packet;
@@ -91,20 +92,27 @@ public class IncomingServerSession extends Session {
        XmlPullParser xpp = reader.getXPPParser();
        if (xpp.getNamespace("db") != null) {
            // Server is trying to establish connection and authenticate using server dialback
+            if (ServerDialback.isEnabled()) {
                ServerDialback method = new ServerDialback(connection, serverName);
                return method.createIncomingSession(reader);
            }
+            Log.debug("Server dialback is disabled. Rejecting connection: " + connection);
+        }
        String version = xpp.getAttributeValue("", "version");
        int[] serverVersion = version != null ? decodeVersion(version) : new int[] {0,0};
        if (serverVersion[0] >= 1) {
            // Remote server is XMPP 1.0 compliant so offer TLS and SASL to establish the connection
+            if (JiveGlobals.getBooleanProperty("xmpp.server.tls.enabled", true)) {
                try {
                    return createIncomingSession(connection, serverName);
                }
                catch (Exception e) {
                    Log.error("Error establishing connection from remote server", e);
                }
-
+            }
+            else {
+                Log.debug("Server TLS is disabled. Rejecting connection: " + connection);
+            }
        }
        // Close the connection since remote server is not XMPP 1.0 compliant and is not
        // using server dialback to establish and authenticate the connection
@@ -143,8 +151,10 @@ public class IncomingServerSession extends Session {
        StringBuilder sb = new StringBuilder();
        sb.append("<stream:features>");
        sb.append("<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\">");
-        // TODO Consider that STARTTLS may be optional (add TLS options to the AC - disabled, optional, required)
-        // sb.append("<required/>");
+        if (!ServerDialback.isEnabled()) {
+            // Server dialback is disabled so TLS is required
+            sb.append("<required/>");
+        }
        sb.append("</starttls>");
        // Include available SASL Mechanisms
        sb.append(SASLAuthentication.getSASLMechanisms(session));

--- a/src/java/org/jivesoftware/wildfire/server/OutgoingServerSession.java
+++ b/src/java/org/jivesoftware/wildfire/server/OutgoingServerSession.java
@@ -324,10 +324,13 @@ public class OutgoingServerSession extends Session {
                }
            }
        }
+        if (ServerDialback.isEnabled()) {
            Log.debug("OS - Going to try connecting using server dialback");
            // Use server dialback over a plain connection
            return new ServerDialback().createOutgoingSession(domain, hostname, port);
        }
+        return null;
+    }

    private static OutgoingServerSession secureAndAuthenticate(String hostname,
            SocketConnection connection, XMPPPacketReader reader, StringBuilder openingStream,

--- a/src/java/org/jivesoftware/wildfire/server/ServerDialback.java
+++ b/src/java/org/jivesoftware/wildfire/server/ServerDialback.java
@@ -22,6 +22,7 @@ import org.jivesoftware.wildfire.net.MXParser;
 import org.jivesoftware.wildfire.spi.BasicStreamIDFactory;
 import org.jivesoftware.util.Log;
 import org.jivesoftware.util.StringUtils;
+import org.jivesoftware.util.JiveGlobals;
 import org.xmlpull.v1.XmlPullParser;
 import org.xmlpull.v1.XmlPullParserException;
 import org.xmlpull.v1.XmlPullParserFactory;
@@ -79,6 +80,21 @@ class ServerDialback {
    private SessionManager sessionManager = SessionManager.getInstance();
    private RoutingTable routingTable = XMPPServer.getInstance().getRoutingTable();

+    /**
+     * Returns true if server dialback is enabled. When enabled remote servers may connect to this
+     * server using the server dialback method and this server may try the server dialback method
+     * to connect to remote servers.<p>
+     *
+     * When TLS is enabled between servers and server dialback method is enabled then TLS is going
+     * to be tried first, when connecting to a remote server, and if TLS fails then server dialback
+     * is going to be used as a last resort.
+     *
+     * @return true if server dialback is enabled.
+     */
+    public static boolean isEnabled() {
+        return JiveGlobals.getBooleanProperty("xmpp.server.dialback.enabled", true);
+    }
+
    /**
     * Creates a new instance that will be used for creating {@link IncomingServerSession},
     * validating subsequent domains or authenticatig new domains. Use

--- a/src/web/server-session-details.jsp
+++ b/src/web/server-session-details.jsp
@@ -110,12 +110,19 @@
    <div class="jive-table">
    <table cellpadding="3" cellspacing="1" border="0" width="100%">
    <tr>
-        <th width="35%"><fmt:message key="server.session.details.streamid" /></th>
+        <th width="35%" colspan="2"><fmt:message key="server.session.details.streamid" /></th>
        <th width="20%"><fmt:message key="server.session.label.creation" /></th>
        <th width="20%"><fmt:message key="server.session.label.last_active" /></th>
        <th width="25%" nowrap><fmt:message key="server.session.details.incoming_statistics" /></th>
    </tr>
    <tr>
+        <%  if (inSession.getConnection().isSecure()) { %>
+            <td width="1%">
+                <img src="images/lock.gif" width="16" height="16" border="0">
+            </td>
+         <% } else { %>
+            <td width="1%"><img src="images/blank.gif" width="1" height="1"></td>
+         <% } %>
        <%
            Date creationDate = inSession.getCreationDate();
            Date lastActiveDate = inSession.getLastActiveDate();
@@ -149,12 +156,19 @@
    <div class="jive-table">
    <table cellpadding="3" cellspacing="1" border="0" width="100%">
    <tr>
-        <th width="35%"><fmt:message key="server.session.details.streamid" /></th>
+        <th width="35%" colspan="2"><fmt:message key="server.session.details.streamid" /></th>
        <th width="20%"><fmt:message key="server.session.label.creation" /></th>
        <th width="20%"><fmt:message key="server.session.label.last_active" /></th>
        <th width="25%" nowrap><fmt:message key="server.session.details.outgoing_statistics" /></th>
    </tr>
    <tr>
+        <%  if (outSession.getConnection().isSecure()) { %>
+        <td width="1%">
+            <img src="images/lock.gif" width="16" height="16" border="0">
+        </td>
+         <% } else { %>
+        <td width="1%"><img src="images/blank.gif" width="1" height="1"></td>
+         <% } %>
        <%
            Date creationDate = outSession.getCreationDate();
            Date lastActiveDate = outSession.getLastActiveDate();

--- a/src/web/server-session-row.jspf
+++ b/src/web/server-session-row.jspf
@@ -19,6 +19,20 @@
  -     * 'count', an int representing the row number we're on.
 --%>

+<%  // Show the secured icon only if ALL sessions are secure
+    boolean isSecured = true;
+    // Check if all incoming sessions are secured
+    for (IncomingServerSession inSession : inSessions) {
+        if (!inSession.getConnection().isSecure()) {
+            isSecured = false;
+            break;
+        }
+    }
+    // Check if outgoing session is secured (only if incoming sessions are secured)
+    if (isSecured && outSession != null) {
+        isSecured = outSession.getConnection().isSecure();
+    }
+%>
 <tr class="jive-<%= (((count % 2) == 0) ? "even" : "odd") %>">
    <td width="1%" nowrap><%= count %></td>
    <td width="47%" nowrap>
@@ -38,6 +52,13 @@
            </tr>
        </table>
    </td>
+    <%  if (isSecured) { %>
+    <td width="1%">
+        <img src="images/lock.gif" width="16" height="16" border="0">
+    </td>
+     <% } else { %>
+    <td width="1%"><img src="images/blank.gif" width="1" height="1"></td>
+     <% } %>
    <% if (!inSessions.isEmpty() && outSession == null) { %>
        <td width="1%">
            <img src="images/incoming_32x16.gif" width="32" height="16" border="0" title="<fmt:message key="server.session.connection.incoming" />">

--- a/src/web/server-session-summary.jsp
+++ b/src/web/server-session-summary.jsp
@@ -146,7 +146,7 @@
    <tr>
        <th>&nbsp;</th>
        <th nowrap><fmt:message key="server.session.label.host" /></th>
-        <th nowrap colspan="2"><fmt:message key="server.session.label.connection" /></th>
+        <th nowrap colspan="3"><fmt:message key="server.session.label.connection" /></th>
        <th nowrap><fmt:message key="server.session.label.creation" /></th>
        <th nowrap><fmt:message key="server.session.label.last_active" /></th>
        <th nowrap><fmt:message key="server.session.label.close_connect" /></th>

--- a/src/web/ssl-settings.jsp
+++ b/src/web/ssl-settings.jsp
@@ -36,9 +36,14 @@

    boolean update = request.getParameter("update") != null;
    boolean success = ParamUtils.getBooleanParameter(request, "success");
+    // Client configuration parameters
    String clientSecurityRequired = ParamUtils.getParameter(request,"clientSecurityRequired");
    String ssl = ParamUtils.getParameter(request, "ssl");
    String tls = ParamUtils.getParameter(request, "tls");
+    // Server configuration parameters
+    String serverSecurityRequired = ParamUtils.getParameter(request,"serverSecurityRequired");
+    String dialback = ParamUtils.getParameter(request, "dialback");
+    String server_tls = ParamUtils.getParameter(request, "server_tls");

    KeyStore keyStore = SSLConfig.getKeyStore();
    KeyStore trustStore = SSLConfig.getTrustStore();
@@ -81,6 +86,47 @@
                ClientSession.setTLSPolicy(Connection.TLSPolicy.required);
            }
        }
+
+        if ("req".equals(serverSecurityRequired)) {
+            // User selected that security for s2s is required
+
+            // Enable TLS and disable server dialback
+            XMPPServer.getInstance().getConnectionManager().enableServerListener(true);
+            JiveGlobals.setProperty("xmpp.server.tls.enabled", "true");
+            JiveGlobals.setProperty("xmpp.server.dialback.enabled", "false");
+        }
+        else if ("notreq".equals(serverSecurityRequired)) {
+            // User selected that security for s2s is NOT required
+
+            // Enable TLS and enable server dialback
+            XMPPServer.getInstance().getConnectionManager().enableServerListener(true);
+            JiveGlobals.setProperty("xmpp.server.tls.enabled", "true");
+            JiveGlobals.setProperty("xmpp.server.dialback.enabled", "true");
+        }
+        else if ("custom".equals(serverSecurityRequired)) {
+            // User selected custom server authentication
+
+            boolean dialbackEnabled = "available".equals(dialback);
+            boolean tlsEnabled = "optional".equals(server_tls);
+
+            if (dialbackEnabled || tlsEnabled) {
+                XMPPServer.getInstance().getConnectionManager().enableServerListener(true);
+
+                // Enable or disable server dialback
+                JiveGlobals.setProperty("xmpp.server.dialback.enabled", dialbackEnabled ? "true" : "false");
+
+                // Enable or disable TLS for s2s connections
+                JiveGlobals.setProperty("xmpp.server.tls.enabled", tlsEnabled ? "true" : "false");
+            }
+            else {
+                XMPPServer.getInstance().getConnectionManager().enableServerListener(false);
+                // Disable server dialback
+                JiveGlobals.setProperty("xmpp.server.dialback.enabled", "false");
+
+                // Disable TLS for s2s connections
+                JiveGlobals.setProperty("xmpp.server.tls.enabled", "false");
+            }
+        }
        success = true;
    }

@@ -109,6 +155,26 @@
        tls = Connection.TLSPolicy.disabled.equals(ClientSession.getTLSPolicy()) ? "notavailable" : ClientSession.getTLSPolicy().toString();
    }

+    boolean tlsEnabled = JiveGlobals.getBooleanProperty("xmpp.server.tls.enabled", true);
+    boolean dialbackEnabled = JiveGlobals.getBooleanProperty("xmpp.server.dialback.enabled", true);
+    if (tlsEnabled) {
+        if (dialbackEnabled) {
+            serverSecurityRequired = "notreq";
+            dialback = "available";
+            server_tls = "optional";
+        }
+        else {
+            serverSecurityRequired = "req";
+            dialback = "notavailable";
+            server_tls = "optional";
+        }
+    }
+    else {
+        serverSecurityRequired = "custom";
+        dialback = dialbackEnabled ? "available" : "notavailable";
+        server_tls = "notavailable";
+    }
+
    if (install) {
        if (cert == null){
            errors.put("cert","");
@@ -293,7 +359,7 @@
 <fieldset>
    <legend><fmt:message key="ssl.settings.client.legend" /></legend>
    <div>
-    <table id="certificates" cellpadding="3" cellspacing="0" border="0" width="100%">
+    <table cellpadding="3" cellspacing="0" border="0" width="100%">
    <tbody>
        <tr valign="middle">
            <tr valign="middle">
@@ -373,6 +439,91 @@

 </form>

+<br>
+
+<form action="ssl-settings.jsp" method="post">
+
+<fieldset>
+    <legend><fmt:message key="ssl.settings.server.legend" /></legend>
+    <div>
+    <table cellpadding="3" cellspacing="0" border="0" width="100%">
+    <tbody>
+        <tr valign="middle">
+            <tr valign="middle">
+                <td width="1%" nowrap>
+                    <input type="radio" name="serverSecurityRequired" value="notreq" id="rb09" onclick="showOrHide('server_custom', 'hide')"
+                     <%= ("notreq".equals(serverSecurityRequired) ? "checked" : "") %>>
+                </td>
+                <td width="99%">
+                    <label for="rb09">
+                    <b><fmt:message key="ssl.settings.server.label_notrequired" /></b> - <fmt:message key="ssl.settings.server.label_notrequired_info" />
+                    </label>
+                </td>
+            </tr>
+            <tr valign="middle">
+                <td width="1%" nowrap>
+                    <input type="radio" name="serverSecurityRequired" value="req" id="rb10" onclick="showOrHide('server_custom', 'hide')"
+                 <%= ("req".equals(serverSecurityRequired) ? "checked" : "") %>>
+                </td>
+                <td width="99%">
+                    <label for="rb10">
+                    <b><fmt:message key="ssl.settings.server.label_required" /></b> - <fmt:message key="ssl.settings.server.label_required_info" />
+                    </label>
+                </td>
+            </tr>
+            <tr valign="middle">
+                <td width="1%" nowrap>
+                    <input type="radio" name="serverSecurityRequired" value="custom" id="rb11" onclick="showOrHide('server_custom', 'show')"
+                     <%= ("custom".equals(serverSecurityRequired) ? "checked" : "") %>>
+                </td>
+                <td width="99%">
+                    <label for="rb11">
+                    <b><fmt:message key="ssl.settings.server.label_custom" /></b> - <fmt:message key="ssl.settings.server.label_custom_info" />
+                    </label>
+                </td>
+            </tr>
+            <tr valign="top" id="server_custom" <% if (!"custom".equals(serverSecurityRequired)) out.write("style=\"display:none\""); %>>
+                <td width="1%" nowrap>
+                    &nbsp;
+                </td>
+                <td width="99%">
+                    <table cellpadding="3" cellspacing="0" border="0" width="100%">
+                    <tr valign="top">
+                        <td width="1%" nowrap>
+                            <fmt:message key="ssl.settings.server.dialback" />
+                        </td>
+                        <td width="99%">
+                            <input type="radio" name="dialback" value="notavailable" id="rb12" <%= ("notavailable".equals(dialback) ? "checked" : "") %>
+                                   onclick="this.form.serverSecurityRequired[2].checked=true;">&nbsp;<label for="rb12"><fmt:message key="ssl.settings.notavailable" /></label>&nbsp;&nbsp;
+                            <input type="radio" name="dialback" value="available" id="rb13" <%= ("available".equals(dialback) ? "checked" : "") %>
+                                   onclick="this.form.serverSecurityRequired[2].checked=true;">&nbsp;<label for="rb13"><fmt:message key="ssl.settings.available" /></label>
+                        </td>
+                    </tr>
+                    <tr valign="top">
+                        <td width="1%" nowrap>
+                            <fmt:message key="ssl.settings.server.customTLS" />
+                        </td>
+                        <td width="99%">
+                            <input type="radio" name="server_tls" value="notavailable" id="rb14" <%= ("notavailable".equals(server_tls) ? "checked" : "") %>
+                                   onclick="this.form.serverSecurityRequired[2].checked=true;">&nbsp;<label for="rb14"><fmt:message key="ssl.settings.notavailable" /></label>&nbsp;&nbsp;
+                            <input type="radio" name="server_tls" value="optional" id="rb15" <%= ("optional".equals(server_tls) ? "checked" : "") %>
+                                   onclick="this.form.serverSecurityRequired[2].checked=true;">&nbsp;<label for="rb15"><fmt:message key="ssl.settings.optional" /></label>&nbsp;&nbsp;
+                        </td>
+                    </tr>
+                    </table>
+                </td>
+            </tr>
+        </tr>
+    </tbody>
+    </table>
+    </div>
+</fieldset>
+<br>
+
+<input type="submit" name="update" value="<fmt:message key="global.save_settings" />">
+
+</form>
+
 <br><br>

 <p><b><fmt:message key="ssl.settings.certificate" /></b></p>