-
raj
Hi, I am trying to connect to my ejabberd localhost server from my XMPP client with the Smack lib, but it will not connect. Other client applications (e.g. Simple XMPP client) are getting connected after enabling TLS. My question is how to enable TLS in my XMPP client app. Please help to resolve the issue.
-
pep.
raj, it's not possible with normal CAs to get valid certificates for "localhost". You can either generate a self-signed certificate and place it in your store, or point a domain at your machine and generate a cert for that domain, or disable TLS
-
raj
May I know how to disable TLS in my localhost ejabberd server? Please help me.
-
raj
Thanks for your reply, pep. May I know how to disable TLS in my localhost ejabberd server? Please help me.
-
pep.
I don't use ejabberd sorry, wait a bit for someone else to see this :)
-
Kev
I expect the ejabberd documentation will likely have this.
-
jonas’
or the client configuration
-
jonas’
it’s probably easier to turn off TLS verification in the client than disabling TLS in the server and then convincing both the server and the client that doing PLAIN auth over non-TLS is a good idea
-
Alex
I am not that familiar with smack, but many other libs have callbacks for cert validation where you can also accept invalid certificates for development, or trust all untrusted certs by default
-
Ge0rG
raj: https://github.com/yaxim-org/yaxim/blob/master/src/org/yaxim/androidclient/service/SmackableImp.java#L260-L266
-
Ge0rG
Alex: just don't do *that*
-
raj
Thanks to all. This link is the whole client-server communication, is that correct?
-
Alex
Ge0rG: for dev purposes, of course not for production software
-
Ge0rG
Alex: those are the famous last words
-
Ge0rG
I've seen one too many apps in production with the AcceptAllTrustManager
-
flow
I would suggest to use TLS cert pinning instead of accepting all certificates for the reasons Ge0rG mentioned. For java (and smack) there is https://github.com/Flowdalic/java-pinning
-
flow
raj, in case you are using java client side ^
-
Ge0rG
as raj mentioned smack, I'd assume so
-
ralphm
Kev: the problem with (my modified) mod_block_strangers is that in MUCs you send presence to your occupant JID, but the MAM messages come from the room JID. AFAIK, I can not easily check if I have directed presence to the occupant JID when a MAM message comes in :-(
-
ralphm
Maybe MattJ or other Prosody devs have ideas.
-
Kev
I think the implication is that if you uncloak to a resource, you accept stanzas from bare/full* for that JID.
-
Kev
Or were you saying that the internal API means you can't tell this?
-
ralphm
I was saying that I believe that's the case. But might be wrong.
-
Kev
Ah, ok.
-
ralphm
The initial check looks like this: ```if to_user and not has_directed_presence(stanza.attr.to, from_jid) and not is_contact_subscribed(to_user, or stanza.name == "iq" and (stanza.attr.type == "result" or stanza.attr.type == "error") then | to_host, from_jid)```
-
ralphm
oops
-
ralphm
that's two windows.
-
ralphm
```if to_user and not has_directed_presence(stanza.attr.to, from_jid) and not is_contact_subscribed(to_user, to_host, from_jid) then```
-
Zash
ralphm: Your directed presence goes to the full JID but you wanna compare on bare JID because MUC MAM comes from that? https://modules.prosody.im/mod_track_muc_joins.html can help you keep track
-
ralphm
Zash: I tried this instead. Haven't tested it, yet, but what do you think? http://hg.ik.nu/ralphm/prosody-modules/rev/fe1476379d0a
-
ralphm
I think I basically compare all the directed presence on the bare JID instead of the potential full JID for MUCs. I noticed that there's a comment in mod_presence where directed presence is recorded: `FIXME does it make more sense to add to_bare rather than to?`.
-
Zash
Change looks fine
-
ralphm
Seems to work. I used Snikket to send a message to my normal JID. Didn't pass. Then accepted the presence request, and the next message succeeded.
-
ralphm
Also got MAM history from the prosody channel.