If you have already installed ejabberd with the 15.07 Windows installer but have post-installation issues, you’d better give the updated installer a try.
It is still ejabberd 15.07, so the installer name does not change, but the new package brings improved scripts.
With a few minor fixes, this installer now supports:
– Windows Server 2008 and higher
– Program Files on a drive other than C:
– A fix for a PATH issue in some edge cases
You can download it from the ejabberd download page.
While there has long been support in Openfire for early versions of XMPP over WebSocket (per Dele's fine original plugin, and also via OfMeet), the final specification (RFC 7395) had not yet been implemented ... until now! We have just released a new Openfire plugin that is compliant with the latest specs, extending the core BOSH component with a WebSocket upgrade capability where supported. Older browsers that do not support WebSocket may continue to use BOSH (HTTP long polling) as a fallback connection protocol.
The new Openfire WebSocket plugin has been tested using the Stanza.io library and is ready for immediate use. It is available for download via the Openfire plugins page or directly via the "Available Plugins" page within your local admin console. Feel free to leave feedback here in the comments or post questions to the Ignite Realtime Community site.
We have two small changes to our evaluation guide series to announce (with many more coming soon).
Our core XMPP Messaging Evaluation Guide, using our M-Link XMPP server and M-Vault LDAP directory, now includes a section on adding a Security Policy to your XMPP service. In this new section we show you how to add the policy to your service and clearances to your users. You can additionally apply label-based controls to multi-user chat, domains and peer services (all of which, and more, is covered in the M-Link Admin Guide).
The Security Policy we use in the evaluation guide is one of the demonstration policies we ship with M-Link but, if you want to create your own, you can now get started with the new SPIF Editor Evaluation Guide. A SPIF (Security Policy Information File) is a file representation of a Security Policy, in other words the definition of which labels are valid and how to check them against clearances. This new evaluation guide will show you how to create your own basic SPIF using the Isode SPIF editor tool.
This article was initially published in French, and it got some interest, so we started to translate the whole series into English. If you can read French, you can follow the whole series there: http://www.goffi.org/tag/parlons_xmpp
The translation to English was done thanks to: Poulet, Éfrit, Paco and mbarbarosa and Weyfonk. The whole series is under CC By-SA, and any help would be appreciated to help with the translation of next articles.
Monday evening we had a particularly nasty outage: JWT authentication was broken, preventing anyone from using our HTTP API to publish data. The reason we didn't catch this early on is because our manual test scripts turned out to be broken (reporting auth success when auth had failed.. yeesh!), and there was no authentication coverage in our external monitoring to fall back on.
In a perfect world, our external monitoring would test authentication. I'm happy to report that we are now doing this with Runscope! Getting this to work right was a little tricky since we use JWT, but it was made possible thanks to Runscope's scripting feature.
This month’s ejabberd release contains many fixes and a few improvements. This is a consolidation release that helps us pave the way to exciting new features coming at the end of the summer.
Since we released our Message Archive Management support in ejabberd 15.06, we have been impressed by how quickly our users adopted this feature. It helps us make the implementation more robust and more complete, thanks to your feedback. This release thus improves ejabberd mod_mam.
We have also been very happy with the feedback received on our brand new installer for Windows, and for the .deb and .rpm packages. They are still beta, but thanks to your feedback, we could improve them tremendously. So, keep the feedback coming!
And of course, all this work on installers helps us improve our tool to deploy and build ejabberd contributed modules. Contributed modules can now include their own configuration snippets, which are dynamically loaded by ejabberd.
Overall, this version should be easier and even more enjoyable to run and we all hope you will like the progress.
Changes
Message Archive Management (XEP-0313)
Both the RPM and DEB packages now use the improved post-install script, which creates the ejabberd user when installing as root. This lets ejabberd run as that user without any manual setup.
Windows installer now uses %USERPROFILE% to get path of user writable directory. We made numerous other fixes to that version, thanks to your feedback.
As usual, the release is tagged in the Git source code repository on GitHub.
The source package and binary installers are available at ProcessOne.
If you suspect that you’ve found a bug, please search for an existing report or file a new bug report on GitHub.
VCard stores the information of a User which is retrieved at the time when the roster is received. And Implement Read for Sensor Devices.
Work
Suffer no more!
Enter the world of cocoapod: you are just 2 words away from your next iOS chat client.
See more and download example here
We are proud to be launching the Advanced Erlang Initiative, a new group of companies that use Erlang as a strategic technology to craft great products. Erlang ecosystems rely on those publishers that are producing person-years' worth of code to build excellent products.
The Advanced Erlang Initiative recognises that those products in turn contribute to the fame of the Erlang platform. They help push the limits and contribute to the fame of our beloved programming language. Most of all, the Advanced Erlang Initiative acknowledges people's energy and effort put into those great products for the good of every Erlang developer. We have created a forum for developers working with and contributing to those tools to meet and discuss their work.
The Advanced Erlang Initiative welcomes all developers that share our passion for Erlang, Elixir, the beam environment and our vision of technical excellence.
Our initiative is primarily centered around inexpensive highly technical workshops given around the world and educational videos on our Erlang products.
The first two members are:
We are happy to meet you on the newly launched website Advanced-Erlang
We are already taking registration for the first two workshops:
More to come soon!
Enjoy and see you there after the summer break!
We have just released the second Swift 3.0 beta. Apart from several bugfixes, highlights include an emoticons menu in chat dialogs, bookmarks for rooms that can now be edited directly from the ‘Recent Chats’ list, and rooms entered while offline now being entered on reconnect.
Have a look at the changelog for a list of all the new features since 2.0.
We encourage everyone to get the new build and try it out, and tell us about any bugs they should come across.
Implementation of Mobile Application (Login, Roster and Presence).
Work
It was some work, but finally we reached a state where DNSSEC in minidns is fully usable*.
What happened?
Summarizing everything done as part of the Google Summer of Code so far gives us a pretty long list of features:
Testing. Yes, that’s a main thing to do. As announced in this blog's first post, we want our DNSSEC implementation to be fully tested. Until now our test coverage is still less than 60%.
Another feature that is missing in the current implementation of minidns-dnssec is verification of signatures made using DSA or ECDSA keys. Currently this is done by a small number of DNSSEC systems and the feature is marked as optional; nonetheless, it is an interesting feature.
Google Summer of Code still has a month to go, so I am certain these problems can be tackled in time and we can see DNSSEC used in smack and OpenKeychain until then.
With great help from Florian, my mentor, and some research, I was able to get the XMPPLLConnection and XMPPLLConfiguration to work together. So a user can now create an XMPPLLConfiguration that takes some basic information about the presence, and it can be passed to the XMPPLLConnection’s constructor to establish a new link-local connection.
The user can then call XMPPLLConnection#announcePresence() to broadcast the presence info on the network so that other clients listening to it can get it.
Here is a small demo of what is currently happening. Youtube – Announce Presence Test
What am I planning next?
Add sockets to the XMPPLLConnection and start listening for connections on them. As I am new to socket programming, I have been given a small task by my mentor to learn the basics of socket programming, which I have completed, and I am now waiting for his review. I am also looking into the java.nio package tutorials online.
Got JmDNS working in the code and tested it with Gajim on an Ubuntu VM. Written and tested POC implementations for announcing presence, discovering presences and concealing presences on the link-local network.
Currently working on the implementation of the XMPPLLConnection and XMPPLLConnectionConfiguration to enable developers to use this API in Smack to initiate Link-Local connections.
By default, ejabberd is secure and resistant to Logjam attacks. However, ejabberd 15.06 adds improvements that make ejabberd even more resistant to future attacks.
We hope you will find valuable information there, even from a general XMPP security standpoint.
What is the Logjam security issue?
In May 2015, a team of researchers (Henninger et al.) published a paper explaining two possible weaknesses in client/server communication encryption (“Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice”).
The paper covers two issues the team uncovered:
The TLS protocol vulnerability allows a man-in-the-middle attacker to downgrade security to 512-bit DHE_EXPORT keys. The attacker must be on the same network and have access to network routing to perform the attack. These conditions are difficult to reproduce, except, for example, on public Wi-Fi or mobile connections.
However, the ejabberd default configuration forbids a set of weak ciphers. The default configuration in ejabberd bans weak export ciphers and a few others: "DEFAULT:!EXPORT:!LOW:!RC4:!SSLv2"
This means that using ejabberd with the default settings is safe.
If you are using a custom cipher list in your ejabberd configuration, please make sure you do not explicitly allow EXPORT ciphers in your configuration file.
Attack on small Diffie-Hellman groups
The researchers have shown that small 512-bit or 1024-bit Diffie-Hellman prime groups are vulnerable to attack under the following circumstances: many servers come preconfigured with a 512-bit or 1024-bit prime group. Precomputing an attack against very common small groups means that someone with access to the network could eavesdrop on connections. Even though precomputing an attack on a single 1024-bit prime is extremely expensive, it is recommended, to be on the safe side (and future-proof), to generate your own DH parameters.
At the moment, as ejabberd does not allow ‘export’ ciphers by default, you are still safe. However, we recommend in our best practices that you set your own DH parameters, as allowed in ejabberd Community Edition 15.06.
Using your own Diffie-Hellman parameters with ejabberd
To generate your own DH parameters, you can generate a .pem file with:

    openssl dhparam -out dhparams.pem 2048

Then, simply tell ejabberd to use your own 2048-bit prime DH group by adding the following entries in your listener configuration file and global parameters for outgoing s2s connections:

    listen:
      - port: 5222
        module: ejabberd_c2s
        access: c2s
        shaper: c2s_shaper
        starttls: true
        certfile: "/etc/ejabberd/server.pem"
        dhfile: "/etc/ejabberd/dhparams.pem"
        max_stanza_size: 65536
      - port: 5223
        module: ejabberd_c2s
        access: c2s
        shaper: c2s_shaper
        tls: true
        max_stanza_size: 65536
      - port: 5269
        ip: "::"
        module: ejabberd_s2s_in
        shaper: s2s_shaper
        max_stanza_size: 131072

    # For s2s connection, you need a global parameter:
    s2s_certfile: "/etc/ejabberd/server.pem"
    s2s_dhfile: "/etc/ejabberd/dhparams.pem"

Conclusion
The ejabberd team always works hard to make ejabberd highly secure and to follow state-of-the-art practices in terms of security. As security is highly dependent on the computing power available at any given time, we do our best to anticipate, to make sure you will stay on the safe side for the years to come.
However, there is no emergency in implementing our recommendations. These are best practices that you should look at implementing as your time allows.
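As an added example (not ProcessOne's code), the following Python script audits an ejabberd.yml against the two recommendations in the Logjam post: no cipher list that explicitly allows EXPORT suites, and a dhfile for every TLS listener plus s2s_dhfile. It assumes the cipher list is set with the `ciphers` listener option, which the post does not name; the line-based parser and the sample configuration are constructed for the illustration.

```python
import re

KV = re.compile(r'^(\s*)(-\s+)?(\w+):\s*"?([^"#]*?)"?\s*(?:#.*)?$')  # "key: value"

def enables_export(cipher_string):
    """True if an OpenSSL cipher string explicitly adds EXPORT suites."""
    tokens = [t for t in re.split(r"[:, ]+", cipher_string) if t]
    if any(t.upper() in ("!EXP", "!EXPORT") for t in tokens):
        return False  # "!" deletes the suites permanently, whatever the order
    return any(p.upper().startswith("EXP") for t in tokens
               if t[0] not in "!-+" for p in t.split("+"))

def parse(config_text):
    """Return (top-level options, listener dicts) from a simple ejabberd.yml."""
    top, listeners, in_listen = {}, [], False
    for m in filter(None, map(KV.match, config_text.splitlines())):
        indent, dash, key, value = m.groups()
        if not indent and not dash:        # unindented key: top-level option
            in_listen = key == "listen"
            top[key] = value
        elif in_listen:
            if dash or not listeners:      # "- " starts a new listener entry
                listeners.append({})
            listeners[-1][key] = value
    return top, listeners

def audit(config_text):
    """List findings against the advice: no EXPORT ciphers, own DH parameters."""
    top, listeners = parse(config_text)
    findings = []
    for lst in listeners:
        if "true" in (lst.get("starttls"), lst.get("tls")) and not lst.get("dhfile"):
            findings.append(f"port {lst.get('port')}: TLS enabled without dhfile")
        if enables_export(lst.get("ciphers", "")):  # "ciphers": assumed option name
            findings.append(f"port {lst.get('port')}: ciphers explicitly allow EXPORT")
    if not top.get("s2s_dhfile"):
        findings.append("s2s_dhfile is not set")
    return findings

# Constructed sample configuration (not a real deployment).
SAMPLE = """
listen:
  - port: 5222
    starttls: true
    dhfile: "/etc/ejabberd/dhparams.pem"
  - port: 5223
    tls: true
    ciphers: "DEFAULT:EXPORT:!RC4"
"""
print("\n".join(audit(SAMPLE)))
```

The default list quoted in the post, "DEFAULT:!EXPORT:!LOW:!RC4:!SSLv2", passes the cipher check because OpenSSL treats a `!` entry as a permanent removal.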