tuxad blog

Jabberd2 2.2.17 (also used by Apple's ChatServer) allows StartTLS to be configured as mandatory. A "required" StartTLS on the c2s component (client to server) is well documented and works fine. But for the s2s component you will just see a short notice on the configuration template. To enable it you must set "require_tls" in s2s.xml:

<security>
  <!-- Require TLS secured S2S connections -->
  <require_tls/>
</security>

But if you enable it you will maybe notice that it does not work. You can test and prove this malfunction with the IM Observatory.

To fix this bug and add the forgotten function you only need a small patch to s2s/in.c:

@@ -142,8 +142,12 @@
 
     flags = S2S_DB_HEADER;
 #ifdef HAVE_SSL
-    if(s2s->sx_ssl != NULL)
+    if(s2s->sx_ssl != NULL) {
         flags |= SX_SSL_STARTTLS_OFFER;
+        if (s2s->require_tls) {
+            flags |= SX_SSL_STARTTLS_REQUIRE;
+        }
+    }
 #endif
 #ifdef HAVE_LIBZ
     if(s2s->compression)

For RHEL / CentOS 5 there is an enhanced and already fixed jabberd RPM package (SRPM) in the tuxad repo available.

Update 2015-08-09: The package is included in the tuxad repo.

The new tuxad repo contains a most up-to-date version of the loudmouth XMPP/Jabber library.

The last "maintained" version of loudmouth is available at the mcabber github repository. Actually loudmouth is currently not officially maintained but fixes and new patches are provided by mcabber.

The tuxad loudmouth package (Devel- and Source-RPM) has an additional patch to enable TLSv1.1 and TLSv1.2 and disable SSLv3.

Update 2015-08-09: The package is included in the tuxad repo.

A new yum repository is available: The "tuxad" repo provides additional Packages for RHEL 5 / CentOS 5 on arch i386.

It contains packages with modern encryption (= OpenSSL Version >= 0.98), XMPP (jabber) server and client, updated RHEL packages, small alternative shells, monitoring software ngtx, DJB software and more:

• ash
• daemontools
• djbdns
• dovecot
• enchant
• enchant-aspell
• enchant-devel
• enchant-voikko
• fnord
• fuse-sshfs
• glib216
• glib216-devel
• heirloom-sh
• hunspell
• hunspell-devel
• jabberd
• libmalaga
• libvoikko
• libvoikko-devel
• loudmouth
• loudmouth-devel
• malaga
• malaga-devel
• malaga-suomi-voikko
• mcabber
• mcabber-devel
• mu-conference
• ngtx
• ngtx-monitoringfs
• openssl
• openssl1
• postfix
• python-libvoikko
• rman
• shish
• ucspi-tcp
• voikko-tools

The RPM package to activate and configure this repo is tuxad-release-5-1.noarch.rpm.

To install i.e. the enhanced version of the dovecot package you must disable your default RHEL/CentOS repository while installing, example:

# yum repolist
Loaded plugins: installonlyn, security
repo id    repo name                               status
Server     rhel5 - Server                          2.639
epel       Extra Packages for Enterprise Linux 5   6.161
tuxad      Extra Packages for Enterprise Linux 5   48
repolist: 8.848
# yum --disablerepo=Server install dovecot
Loaded plugins: installonlyn, security
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package dovecot.i386 0:1.0.7-8.el5_9.1.log set to be
--> Processing Dependency: libcrypto.so.10(libcrypto.so.10 
--> Processing Dependency: libssl.so.10 for package: dovec
--> Processing Dependency: libssl.so.10(libssl.so.10) for
--> Processing Dependency: libcrypto.so.10 for package: d
--> Running transaction check
---> Package openssl1.i686 0:1.0.1e-30.el5_9.4 set to be
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================
 Package    Arch   Version             Repository Size
=======================================================
Installing:
 dovecot    i386   1.0.7-8.el5_9.1.log tuxad      1.9 M
Installing for dependencies:
 openssl1   i686   1.0.1e-30.el5_9.4   tuxad      3.4 M

Transaction Summary
=======================================================
Install       2 Package(s)
Upgrade       0 Package(s)

Total download size: 5.3 M