Greetings-
I have installed ejabberd 1.1.4 on a Red Hat Enterprise Linux 5 x64 server using the Linux .bin file. I have been successful in configuring ejabberd in every way except using the TSL connection at all. I have been able to connect via SSL on port 5222 and 5223 with Linux and Windows versions of Pidgin. If I configure port 5222 (or any other port for that matter) like so...
{5222, ejabberd_c2s, [{access, c2s}, {shaper, c2s_shaper}, tls, {certfile, "/opt/ejabberd-1.1.4/conf/server.pem"}]}
...my clients cannot connect no matter what I try on them. I have noticed that the sasl.log shows the following...
=PROGRESS REPORT==== 8-Nov-2007::15:44:13 ===
application: ejabberd
started_at: ejabberd@localhost
=CRASH REPORT==== 8-Nov-2007::15:44:33 ===
crasher:
pid: <0.387.0>
registered_name: []
error_info: {{case_clause,{error,{open_error,-10}}},
[{tls,tcp_to_tls,2},
{ejabberd_c2s,init,1},
{gen_fsm,init_it,6},
{proc_lib,init_p,5}]}
initial_call: {gen,init_it,
[gen_fsm,
<0.223.0>,
self,
ejabberd_c2s,
[{gen_tcp,#Port<0.286>},
[{access,c2s},
{shaper,c2s_shaper},
tls,
{certfile,"/opt/ejabberd-1.1.4/conf/server.pem"}]],
[]]}
ancestors: [<0.223.0>,ejabberd_listeners,ejabberd_sup,<0.37.0>]
messages: []
links: []
dictionary: []
trap_exit: false
status: running
heap_size: 610
stack_size: 21
reductions: 2112
neighbours:
=CRASH REPORT==== 8-Nov-2007::15:44:33 ===
crasher:
pid: <0.223.0>
registered_name: []
error_info: {{badmatch,{error,{{case_clause,{error,{open_error,-10}}},
[{tls,tcp_to_tls,2},
{ejabberd_c2s,init,1},
{gen_fsm,init_it,6},
{proc_lib,init_p,5}]}}},
[{ejabberd_listener,accept,3},{proc_lib,init_p,5}]}
initial_call: {ejabberd_listener,
init,
[5222,
ejabberd_c2s,
[{access,c2s},
{shaper,c2s_shaper},
tls,
{certfile,"/opt/ejabberd-1.1.4/conf/server.pem"}]]}
ancestors: [ejabberd_listeners,ejabberd_sup,<0.37.0>]
messages: []
links: [#Port<0.286>,<0.222.0>,#Port<0.251>]
dictionary: []
trap_exit: false
status: running
heap_size: 377
stack_size: 21
reductions: 621
neighbours:
=SUPERVISOR REPORT==== 8-Nov-2007::15:44:33 ===
Supervisor: {local,ejabberd_listeners}
Context: child_terminated
Reason: {{badmatch,{error,{{case_clause,{error,{open_error,-10}}},
[{tls,tcp_to_tls,2},
{ejabberd_c2s,init,1},
{gen_fsm,init_it,6},
{proc_lib,init_p,5}]}}},
[{ejabberd_listener,accept,3},{proc_lib,init_p,5}]}
Offender: [{pid,<0.223.0>},
{name,5222},
{mfa,
{ejabberd_listener,
start,
[5222,
ejabberd_c2s,
[{access,c2s},
{shaper,c2s_shaper},
tls,
{certfile,
"/opt/ejabberd-1.1.4/conf/server.pem"}]]}},
{restart_type,transient},
{shutdown,brutal_kill},
{child_type,worker}]
=PROGRESS REPORT==== 8-Nov-2007::15:44:33 ===
supervisor: {local,ejabberd_listeners}
started: [{pid,<0.388.0>},
{name,5222},
{mfa,
{ejabberd_listener,
start,
[5222,
ejabberd_c2s,
[{access,c2s},
{shaper,c2s_shaper},
tls,
{certfile,
"/opt/ejabberd-1.1.4/conf/server.pem"}]]}},
{restart_type,transient},
{shutdown,brutal_kill},
{child_type,worker}]
...while the simply shows that the connection was accepted...
=INFO REPORT==== 2007-11-08 15:44:33 ===
I(<0.223.0>:ejabberd_listener:90): (#Port<0.286>) Accepted connection {{160,76,51,105},2598} -> {{160,76,92,48},5222}Again, I haven't loaded anything "special" on my server and the binary install of ejabberd 1.1.4 works just fine...except for the TSL. I would be happy with SSL but everywhere I read that it's obsolete and I wouldn't mind my users not having to deal with forcing their clients to SSL. Any idea what I'm doing wrong?
Summary of STARTTLS, TLS and SSL options.
I have been successful in configuring ejabberd in every way except using the TSL connection at all. I have been able to connect via SSL on port 5222 and 5223 with Linux and Windows versions of Pidgin. If I configure port 5222 (or any other port for that matter) like so...
Jabber/XMPP propose three encryption methods:
As defined in ejabberd Guide, ejabberd allows those options when defining a listening socket:
As you can see, the option 'tls' in ejabberd is used to set a SSL connection, not STARTTLS. This obviously leads to confusion. However, ejabberd.cfg.example is quite clear to this respect:
{listen, [{5222, ejabberd_c2s, [{access, c2s}, {shaper, c2s_shaper}, {max_stanza_size, 65536}, starttls, {certfile, "./ssl.pem"}]}, {5223, ejabberd_c2s, [{access, c2s}, {max_stanza_size, 65536}, tls, {certfile, "./ssl.pem"}]}, % Use these two lines instead if TLS support is not compiled %{5222, ejabberd_c2s, [{access, c2s}, {shaper, c2s_shaper}]}, %{5223, ejabberd_c2s, [{access, c2s}, ssl, {certfile, "./ssl.pem"}]},Please follow this example and don't make weird experiments like putting 'tls' in the port 5222. Probably that will solve your problem.
Problem persists
I wasn't trying to make weird experiments but was only trying anything I could think of to get the server to work. Here's what I see happening. If I configure the port like this (unmodified from the sample config)...
{5222, ejabberd_c2s, [{access, c2s}, {max_stanza_size, 65536}, {shaper, c2s_shaper}]},...my clients can connect. If I configure the port like you said...
{5222, ejabberd_c2s, [{access, c2s}, {max_stanza_size, 65536}, {shaper, c2s_shaper}, starttls, {certfile, "/opt/ejabberd-1.1.4/conf/server.pem"}]},...and my clients get "Read Error" when they try to connect. If I change it slightly to...
{5222, ejabberd_c2s, [{access, c2s}, {max_stanza_size, 65536}, {shaper, c2s_shaper}, ssl, {certfile, "/opt/ejabberd-1.1.4/conf/server.pem"}]},...and change my clients to use SSL, they connect just fine. My question is: How do I find out what is wrong with the "starttls" potion of ejabberd and what I can I do to fix it?
Three possible errors
If I configure the port like you said...
{5222, ejabberd_c2s, [{access, c2s}, {max_stanza_size, 65536}, {shaper, c2s_shaper}, starttls, {certfile, "/opt/ejabberd-1.1.4/conf/server.pem"}]},...and my clients get "Read Error" when they try to connect.
My question is: How do I find out what is wrong with the "starttls" potion of ejabberd and what I can I do to fix it?
You didn't mention what error messages report ejabberd when you set 'starttls'.
With the information you provided, I consider several possibilities to explain the error:
This is the error that
This is the error that appears in logs/sasl.log:
=CRASH REPORT==== 13-Nov-2007::10:30:30 === crasher: pid: <0.36.0> registered_name: [] error_info: {bad_return,{{ejabberd_app,start,[normal,[]]}, {'EXIT',["118", 58, 32, ["syntax error before: ",["'{'"]]]}}} initial_call: {application_master, init, [<0.5.0>, <0.35.0>, {appl_data, ejabberd, [ejabberd, ejabberd_sup, ejabberd_auth, ejabberd_router, ejabberd_sm, ejabberd_s2s, ejabberd_local, ejabberd_listeners, ejabberd_iq_sup, ejabberd_service_sup, ejabberd_s2s_out_sup, ejabberd_s2s_in_sup, ejabberd_c2s_sup, ejabberd_mod_roster, ejabberd_mod_echo, ejabberd_mod_pubsub, ejabberd_mod_irc, ejabberd_mod_muc, ejabberd_offline, random_generator], undefined, {ejabberd_app,[]}, [acl, configure, cyrsasl, cyrsasl_digest, cyrsasl_plain, ejabberd, ejabberd_app, ejabberd_auth, ejabberd_c2s, ejabberd_config, ejabberd_listener, ejabberd_logger_h, ejabberd_local, ejabberd_router, ejabberd_s2s, ejabberd_s2s_in, ejabberd_s2s_out, ejabberd_service, ejabberd_sm, ejabberd_sup, ejabberd_tmp_sup, gen_iq_handler, gen_mod, jd2ejd, jlib, mod_configure, mod_disco, mod_echo, mod_last, mod_offline, mod_private, mod_register, mod_roster, mod_stats, mod_time, mod_vcard, mod_version, randoms, sha, shaper, translate, xml, xml_stream], [], infinity, infinity}, normal]} ancestors: [<0.35.0>] messages: [] links: [<0.35.0>,<0.37.0>,<0.5.0>] dictionary: [] trap_exit: true status: running heap_size: 610 stack_size: 21 reductions: 99 neighbours:Does the "syntax error" refer to the config file? ...or somewhere else? As far as the installer goes, I used the one here...
...which I would assume is for a 64-bit server. Here is the ls you asked for showing the tls_drv.so:
As far as the cert goes, it works okay with SSL so I would think it would work for TLS. Maybe not so I'll try to create a new one but maybe the error above can shed some light on my problem who's more familiar with the working of ejabberd. Thanks for your help.
Syntax error in ejabberd.cfg
This is the error that appears in logs/sasl.log:
=CRASH REPORT==== 13-Nov-2007::10:30:30 === crasher: pid: <0.36.0> registered_name: [] error_info: {bad_return,{{ejabberd_app,start,[normal,[]]}, {'EXIT',["118", 58, 32, ["syntax error before: ",["'{'"]]]}}} initial_call: {application_master, init, [<0.5.0>, <0.35.0>,Does the "syntax error" refer to the config file? ...or somewhere else?
Yes, the error message is probably related to a syntax error in ejabberd.cfg. I see a similar message if I put:
{5223, ejabberd_c2s, [{access, c2s} {max_stanza_size, 65536}]},Note that in this example, I removed a comma after 'c2s}'. The small pieces of config you pasted here are correct. The syntax error may be were you put those lines.
Above???
Check out my reply that's probably up above titled "More Help?". I've pasted my entire config and a different error.
same problem on FreeBSD
I use FreeBSD 6.2 AMD64 (64 bit version) and I have the same issues.
I cannot use TLS or STARTTL, same issue as discussed here. When using STARTTLS, I can connect once, and after the client disconnects, I cannot connect again without restarting ejabberd.
The same config worked fine on FreeBSD 6.2 I386 (32 bit version).
In fact I migrated my working ejabberd configuration files from the 32bit version over the 64bit version.
So it's not a config file issue, something is broken with SSL on 64bit platforms.
Erlang issue?
I think i might have isolated the issue.
Those that didn't work are on Erlang 12, the one that worked in on Erlang 11
Have not managed to verify for sure.
Noust 64 bit
I'm seeing the problem with 32 bit as well. Erlang 12b2.
More help?
I have created a new cert (newserver.pem) and migrated my data to a MySQL database. The server starts up just fine but I am getting a different error when clients try to connect:
=CRASH REPORT==== 15-Nov-2007::14:59:55 ===crasher:
pid: <0.312.0>
registered_name: []
error_info: {{case_clause,{error,{open_error,-10}}},
[{tls,tcp_to_tls,2},
{ejabberd_c2s,wait_for_feature_request,2},
{gen_fsm,handle_msg,7},
{proc_lib,init_p,5}]}
initial_call: {gen,init_it,
[gen_fsm,
<0.235.0>,
self,
ejabberd_c2s,
[{gen_tcp,#Port<0.321>},
[{access,c2s},
{max_stanza_size,65536},
{shaper,c2s_shaper},
starttls,
{certfile,"/opt/ejabberd-1.1.4/conf/newserver.pem"}]],
[]]}
ancestors: [<0.235.0>,ejabberd_listeners,ejabberd_sup,<0.37.0>]
messages: []
links: []
dictionary: []
trap_exit: false
status: running
heap_size: 987
stack_size: 21
reductions: 1295
neighbours:
The ejabberd.cfg is as follows:
{acl, admin, {user, "admin"}}.{acl, local, {user_regexp, ""}}.
{access, pubsub_createnode, [{allow, all}]}.
{access, configure, [{allow, admin}]}.
{access, register, [{allow, all}]}.
{welcome_message, none}.
{access, announce, [{allow, admin}]}.
{access, c2s, [{deny, blocked},
{allow, all}]}.
{shaper, normal, {maxrate, 1000}}.
{shaper, fast, {maxrate, 50000}}.
{access, c2s_shaper, [{none, admin},
{normal, all}]}.
{access, s2s_shaper, [{fast, all}]}.
{access, muc_admin, [{allow, admin}]}.
{access, muc, [{allow, all}]}.
{access, local, [{allow, local}]}.
{hosts, ["j2.alegent.org"]}.
{max_user_sessions, 10}.
{auth_method, odbc}.
{odbc_server, {mysql, "localhost", "ejabberd", "ejabberd", "XMPP"}}.
{language, "en"}.
{listen, [
{5222, ejabberd_c2s, [{access, c2s}, {max_stanza_size, 65536}, {shaper, c2s_shaper}, starttls, {certfile, "/opt/ejabberd-1.1.4/conf/newserver.pem"}]},
{5223, ejabberd_c2s, [{access, c2s}, {max_stanza_size, 65536}, {shaper, c2s_shaper}, tls, {certfile, "/opt/ejabberd-1.1.4/conf/newserver.pem"}]},
{5280, ejabberd_http, [http_poll, web_admin, tls, {certfile, "/opt/ejabberd-1.1.4/conf/newserver.pem"}]}
]}.
{outgoing_s2s_port, 5269}.
{modules,
[
{mod_register, [{access, register}]},
{mod_roster_odbc, []},
{mod_privacy, []},
{mod_adhoc, []},
{mod_configure, []}, % Depends on mod_adhoc
{mod_configure2, []},
{mod_disco, []},
{mod_stats, []},
{mod_vcard_odbc, [{search, true}, {matches, infinity}, {allow_return_all, true}]},
{mod_offline_odbc, []},
{mod_announce, [{access, announce}]}, % Depends on mod_adhoc
{mod_echo, [{host, "echo.j2.alegent.org"}]},
{mod_private, []},
{mod_muc, [{access, muc}, {access_create, muc}, {access_admin, muc_admin}, {history_size, 10}]},
{mod_shared_roster, []},
{mod_pubsub, [{access_createnode, pubsub_createnode}]},
{mod_time, []},
{mod_last_odbc, []},
{mod_version, []}
]}.
Am I doing something wrong here?
Problem reading tls_drv.so
The ejabberd.cfg is as follows:
Am I doing something wrong here?
The syntax of your config file seems correct. For that reason ejabberd can start correctly.
I installed ejabberd svn, created a certificate and everything worked fine. Then, I started to delete files, change permissions, and I annotated the error messages reported by ejabberd. Here they are:
** Reason for termination = ** {{badmatch,{error,"SSL_CTX_use_certificate_file failed: error:02001002:system library:fopen:No such file or directory"}}, [{ejabberd_socket,starttls,3}, {ejabberd_c2s,wait_for_feature_request,2}, {gen_fsm,handle_msg,7}, {proc_lib,init_p,5}]}** Reason for termination = ** {{badmatch,{error,"SSL_CTX_use_certificate_file failed: error:0200100D:system library:fopen:Permission denied"}}, [{ejabberd_socket,starttls,3}, {ejabberd_c2s,wait_for_feature_request,2}, {gen_fsm,handle_msg,7}, {proc_lib,init_p,5}]}** Reason for termination = ** {{badmatch,{error,"SSL_CTX_use_certificate_file failed: error:0906D06C:PEM routines:PEM_read_bio:no start line"}}, [{ejabberd_socket,starttls,3}, {ejabberd_c2s,wait_for_feature_request,2}, {gen_fsm,handle_msg,7}, {proc_lib,init_p,5}]}** Reason for termination = ** {{badmatch,{error,"SSL_CTX_use_certificate_file failed: error:0906D066:PEM routines:PEM_read_bio:bad end line"}}, [{ejabberd_socket,starttls,3}, {ejabberd_c2s,wait_for_feature_request,2}, {gen_fsm,handle_msg,7}, {proc_lib,init_p,5}]}** Reason for termination = ** {{badmatch,{error,"SSL_CTX_use_PrivateKey_file failed: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag"}}, [{ejabberd_socket,starttls,3}, {ejabberd_c2s,wait_for_feature_request,2}, {gen_fsm,handle_msg,7}, {proc_lib,init_p,5}]}** Reason for termination = ** {{case_clause,{error,{open_error,-10}}}, [{tls,tcp_to_tls,2}, {ejabberd_socket,starttls,3}, {ejabberd_c2s,wait_for_feature_request,2}, {gen_fsm,handle_msg,7}, {proc_lib,init_p,5}]}I have created a new cert (newserver.pem) and migrated my data to a MySQL database. The server starts up just fine but I am getting a different error when clients try to connect:
=CRASH REPORT==== 15-Nov-2007::14:59:55 ===crasher:
pid: <0.312.0>
registered_name: []
error_info: {{case_clause,{error,{open_error,-10}}},
[{tls,tcp_to_tls,2},
{ejabberd_c2s,wait_for_feature_request,2},
{gen_fsm,handle_msg,7},
{proc_lib,init_p,5}]}
As you can see, the problem is probably that tls_drv.so is not readable.
I think we already tried all the possibilities, and that you are doing the things correctly. So the problem may be a bug in the installer, or an incompatibility with your operating system or system libraries.
I've reported this issue in the bug tracher: . Once the problem is inspected, maybe there is a new solution that you should try to verify if it solves the problem.