SSL

I have ejabberd up and running fine, but I am not sure I have the SSL part working correctly...

I have OpenSSL installed, and created a self signed certificate...

I have set the .cfg file as follows:

**************************************************************
% Listened ports:
{listen,
[
% {5222, ejabberd_c2s, [{access, c2s},
% {shaper, c2s_shaper}]},

% To create selfsigned certificate run the following command from the
% command prompt:
%
% openssl req -new -x509 -days 365 -nodes -out ejabberd.pem -keyout ejabberd.pem
%
% and answer the questions.
% {5222, ejabberd_c2s, [{access, c2s},
% starttls, {certfile, "./ejabberd.pem"},
% {shaper, c2s_shaper}]},

% When using SSL/TLS ssl option is not recommended (it requires patching
% erlang ssl application). Use tls option instead (as shown below).
{5223, ejabberd_c2s, [{access, c2s},
tls, {certfile, "./ejabberd.pem"},
{shaper, c2s_shaper}]},

{5269, ejabberd_s2s_in, [{shaper, s2s_shaper}]},

% {5555, ejabberd_service, [{access, all},
% {host, "icq.localhost", [{password, "secret"}]}]},

{5280, ejabberd_http, [http_poll, web_admin]}
]}.

% If SRV lookup fails, then port 5269 is used to communicate with remote server
{outgoing_s2s_port, 5269}.
**************************************************************

I have the client setup to use SSL and port 5223, but when I logon to the server, it still passes my username and password in plain text to the server... I can see them in the log...

Thanks for your help with this!

-Bill

I got a similar problem

Well, hello folk.

I've got a server running here in my company. It's doing well and I have the SSL transfer working fine. It means that when I log in I see the padlock closed. Secure connection.

But I still have to log in using the *horrible* 'plaintext login' method.

If I have something useful for you just ask. And, if you learn how to do the 'secure' login, please, tell me.

Bye!

You can see the username and

You can see the username and password on the server logs because the server needs to know the username and password, right?

The important part is that only the client and the server can see the password.

It is a debug option

Someone told me in another thread (don't remember which one; I think it is the one I started) that this is a debug option that was forgotten in the code of ejabberd.

It is something like a ( printf("\n(AUTH:%s:%s)\n",$user,$password); ).

It just appears in the server log window when started without the -detached option.

As I have understood it, the password is sent over the network in an encrypted form and the server decrypts it at hash time. So, I think the problem is solved.

The only thing is to comment this debug line on next version of ejabberd.

That is it.

Checking for encrypted login

When testing an SSL connection you can use tcpdump or ethereal between the client and the ejabberd server. Without SSL you can see the password on the wire. With SSL enabled this disappears. It's the simplest means of giving you the warm and fuzzy feeling that SSL is working :)

totem
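The check above (sniff between client and server, look for the password on the wire) is the right one for the 5223/tls listener in Bill's config. The following is an added example, not code posted by anyone in this thread: it shows what the first client-to-server bytes look like in each case and what "seeing the password" means, on constructed sample captures rather than a live tcpdump. It also goes a step beyond the thread: with SASL PLAIN the credentials are base64-encoded, so a naive grep for the password misses them even though they are trivially readable without TLS. The hostnames, the user "bill", the password "s3cret" and the byte strings are all constructed for the example.

```python
import base64
import re

# Constructed sample captures (not from the thread): the first client-to-server
# bytes a sniffer placed between the client and ejabberd would see.

# Case 1: client configured for "SSL" on port 5223 (the tls listener). The very
# first bytes are a TLS record carrying a ClientHello, not XML.
TLS_CLIENT_HELLO = (
    b"\x16\x03\x01\x00\x2d"            # record header: handshake, TLS 1.0, 45 bytes
    b"\x01\x00\x00\x29\x03\x03"        # ClientHello (type 1), 41 bytes, TLS 1.2
    + bytes(32)                        # 32-byte client random (zeros, constructed)
    + b"\x00\x00\x02\x00\x2f\x01\x00"  # no session id, one cipher suite, null compression
)

# Case 2: plain port 5222 without STARTTLS, old jabber:iq:auth login (XEP-0078).
LEGACY_AUTH_STREAM = (
    b"<?xml version='1.0'?>"
    b"<stream:stream to='example.org' xmlns='jabber:client' "
    b"xmlns:stream='http://etherx.jabber.org/streams'>"
    b"<iq type='set' id='auth1'><query xmlns='jabber:iq:auth'>"
    b"<username>bill</username><password>s3cret</password>"
    b"<resource>home</resource></query></iq>"
)

# Case 3: plain port 5222 without STARTTLS, SASL PLAIN. The credentials are
# base64("\0user\0password"), so grepping for "s3cret" finds nothing.
SASL_PLAIN_STREAM = (
    b"<?xml version='1.0'?>"
    b"<stream:stream to='example.org' xmlns='jabber:client' version='1.0'>"
    b"<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='PLAIN'>"
    + base64.b64encode(b"\x00bill\x00s3cret")
    + b"</auth>"
)


def classify_stream_start(data: bytes) -> str:
    """Tell a TLS-on-connect stream from a plaintext XMPP stream by its first bytes."""
    # TLS record: content type 0x16 (handshake), major version 3, minor 0..4.
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    head = data.lstrip()[:16].lower()
    if head.startswith(b"<?xml") or head.startswith(b"<stream:stream"):
        return "plaintext-xmpp"
    return "unknown"


def find_plaintext_credentials(data: bytes) -> list:
    """Return (mechanism, username, password) triples readable from the wire."""
    found = []
    text = data.decode("utf-8", errors="replace")

    # Legacy jabber:iq:auth: username and password are literal XML text.
    for m in re.finditer(r"<query xmlns=['\"]jabber:iq:auth['\"]>(.*?)</query>", text, re.S):
        user = re.search(r"<username>(.*?)</username>", m.group(1))
        pw = re.search(r"<password>(.*?)</password>", m.group(1))
        if user and pw:
            found.append(("jabber:iq:auth", user.group(1), pw.group(1)))

    # SASL PLAIN: one base64 blob of authzid NUL authcid NUL password.
    for m in re.finditer(
        r"<auth[^>]*mechanism=['\"]PLAIN['\"][^>]*>([A-Za-z0-9+/=]+)</auth>", text
    ):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue
        parts = raw.split(b"\x00")
        if len(parts) == 3:
            found.append(("SASL PLAIN", parts[1].decode(), parts[2].decode()))
    return found


def audit(data: bytes) -> dict:
    """Summarise one captured client-to-server stream start."""
    return {"transport": classify_stream_start(data),
            "credentials": find_plaintext_credentials(data)}


if __name__ == "__main__":
    for name, sample in [("5223 tls", TLS_CLIENT_HELLO),
                         ("5222 legacy auth", LEGACY_AUTH_STREAM),
                         ("5222 SASL PLAIN", SASL_PLAIN_STREAM)]:
        print(name, audit(sample))
```

To use it on a real capture, feed `audit()` the payload of the first client-to-server packet (for example saved from ethereal's "Follow TCP Stream" view). With the 5223 tls listener in effect the answer is `tls` with no credentials; the password line in ejabberd's own log window, discussed earlier in the thread, is unaffected by this because it is printed server-side after the TLS layer has already decrypted the stream.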
