Difference between revisions of "Tech pages/XEP-0368"
Jump to navigation
Jump to search
| Line 20: | Line 20: | ||
# in this example: | # in this example: | ||
# 5223 is a | # 5223 is a "direct-tls" xmpp port (prosody legacy_ssl_ports, ejabberd listen with tls: true) | ||
# 442 is a | # 442 is a https port (nginx, apache, etc) | ||
# 22 is an ssh port | # 22 is an ssh port (openssh) | ||
# 5222 is a prosody c2s_ports | # 5222 is a regular/plain/starttls xmpp port (prosody c2s_ports, ejabberd listen with starttls: true) | ||
# 994 is dovecot | # 994 is "direct-tls" imap port, imaps (dovecot etc) | ||
protocols: | protocols: | ||
( | ( | ||
{ name: "tls"; host: "127.0.0.1"; port: "442"; alpn_protocols: [ "h2", "http/1.1" ]; }, # https | { name: "tls"; host: "127.0.0.1"; port: "442"; alpn_protocols: [ "h2", "http/1.1" ]; }, # https most common case | ||
{ name: "tls"; host: "127.0.0.1"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; }, # check for XEP-0368 xmpp tls (this needs to be above SNI check below because XEP-0368 would send example.org in SNI) | { name: "tls"; host: "127.0.0.1"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; }, # check for XEP-0368 xmpp tls (this needs to be above SNI check below because XEP-0368 would send example.org in SNI) | ||
{ name: "tls"; host: "127.0.0.1"; port: "442"; sni_hostnames: [ "www.example.org", "example.org" ]; }, # specific hostnames go to | { name: "tls"; host: "127.0.0.1"; port: "442"; sni_hostnames: [ "www.example.org", "example.org" ]; }, # specific hostnames go to https | ||
{ name: "tls"; host: "127.0.0.1"; port: "994"; sni_hostnames: [ "imap.example.org" ]; }, # other hostnames go to | { name: "tls"; host: "127.0.0.1"; port: "994"; sni_hostnames: [ "imap.example.org" ]; }, # other hostnames go to imaps | ||
{ name: "tls"; host: "127.0.0.1"; port: "442"; }, # anything else TLS assume for | { name: "tls"; host: "127.0.0.1"; port: "442"; }, # anything else TLS assume for https | ||
{ name: "ssh"; host: "127.0.0.1"; port: "22"; }, # ssh goes to | { name: "ssh"; host: "127.0.0.1"; port: "22"; }, # ssh goes to ssh | ||
{ name: "xmpp"; host: "127.0.0.1"; port: "5222"; }, # xmpp goes to | { name: "xmpp"; host: "127.0.0.1"; port: "5222"; }, # xmpp goes to regular xmpp port | ||
{ name: "timeout"; host: "127.0.0.1"; port: "442"; } # send everything unknown to | { name: "timeout"; host: "127.0.0.1"; port: "442"; } # send everything unknown to https | ||
); | ); | ||
on-timeout: "timeout"; # if timeout elapses (2 seconds here) go to | on-timeout: "timeout"; # if timeout elapses (2 seconds here) go to https | ||
</nowiki> | </nowiki> | ||
Revision as of 22:13, 8 January 2018
Here is a sample sslh.conf (Using at least sslh 1.18) to support XEP-0368 among other things:
verbose: false;
foreground: true;
inetd: false;
numeric: true;
transparent: false;
timeout: "2";
user: "nobody";
pidfile: "/run/sslh.pid";
# Note: I had to use IPs everywhere and not hostnames
# List of interfaces on which we should listen
listen:
(
{ host: "0.0.0.0"; port: "443"; },
);
# in this example:
# 5223 is a "direct-tls" xmpp port (prosody legacy_ssl_ports, ejabberd listen with tls: true)
# 442 is a https port (nginx, apache, etc)
# 22 is an ssh port (openssh)
# 5222 is a regular/plain/starttls xmpp port (prosody c2s_ports, ejabberd listen with starttls: true)
# 994 is "direct-tls" imap port, imaps (dovecot etc)
protocols:
(
{ name: "tls"; host: "127.0.0.1"; port: "442"; alpn_protocols: [ "h2", "http/1.1" ]; }, # https most common case
{ name: "tls"; host: "127.0.0.1"; port: "5223"; alpn_protocols: [ "xmpp-client" ]; }, # check for XEP-0368 xmpp tls (this needs to be above SNI check below because XEP-0368 would send example.org in SNI)
{ name: "tls"; host: "127.0.0.1"; port: "442"; sni_hostnames: [ "www.example.org", "example.org" ]; }, # specific hostnames go to https
{ name: "tls"; host: "127.0.0.1"; port: "994"; sni_hostnames: [ "imap.example.org" ]; }, # other hostnames go to imaps
{ name: "tls"; host: "127.0.0.1"; port: "442"; }, # anything else TLS assume for https
{ name: "ssh"; host: "127.0.0.1"; port: "22"; }, # ssh goes to ssh
{ name: "xmpp"; host: "127.0.0.1"; port: "5222"; }, # xmpp goes to regular xmpp port
{ name: "timeout"; host: "127.0.0.1"; port: "442"; } # send everything unknown to https
);
on-timeout: "timeout"; # if timeout elapses (2 seconds here) go to https
Another (incorrectly named) example can be found at the Debian Wiki
You then need to setup your SRV Records so clients can find it, personally I have mine set up like so (for a JID like me@example.org):
_xmpps-client._tcp.example.org. 86400 IN SRV 5 0 443 xmpp.example.org. _xmpp-client._tcp.example.org. 86400 IN SRV 10 0 443 xmpp.example.org. _xmpp-client._tcp.example.org. 86400 IN SRV 15 0 5222 xmpp.example.org.
This prioritizes XEP-0368 TLS over port 443 first, then plain XMPP over 443 next, and lastly plain XMPP over 5222. A client that doesn't support XEP-0368 just skips the first record.
Please note the target can be anything, example.org, xmpp.example.org, or some.unrelated.domain.net, just as long as it's listening on those ports and has a valid certificate for example.org in this case.
If you have any questions feel free to ask the author of XEP-0368 via email, XMPP, or the nick moparisthebest in the XSF MUC