[erlang-questions] Adding StartTLS support to Ejabberd?

Rory Byrne <>
Mon Aug 6 19:12:20 CEST 2012


On Mon, Aug 06, 2012 at 05:14:48PM +0100, Gavin Henry wrote:
> Hi Rory (sorry for top posting. My mail client sucks),
 
Ha, it's been so long since I replied to anything on a list that 
I'd forgot the rules!

I've changed the subject of this email in the hope that someone
from the ejabberd community might offer some advice.

> That's what I thought. I'm not sure why though or whether it can be
> pulled out again.
 
Well, it looks like the current release of ejabberd is supported 
running on Erlang/OTP versions from R10B9 to R15B, and eldap was
only added to the R15B01 release. Also, it looks like the 3.0.0 
alpha and beta versions of ejabberd are being supported on 
Erlang/OTP R12B5 and above, so they won't be dropping their own 
eldap implementation any time soon.

However, they might accept a patch that uses the OTP version of 
eldap when it's available. Ultimately it would be more beneficial
for everyone if the STARTTLS and SASL functionality were added to
the OTP version. Certainly if I was writing a patch, I'd much 
rather it was for the OTP version.

There might be another problem with adding this functionality to
the ejabberd eldap. I'm not 100% sure about this, but I think 
that the ssl application that was used in Erlang before R14B (the
old default ssl application), did not have the ability to start 
running SSL over an already established TCP connection. I think 
this was actually one of the main reasons for the big rewrite of 
the ssl application in recent years. Basically what this means is 
that it will not be possible (or just wise) to use STARTTLS when 
using versions of Erlang/OTP before R14B. Any patch to the ejabberd 
eldap would need to offer this functionality only when a suitable 
version of Erlang was running. 

However, the main downside to patching the OTP version - assuming 
it even gets accepted - is that you will only have the STARTTLS 
functionality if you are running ejabberd on top of some future 
version of Erlang (or a patched R15B01+ version). Would this suit
you?

> In our situation we're not using cliebt certificate based TLS with
> SASL EXTERNAL. But it should be added at the same time rather than an
> incomplete patch.

Yeah, I reckon it's worth having.



More information about the erlang-questions mailing list