[erlang-questions] Adding StartTLS support to Ejabberd?
Mon Aug 6 19:12:20 CEST 2012
On Mon, Aug 06, 2012 at 05:14:48PM +0100, Gavin Henry wrote:
> Hi Rory (sorry for top posting. My mail client sucks),
Ha, it's been so long since I replied to anything on a list that
I'd forgot the rules!
I've changed the subject of this email in the hope that someone
from the ejabberd community might offer some advice.
> That's what I thought. I'm not sure why though or whether it can be
> pulled out again.
Well, it looks like the current release of ejabberd is supported
running on Erlang/OTP versions from R10B9 to R15B, and eldap was
only added to the R15B01 release. Also, it looks like the 3.0.0
alpha and beta versions of ejabberd are being supported on
Erlang/OTP R12B5 and above, so they won't be dropping their own
eldap implementation any time soon.
However, they might accept a patch that uses the OTP version of
eldap when it's available. Ultimately it would be more beneficial
for everyone if the STARTTLS and SASL functionality were added to
the OTP version. Certainly if I was writing a patch, I'd much
rather it was for the OTP version.
There might be another problem with adding this functionality to
the ejabberd eldap. I'm not 100% sure about this, but I think
that the ssl application that was used in Erlang before R14B (the
old default ssl application), did not have the ability to start
running SSL over an already established TCP connection. I think
this was actually one of the main reasons for the big rewrite of
the ssl application in recent years. Basically what this means is
that it will not be possible (or just wise) to use STARTTLS when
using versions of Erlang/OTP before R14B. Any patch to the ejabberd
eldap would need to offer this functionality only when a suitable
version of Erlang was running.
However, the main downside to patching the OTP version - assuming
it even gets accepted - is that you will only have the STARTTLS
functionality if you are running ejabberd on top of some future
version of Erlang (or a patched R15B01+ version). Would this suit
> In our situation we're not using cliebt certificate based TLS with
> SASL EXTERNAL. But it should be added at the same time rather than an
> incomplete patch.
Yeah, I reckon it's worth having.
More information about the erlang-questions