Package org.jivesoftware.openfire.server

Class ServerDialback

  • public class ServerDialback
extends Object
    Implementation of the Server Dialback method as defined by the RFC3920. The dialback method follows the following logic to validate the remote server:
    1. The Originating Server establishes a connection to the Receiving Server.
    2. The Originating Server sends a 'key' value over the connection to the Receiving Server.
    3. The Receiving Server establishes a connection to the Authoritative Server.
    4. The Receiving Server sends the same 'key' value to the Authoritative Server.
    5. The Authoritative Server replies that key is valid or invalid.
    6. The Receiving Server informs the Originating Server whether it is authenticated or not.
    By default a timeout of 20 seconds will be used for reading packets from remote servers. Use the property xmpp.server.read.timeout to change that value. The value should be in milliseconds.
    Author:
    Gaston Dombiak

    • Field Detail

      • CHARSET

        protected static String CHARSET
        The utf-8 charset for decoding and encoding Jabber packet streams.

    • Constructor Detail

      • ServerDialback

        public ServerDialback​(Connection connection,
                      DomainPair domainPair)
        Creates a new instance that will be used for creating IncomingServerSession, validating subsequent domains or authenticating new domains. Use createIncomingSession(org.dom4j.io.XMPPPacketReader) for creating a new server session used for receiving packets from the remote server. Use validateRemoteDomain(org.dom4j.Element, org.jivesoftware.openfire.StreamID) for validating subsequent domains and use authenticateDomain(OutgoingServerSocketReader, String) for registering new domains that are allowed to send packets to the remote server.

        For validating domains a new TCP connection will be established to the Authoritative Server. The Authoritative Server may be the same Originating Server or some other machine in the Originating Server's network. Once the remote domain gets validated the Originating Server will be allowed for sending packets to this server. However, this server will need to validate its domain/s with the Originating Server if this server needs to send packets to the Originating Server. Another TCP connection will be established for validation this server domain/s and for sending packets to the Originating Server.

        Parameters:
        connection - the connection created by the remote server.
        domainPair - the local and remote domain for which authentication is to be established.

      • ServerDialback

        public ServerDialback​(DomainPair domainPair)

    • Method Detail

      • isEnabled

        public static boolean isEnabled()
        Returns true if server dialback is enabled. When enabled remote servers may connect to this server using the server dialback method and this server may try the server dialback method to connect to remote servers.

        When TLS is enabled between servers and server dialback method is enabled then TLS is going to be tried first, when connecting to a remote server, and if TLS fails then server dialback is going to be used as a last resort. If enabled and the remote server offered server-dialback after TLS and no SASL EXTERNAL then server dialback will be used.

        Returns:
        true if server dialback is enabled.

      • isEnabledForSelfSigned

        public static boolean isEnabledForSelfSigned()
        Returns true if server dialback can be used when the remote server presented a self-signed certificate. During TLS the remote server can present a self-signed certificate, if this setting is enabled then the self-signed certificate will be accepted and if SASL EXTERNAL is not offered then server dialback will be used for verifying the remote server.

        If self-signed certificates are accepted then server dialback over TLS is enabled.

        Returns:
        true if server dialback can be used when the remote server presented a self-signed certificate.

      • setEnabledForSelfSigned

        public static void setEnabledForSelfSigned​(boolean enabled)
        Sets if server dialback can be used when the remote server presented a self-signed certificate. During TLS the remote server can present a self-signed certificate, if this setting is enabled then the self-signed certificate will be accepted and if SASL EXTERNAL is not offered then server dialback will be used for verifying the remote server.

        If self-signed certificates are accepted then server dialback over TLS is enabled.

        Parameters:
        enabled - if server dialback can be used when the remote server presented a self-signed certificate.

      • createOutgoingSession

        public LocalOutgoingServerSession createOutgoingSession​(int port)
        Creates a new connection for the domain pair, where the local domain acts as the Originating Server and the remote domain as the Receiving Server.
        Parameters:
        port - port of the Receiving Server.
        Returns:
        an OutgoingServerSession if the domain was authenticated or null if none.

      • createAndSendDialbackKey

        public void createAndSendDialbackKey​(String id)
        Create a dialback key and send to receiving server
        Parameters:
        id - the stream id to be used for creating the dialback key.

      • authenticateDomain

        public boolean authenticateDomain​(OutgoingServerSocketReader socketReader,
                                  String id)
        Authenticates the Originating Server domain with the Receiving Server. Once the domain has been authenticated the Receiving Server will start accepting packets from the Originating Server.

        The Receiving Server will connect to the Authoritative Server to verify the dialback key. Most probably the Originating Server machine will be the Authoritative Server too.

        Parameters:
        socketReader - the reader to use for reading the answer from the Receiving Server.
        id - the stream id to be used for creating the dialback key.
        Returns:
        true if the Receiving Server authenticated the domain with the Authoritative Server.

      • createIncomingSession

        public LocalIncomingServerSession createIncomingSession​(XMPPPacketReader reader)
                                                 throws IOException,
                                                        org.xmlpull.v1.XmlPullParserException
        Returns a new IncomingServerSession with a domain validated by the Authoritative Server. New domains may be added to the returned IncomingServerSession after they have been validated. See LocalIncomingServerSession.validateSubsequentDomain(org.dom4j.Element). The remote server will be able to send packets through this session whose domains were previously validated.

        When acting as an Authoritative Server this method will verify the requested key and will return null since the underlying TCP connection will be closed after sending the response to the Receiving Server.

        Parameters:
        reader - reader of DOM documents on the connection to the remote server.
        Returns:
        an IncomingServerSession that was previously validated against the remote server.
        Throws:
        IOException - if an I/O error occurs while communicating with the remote server.
        org.xmlpull.v1.XmlPullParserException - if an error occurs while parsing XML packets.

      • dialbackError

        protected void dialbackError​(String from,
                             String to,
                             org.xmpp.packet.PacketError err)
        Send a dialback error.
        Parameters:
        from - From
        to - To
        err - Error type.

      • validateRemoteDomain

        public void validateRemoteDomain​(org.dom4j.Element doc,
                                 StreamID streamID)
                          throws StreamErrorException,
                                 ServerDialbackErrorException,
                                 ServerDialbackKeyInvalidException
        Returns true if the domain requested by the remote server was validated by the Authoritative Server. To validate the domain a new TCP connection will be established to the Authoritative Server. The Authoritative Server may be the same Originating Server or some other machine in the Originating Server's network.

        If the domain was not valid or some error occurred while validating the domain then the underlying TCP connection may be closed.

        Parameters:
        doc - the request for validating the new domain.
        streamID - the stream id generated by this server for the Originating Server.
        Throws:
        StreamErrorException - when validation did not succeed.
        ServerDialbackErrorException
        ServerDialbackKeyInvalidException

      • verifyReceivedKey

        public static boolean verifyReceivedKey​(org.dom4j.Element doc,
                                        Connection connection)
        Verifies the key sent by a Receiving Server. This server will be acting as the Authoritative Server when executing this method. The remote server may have established a new connection to the Authoritative Server (i.e. this server) for verifying the key or it may be reusing an existing incoming connection.
        Parameters:
        doc - the Element that contains the key to verify.
        connection - the connection to use for sending the verification result
        Returns:
        true if the key was verified.