Tigase XMPP Server vulnerability to certain DOS attacks fixed
Description
Tigase XMPP Server versions prior to 5.1.1 are vulnerable to certain DoS attacks on the XMPP stream. Sending specially prepared XML data over the XMPP stream of the Tigase server can cause an out-of-memory error, system overload and eventually service failure.
Sensitivity
All types of XMPP connections are affected by this bug: c2s, s2s and external component connections. The TCP/IP connection does not have to be authenticated for the attack to succeed.
Solution
A fix for the problem is already in our SVN repository and covers changes in both the Tigase XMPP Server code (tagged as tigase-server-5.1.1) and the Tigase XML Tools code (tagged as tigase-xmltools-3.4.2).
Binary packages have been released and published under version number 5.1.2, which also includes some Bosh improvements for multiple HTTP connections with the Web client and compatibility with the Strophe library.
- kobit's blog
Large scale systems based on Tigase
I have just discovered an interesting article about a Tigase deployment on a quite large-scale system and I thought it might be worth sharing.
Actually, I was sent the link to this article by somebody who is interested in using Tigase as well.
As I did not know about the article, I read it with interest, as it presents a quite new approach to scaling an XMPP system. It is definitely worth reading.
The article link: Zoosk - The Engineering Behind Real Time Communications.
- kobit's blog
Hashed user passwords in database
By default, user passwords are stored in plain text in Tigase's database. However, there is an easy way to have them encoded in one of the already supported ways, or even to add a new encoding algorithm of your own. The reason for storing passwords in plain text in the database is to make it possible to avoid the plain-text password authentication mechanism. At the moment you cannot have both hashed passwords in the database and non-plain-text password authentication. On the other hand, the connection between the server and the client is almost always secured by SSL/TLS, so the plain-text password authentication method may be less of a problem than storing plain-text passwords in the database. Nevertheless, it is simple enough to adjust this in Tigase's database, and we will add an option to the Tigase installer to allow you to make the decision at installation time.
Tigase server and multiple databases
Splitting user authentication data from all other XMPP information such as rosters, vcards, etc. has almost always been possible in Tigase XMPP Server, and it is quite simple to configure. It has also always been possible and easy to assign a different database to each Tigase component (MUC, PubSub, AMP) and to the recording of server statistics. Almost every data type or component can store its information in a different location, which is simple and easy to set up through the configuration file.
However, it is much less well known that it is also possible to have a different database for each virtual domain. This applies to both the user repository and the authentication repository. It allows for very interesting configurations, such as user database sharding where each shard keeps the users for a specific domain, or physically splitting data by virtual domain when each domain belongs to a different customer or group of people.
How can we do that then?