don't listen on port 5223

5 replies

Original poster (joined 2010-01-23):

Tigase listens on port 5223, even though it appears not to provide any service on the port. TCP connections are accepted but then closed immediately.

I'm concerned this may cause problems with clients that probe against port 5223. I'd prefer a normal connection refused rather than this weird accept + close.

kobit (joined 2006-09-03):

Port 5223 is used for SSL connections. The behaviour you describe might be related to an SSL certificate misconfiguration. The connection is opened, then the server tries to activate SSL; this fails and the connection is closed.
Please check Tigase logs to confirm that.

Original poster (joined 2010-01-23):

-----
2010-05-01 16:53:58 PEMSSLContextContainer.loadFromPEMFile() INFO: Reading private key & certificate chain; alias: 'default', password: ''
2010-05-01 16:53:58 PEMSSLContextContainer.getSSLContext() SEVERE: Error on creating SSLContext for host defaultjava.security.KeyStoreException: Cannot store non-PrivateKeys
-----

SSL is working using STARTTLS and port 5222. I have a valid cert for our domain using the correct file format in the certs dir. Based on the above log, I have copied our "domain.com.pem" file to "default.pem", and now port 5223 works correctly and accepts logins. Thanks for the hint.

However, I should have been more clear in my original post. I would like to have port 5223 disabled, since it is legacy and I don't want to encourage it. Is there a way to disable it in tigase?

kobit (joined 2006-09-03):

Have a look at the guide for the init.properties file and search for '--cmpname-ports' property description.
This should allow you to specify what exact ports should be used by selected component.

Original poster (joined 2010-01-23):

Two questions:

1) Is this a list of ports that all do the same thing (based on component type)? Or will the component do different things based on known port values? For example, if I specify "--c2s-ports=5220,5221,5222,5223,5224", is port 5223 recognized and handled specially by the c2s component as the legacy SSL service? Or would the c2s component just run the standard xmpp-client service on all specified ports, with a different component actually servicing the legacy SSL service?

2) What is the name of the component that handles legacy SSL connections?

kobit (joined 2006-09-03):

ad. 1. If you use this property for any component, then the component automatically does not use SSL ports at all. All port numbers refer to the standard XMPP service (plain or TLS, not SSL) only. So this effectively disables legacy SSL support for this component.
ad. 2. Legacy c2s connections are handled by the c2s component, legacy s2s connections are handled by the s2s component, etc.
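
The thread turns on telling three port behaviours apart: a normal connection refused, the accept-then-close that kobit attributes to a failed SSL activation, and a completed handshake once a usable certificate is in place. The probe below is an added example written for this page; it is not code from the thread or from Tigase. It connects as a TLS client with certificate checking switched off (the question is whether a handshake completes, not whether the cert is trusted) and classifies the result. The accept-and-close listener and the free-port helper are constructed locally so the script runs offline; the hostname xmpp.example.org in the commented usage is hypothetical. The same probe is the check to run after listing the c2s ports explicitly as kobit describes: 5223 should then come back as refused rather than accept_then_close.

```python
import ipaddress
import socket
import ssl
import threading

# Outcomes the probe distinguishes.
REFUSED = "refused"                      # nothing listening: RST answers the SYN
NO_ANSWER = "no_answer"                  # connect timed out or host unreachable
ACCEPT_THEN_CLOSE = "accept_then_close"  # TCP accepted, peer hung up before the handshake finished
TLS_FAIL = "tls_fail"                    # peer talked back, but the handshake failed
TLS_OK = "tls_ok"                        # handshake completed: the legacy SSL port is live


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify_port(host, port, timeout=3.0):
    """Connect to host:port as a TLS client and report how the peer behaves.

    Returns (outcome, detail). Certificate validation is deliberately off:
    we only want to know whether a handshake completes at all.
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError as exc:
        return REFUSED, str(exc)
    except OSError as exc:  # timeout, unreachable, no route ...
        return NO_ANSWER, str(exc)

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    sni = None if _is_ip(host) else host  # only send SNI for real hostnames
    try:
        tls = ctx.wrap_socket(raw, server_hostname=sni)  # handshake runs here
        try:
            return TLS_OK, "%s, cipher %s" % (tls.version(), tls.cipher()[0])
        finally:
            tls.close()
    except (ssl.SSLEOFError, ConnectionResetError, BrokenPipeError) as exc:
        return ACCEPT_THEN_CLOSE, str(exc)
    except ssl.SSLError as exc:
        # Older Python/OpenSSL combinations report an early EOF as a plain SSLError.
        if "EOF" in str(exc).upper():
            return ACCEPT_THEN_CLOSE, str(exc)
        return TLS_FAIL, str(exc)
    except socket.timeout as exc:
        return TLS_FAIL, "no handshake reply: " + str(exc)
    finally:
        raw.close()


def start_accept_and_close_listener(host="127.0.0.1"):
    """Constructed stand-in for the symptom in the thread: accept, then close at once.

    Returns (port, stop); call stop() to shut the listener down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))      # port 0: let the kernel pick a free port
    srv.listen(5)
    srv.settimeout(0.2)      # lets the serving thread notice stop()
    stopping = threading.Event()

    def serve():
        while not stopping.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            conn.close()     # hang up without sending a byte
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stopping.set


def free_port(host="127.0.0.1"):
    """Reserve and release an ephemeral port so we have one with no listener (constructed)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port, stop = start_accept_and_close_listener()
    print("accept-and-close listener:", classify_port("127.0.0.1", port))
    stop()
    print("nothing listening:", classify_port("127.0.0.1", free_port()))
    # Against a real server (hypothetical hostname): with the broken cert setup
    # 5223 should report accept_then_close, with a working default.pem tls_ok,
    # and once only 5222 is listed for the c2s component it should be refused.
    # print(classify_port("xmpp.example.org", 5223))
```

The two local cases are the ones a verifier can reproduce without a server; against a live host the value of the probe is that it separates a handshake failure (tls_fail, worth reading the server log for) from a port that is simply not offered any more (refused).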
