[sslh] SSLH for XMPP related services

moparisthebest admin at moparisthebest.com
Thu Nov 2 20:34:23 UTC 2017


Hi,

I'll reply in-line here.

On 11/02/2017 02:16 PM, Nk wrote:
> 1] I’m doing all of my config in /etc/default/sslh, is it possible to
> add the required config there without the need for a separate file?

Nope, you'll definitely need the separate config file, you cannot
specify alpn or sni matches on the command line.

> 2] I see that ejabberd will implement 0368 in v17.09 [the repo I use
> still provides v17.08], but I can’t find any documentation on how to
> enable it on v17.09 anyway.

If I understood the ejabberd dev I asked correctly, it doesn't actually
support it in the way you need.

> 3] Does this mean that basically ejabberd will listen on 5223 and
> clients like conversations [if configured to use 5223 without SSLH]
> would automatically know to use such port for all connections, even, for
> instance, HTTP upload [that currently uses port 5444]? If so how does
> conversations know to route all traffic on 5223?

You can do this (have xmpp clients go directly to 5223) but that doesn't
bypass firewalls that block all but 443.  You'll want SSLH to forward
connections to 443 with the xmpp alpn protocol and/or sni correct.  For
HTTP upload (that is inside ejabberd?) you'll be multiplexing on
hostname (upload.example.org might go there for instance).  In this way
all traffic can go over the same port 443.

> 4] If point 3 is true and SSLH comes into play, how does SSLH
> distinguish between SSL traffic destined for ejabberd and that destined
> for nginx? And how does conversations know that behind port 443 actually
> then sends traffic to an "all-inclusive" port like 5223?

SSLH distinguishes different HTTPS hosts based on SNI.  Conversations
knows port 443 is a xep-368 port via SRV records.  It knows
upload.example.org (for example) is your http upload server because it's
configured that way.

> 5] How do I set the default behaviour between ejabberd and nginx HTTPS
> traffic?

That's your default or timeout config, you'll have to pick one to
default to, probably nginx is correct here.

> Thanks so much!
> 
> 
> 
> Nk

No problem, let me know if you have other questions.

Thanks,
moparisthebest

> On 2 Nov 2017, 17:46 +0100, moparisthebest <admin at moparisthebest.com>,
> wrote:
>> Hi,
>>
>> Interesting project. sslh 1.18+ already has everything you need for this
>> built-in, you can get a fairly good idea from here:
>>
>> https://wiki.debian.org/InstallingProsody#XMPP_over_HTTPS
>>
>> Basically multiplex xep-368 TLS to XMPP TLS port with ALPN, you can
>> multiplex starttls xmpp with the built-in xmpp probe, you can multiplex
>> https with 'alpn_protocols: [ "h2", "http/1.1" ];' and/or SNI, and pick
>> a default (I default to https, you could default to xmpps).
>>
>> Thanks,
>> moparisthebest
>>
>> On 11/02/2017 12:12 PM, Nk wrote:
>>> Hi all
>>>
>>> First off thanks so much for this amazing piece of software.
>>>
>>> I’m currently using the XMPP function for an XMPP server automation
>>> project called aenigma [https://github.com/openspace42/aenigma].
>>>
>>> I know anything can be probed using a regex, but I’d like to know if
>>> anyone has already had experience with feeding XMPP HTTP uploads and
>>> other services running on ports other than 5222 to SSLH.
>>>
>>> Either way, do I need to recompile it to add a probe?
>>>
>>> What’s the best way to do this?
>>>
>>> And lastly, is there a way to automatically select “standalone” during
>>> installation in a non-interactive fashion?
>>>
>>> Thanks so much!
>>>
>>>
>>> Nk
>>>
>>>
>>>
>>> _______________________________________________
>>> sslh mailing list
>>> sslh at rutschle.net
>>> http://rutschle.net/cgi-bin/mailman/listinfo/sslh
>>>
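A complete sslh config for the layout moparisthebest describes above (XEP-0368 direct TLS by ALPN, STARTTLS XMPP by probe, HTTP upload by SNI, everything else to nginx), added here as an illustration and not taken from the thread, the sslh project or aenigma; the listen address, hostnames and backend ports are placeholders assumed for the example.

```conf
# Constructed sslh config (libconfig syntax, sslh >= 1.18). The listen
# address, hostnames and backend ports below are assumed placeholders.
foreground: true;
timeout: 2;                      # seconds to wait for the client's first bytes
user: "sslh";
pidfile: "/var/run/sslh.pid";

# sslh owns the public 443; nginx and ejabberd only listen on loopback.
listen:
(
    { host: "203.0.113.10"; port: "443"; }   # placeholder public address
);

# Probes are tried in order and the first match wins, so the specific
# ALPN / SNI entries must come before the generic "tls" catch-all.
protocols:
(
    # XEP-0368 direct TLS: the client advertises ALPN "xmpp-client" (it
    # learned 443 from the _xmpps-client._tcp SRV record). Forward to the
    # ejabberd TLS listener, assumed here to be on 5223.
    { name: "tls"; host: "127.0.0.1"; port: "5223";
      alpn_protocols: [ "xmpp-client" ]; log_level: 0; },

    # Plain XMPP with STARTTLS, matched by sslh's built-in xmpp probe.
    { name: "xmpp"; host: "127.0.0.1"; port: "5222"; },

    # HTTP upload is picked out by SNI hostname rather than ALPN
    # (ejabberd's upload listener, assumed to be TLS on 5444).
    { name: "tls"; host: "127.0.0.1"; port: "5444";
      sni_hostnames: [ "upload.example.org" ]; },

    # Ordinary HTTPS: browsers advertise h2 / http/1.1, send to nginx.
    { name: "tls"; host: "127.0.0.1"; port: "443";
      alpn_protocols: [ "h2", "http/1.1" ]; log_level: 0; },

    # Any other TLS (no ALPN, unknown SNI): the default the reply
    # recommends, which is nginx.
    { name: "tls"; host: "127.0.0.1"; port: "443"; },

    # Non-TLS traffic that matched no probe also lands on nginx.
    { name: "anyprot"; host: "127.0.0.1"; port: "443"; }
);

# Client sent nothing within `timeout` seconds: route it here instead of
# holding the connection (config-file form of --on-timeout).
on-timeout: "anyprot";
```

sslh only inspects the unencrypted ClientHello (SNI and ALPN) and forwards the bytes unchanged, so each backend still terminates its own TLS and sslh never holds a private key or sees plaintext.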
