Monthly Archives: June 2007

Literal XML in Erlang with parse_transform/2

One of the things I dislike about Erlang is that it severely impairs bragging opportunities. Yesterday I wrote a module that allows writing literal XML in the source and have it parsed into Erlang structures at compile time—sort of like E4X minus the manipulation goodies at runtime (at least for now).

You write:


Doc = '<greeting>Hello!</greeting>',
io:format("~p~n", [Doc]).

And it prints…


{xmlElement,greeting,
            greeting,
            [],
            {xmlNamespace,[],[]},
            [],
            1,
            [],
            [{xmlText,[{greeting,1}],1,[],"Hello!",text}],
            [],
            "/tmp",
            undeclared}

In most languages I’m familiar with, this would have granted the author instant Yacc-demigod status. With Erlang… it was less than 40 LOC. Hardly something you’d wear at a party.

Anyway, this code owes everything to Philip’s writings. It also uses parse_transform/2, and “programmers are strongly advised not to engage in parse transformations and no support is offered for problems encountered”. So unless you, like me, are still at the kid-in-a-candy-shop stage of Erlang experience, think twice before using this in production, ok?

The code is here.

Installing the StartCom SSL certificate in ejabberd

The XMPP Software Foundation established an intermediate certification authority with StartCom. If you run a public federated XMPP server, in order to provide secure communication, you no longer need to buy an SSL certificate (or resort to a self-signed certificate): simply register an account at http://www.xmpp.net and follow the certificate request process.

At least up to ejabberd 1.1.2 1.1.4, however, there is an extra step which involves patching a file and recompiling. (Update: the patching step is no longer required in ejabberd 2.0.0.)

Here is the complete procedure I followed.

After the certificate request process, you should have these files:

Decode ssl.key. openssl will ask you for a password, provide the one you gave during the certificate request process:


$ openssl rsa -in ssl.key -out ssl.key

Concatenate your server’s certificate plus key and the intermediate certificate into a single file:


cat ssl.crt ssl.key sub.class1.xmpp.ca.crt >ejabberd.pem


Place the resulting file where the ejabberd server is able to access it.

On Debian:


chown ejabberd.ejabberd ejabberd.pem
chmod 400 ejabberd.pem
mv ejabberd.pem /etc/ejabberd

Configure ejabberd.cfg:


% Ordinary client-2-server service
 [{5222, ejabberd_c2s,     [{access, c2s},
                            {max_stanza_size, 65536},
                            starttls, {certfile, "/etc/ejabberd/ejabberd.pem"},
                            {shaper, c2s_shaper}]},

% SSL-enabled client-2-server service
  {5223, ejabberd_c2s,     [{access, c2s},
                            {max_stanza_size, 65536},
                            tls, {certfile, "/etc/ejabberd/ejabberd.pem"},
                            {shaper, c2s_shaper}]},

% [...]

% Use STARTTLS+Dialback for S2S connections
{s2s_use_starttls, true}.
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.

Restart the server.

At this point, the certificate is installed but ejabberd is not presenting it correctly. If you run the following:


openssl s_client -connect your.server.org:5223 -CAfile /path/to/ca.crt

You will get an incomplete certificate chain:


[...]
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=Your State/L=Your Location/O=Your Name/OU=Domain validated only/CN=your@server.org/emailAddress=hostmaster@server.org
   i:/C=US/ST=Colorado/O=Jabber Software Foundation/OU=Secure Certificate Signing/CN=StartCom Class 1 Intermediate CA - Jabber Software Foundation/emailAddress=certmaster@jabber.org
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]

To fix it, you have to apply a small patch. Start by downloading ejabberd source.

On Debian:


apt-get source ejabberd

Now you could grab the patch from the ejabberd bug tracker and use the “patch” tool to apply it, however as of ejabberd 1.1.2 line numbers have shifted and it won’t apply cleanly. Since it’s a one-liner, just open the file src/tls/tls_drv.c and locate the following line:


res = SSL_CTX_use_certificate_file(d->ctx, buf, SSL_FILETYPE_PEM);

Replace it with the following:


res = SSL_CTX_use_certificate_chain_file(d->ctx, buf);

To compile it, either go to the src/ directory and type:


make

Or, on Debian, generate a new package:


fakeroot dpkg-buildpackage -uc -nc

Reinstall, and you’re done.

To verify that it’s working, run again:


$ openssl s_client -connect sameplace.cc:5223 -CAfile /path/to/ca.crt

This time you should get:


[...]
verify return:1
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=Your State/L=Your Location/O=Your Name/OU=Domain validated only/CN=your@server.org/emailAddress=hostmaster@server.org
   i:/C=US/ST=Colorado/O=Jabber Software Foundation/OU=Secure Certificate Signing/CN=StartCom Class 1 Intermediate CA - Jabber Software Foundation/emailAddress=certmaster@jabber.org
 1 s:/C=US/ST=Colorado/O=Jabber Software Foundation/OU=Secure Certificate Signing/CN=StartCom Class 1 Intermediate CA - Jabber Software Foundation/emailAddress=certmaster@jabber.org
   i:/C=IL/ST=Israel/L=Eilat/O=StartCom Ltd./OU=CA Authority Dep./CN=Free SSL Certification Authority/emailAddress=admin@startcom.org
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]

Which is a complete certificate chain and openssl is able to verify it against the root certificate.

An xmpp4moz notebook

I like documentation that looks like a laboratory notebook—not a linear and sure path from problem to solution, but a record of the paths tried, including the bad ones, reasons why they were bad, intuitions that led toward the solution, and ideas about where to go next.

So I was pleased to stumble on the blog about the development of TrueTalk. I’m still not sure about what TrueTalk is, but it is based on xmpp4moz and the authors frequently report about the challenges they meet and how they face them.

If you’re considering writing something on xmpp4moz and want to get an insider’s perspective, have a look at this blog.