Compression error

Natale Vinto
Added over 4 years ago

Hi,

I'm using Zlib compression, enabled in the Tigase server 5.3.0 and in clients using the Smack 3.4 library, and I'm trying to figure out a strange behaviour: if I enable a virtualhost "sub.domain.com" with domain-filter-policy = OWN

I get error 403: You can only communicate within your own domain.

It looks like Smack is following the suggested c2s stream negotiation order recommendations about stream compression,

but if I restrict Tigase inter-domain communication with OWN, I get this error:

2014-05-27 10:39:52.595 [in_1-sess-man]    SessionManager.walk()              FINEST:   XMPPProcessorIfc: StartZLib (zlib)Request: from=c2s@localhost/172.31.30.109_5222_10.0.0.181_55444, to=sess-man@localhost, DATA=<compress from="kingrichard@sub.domain.com/Smack" xmlns="http://jabber.org/protocol/compress"><method>zlib</method></compress>, SIZE=134, XMLNS=http://jabber.org/protocol/compress, PRIORITY=NORMAL, PERMISSION=NONE, TYPE=null, conn: user_jid=kingrichard@sub.domain.com/Smack, packets=5, connectioId=c2s@localhost/172.31.30.109_5222_10.0.0.181_55444, domain=sub.domain.com, authState=AUTHORIZED, isAnon=false, isTmp=false
2014-05-27 10:39:52.597 [in_1-message-router]  MessageRouter.processPacket()  FINEST:   Processing packet: from=c2s@localhost/172.31.30.109_5222_10.0.0.181_55444, to=sess-man@localhost, DATA=<iq type="error" from="c2s@localhost/172.31.30.109_5222_10.0.0.181_55444" to="sess-man@localhost" id="tig4"><command xmlns="http://jabber.org/protocol/commands" node="STARTZLIB"><x xmlns="jabber:x:data" type="submit"/><compressed xmlns="http://jabber.org/protocol/compress"/></command><error code="403" type="auth"><forbidden xmlns="urn:ietf:params:xml:ns:xmpp-stanzas"/><text xmlns="urn:ietf:params:xml:ns:xmpp-stanzas" xml:lang="en">You can only communicate within your own domain.</text></error></iq>, SIZE=506, XMLNS=null, PRIORITY=NORMAL, PERMISSION=NONE, TYPE=error

This does not happen with any other client such as Psi or the XMPPFramework library; for instance, Psi requests compression before the SASL mechanism, which is not recommended by XEP-0170.

Psi:

<compress xmlns="http://jabber.org/protocol/compress"><method>zlib</method></compress>


<compressed xmlns="http://jabber.org/protocol/compress"/>

..other data..

<auth xmlns="urn:ietf:params:xml:ns:xmpp-sasl" mechanism="PLAIN">FooFooFoo</auth>


<success xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>

Smack:

D/SMACK   (29034): 01:11:04 PM SENT (1106185368): <stream:stream to="sub.domain.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
D/SMACK   (29034): 01:11:04 PM RCV  (1106185368): <?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='sub.domain.com' id='a2745bd7-6105-482e-8320-e2f211401124' version='1.0' xml:lang='en'>
D/SMACK   (29034): 01:11:04 PM RCV  (1106185368): <stream:features><sm xmlns="urn:xmpp:sm:3"/><ver xmlns="urn:xmpp:features:rosterver"/><starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/></stream:features>
D/SMACK   (29034): 01:11:04 PM SENT (1106185368): <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
D/SMACK   (29034): 01:11:04 PM RCV  (1106185368): <proceed xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
D/SMACK   (29034): 01:11:04 PM SENT (1106185368): <stream:stream to="sub.domain.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
D/SMACK   (29034): 01:11:04 PM RCV  (1106185368): <?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='sub.domain.com' id='a2745bd7-6105-482e-8320-e2f211401124' version='1.0' xml:lang='en'>
D/SMACK   (29034): 01:11:04 PM RCV  (1106185368): <stream:features><sm xmlns="urn:xmpp:sm:3"/><ver xmlns="urn:xmpp:features:rosterver"/><mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism></mechanisms><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><auth xmlns="http://jabber.org/features/iq-auth"/></stream:features>
D/SMACK   (29034): 01:11:04 PM SENT (1106185368): <auth mechanism="PLAIN" xmlns="urn:ietf:params:xml:ns:xmpp-sasl">FooFooFooFoo==</auth>
D/SMACK   (29034): 01:11:05 PM RCV  (1106185368): <success xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>
D/SMACK   (29034): 01:11:05 PM SENT (1106185368): <stream:stream to="sub.domain.com" xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams" version="1.0">
D/SMACK   (29034): 01:11:05 PM RCV  (1106185368): <?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='sub.domain.com' id='a2745bd7-6105-482e-8320-e2f211401124' version='1.0' xml:lang='en'>
D/SMACK   (29034): 01:11:05 PM RCV  (1106185368): <stream:features><sm xmlns="urn:xmpp:sm:3"/><ver xmlns="urn:xmpp:features:rosterver"/><session xmlns="urn:ietf:params:xml:ns:xmpp-session"/><compression xmlns="http://jabber.org/features/compress"><method>zlib</method></compression><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"/></stream:features>
D/SMACK   (29034): 01:11:05 PM SENT (1106185368): <iq id="7njcq-0" type="set"><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"><resource>Smack</resource></bind></iq>
D/SMACK   (29034): 01:11:05 PM RCV  (1106185368): <iq xmlns="jabber:client" type="result" to="northumberland@sub.domain.com/Smack" id="7njcq-0"><bind xmlns="urn:ietf:params:xml:ns:xmpp-bind"><jid>northumberland@sub.domain.com/Smack</jid></bind></iq>
D/SMACK   (29034): 01:11:05 PM SENT (1106185368): <iq id="7njcq-1" type="set"><session xmlns="urn:ietf:params:xml:ns:xmpp-session"/></iq>
D/SMACK   (29034): 01:11:05 PM RCV  (1106185368): <iq xmlns="jabber:client" type="result" to="northumberland@sub.domain.com/Smack" id="7njcq-1"/>
D/SMACK   (29034): 01:11:05 PM SENT (1106185368): <compress xmlns='http://jabber.org/protocol/compress'>
D/SMACK   (29034): 01:11:05 PM SENT (1106185368): <method>zlib</method></compress>
..hangs..
D/SMACK   (29034): 01:11:30 PM SENT (1106185368): <presence id="7njcq-2"></presence>
D/SMACK   (29034): User logged (1106185368): northumberland@sub.domain.com:5222/Smack
D/SMACK   (29034): 01:11:30 PM RCV  (1106185368): <presence from="northumberland@sub.domain.com/Smack" xmlns="jabber:client" to="northumberland@sub.domain.com" id="7njcq-2"/>

The compression is working also if I enable inter-domain communication within virtualhosts, so I wonder why it comes with domain restriction.

Regards


Replies (9)

Added by Artur Hefczyc TigaseTeam over 4 years ago

Wojciech has worked on the domain filter policy recently. He should have some suggestions for your problem.

Added by Wojciech Kapcia TigaseTeam over 4 years ago

Natale Vinto, can you try running this on the latest nightly? Can you also share your full init.properties (obscured) as well as log files (tigase-console.log, tigase.log.0) with the --debug=server,xmpp setting?

I was trying to replicate the issue but I wasn't able to, hence my asking for the complete logs.

Added by Natale Vinto over 4 years ago

Hi Wojciech,

I've set up a fresh 5.3.0-SNAPSHOT-b3565 nightly build 2014-05-28 with this init.properties:

--virt-hosts = domain.net
--admins = admin@domain.net
--domain-filter-policy = OWN
--vhost-register-enabled = false
--user-db-uri = jdbc:mysql://127.0.0.1:3306/xmpp?user=foo&password=foo&useUnicode=true&characterEncoding=UTF-8&autoCreateUser=true
--user-db = mysql
config-type = --gen-config-def
--cluster-mode = false
--debug = server, dd, xmpp
--monitoring=jmx:9050,http:9080
c2s/processors[s]=urn:xmpp:sm:3
c2s/watchdog_delay[L]=60000
c2s/watchdog_timeout[L]=60000
c2s/watchdog_ping_type=xmpp

I have a default virtualhost for domain.net, then I've added via Groovy a vhost sub.domain.net with default domain filter OWN (and there is another foo vhost pippo.subdomain.net).

I try to connect the user kingrichard@sub.domain.net requesting SASL authentication and ZLib compression with Smack 3.4:

ConnectionConfiguration config = new ConnectionConfiguration(ipAddress, port, "sub.domain.net");
config.setCompressionEnabled(true);
config.setSASLAuthenticationEnabled(true);
config.setSecurityMode(ConnectionConfiguration.SecurityMode.required);
connection = new XMPPConnection(config);

and the connection still hangs for about 25 seconds due to the 403 domain filter policy, also with the nightly build.

I've put tigase-log.0 and tigase-console.log on this link

Hoping this helps to understand

Thanks

Added by Natale Vinto over 4 years ago

Hi,

Is there any update about the above issue? I have to disable domain filtering to let compression work in that scenario.

Bye

Added by Artur Hefczyc TigaseTeam over 4 years ago

Wojciech, did you have a chance to work on this? It looks like the traffic filtering in privacy lists should allow all the traffic for user's domain plus the 'hostname' of the server on which the Tigase is running.

Added by Wojciech Kapcia TigaseTeam over 4 years ago

I verified that the issue is valid and stems from the fact that the server success response doesn't contain 'to', hence it's filtered out. I'm working on the fix.

Added by Natale Vinto over 4 years ago

ok thanks

Added by Wojciech Kapcia TigaseTeam over 4 years ago

A fix was pushed to the repository; now packets that are addressed internally (e.g. internal server commands to other components) won't be filtered/blocked.
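
A simplified model of the filtering behaviour discussed in this thread, added here as an illustration and not taken from the Tigase code base: it compares a destination-only OWN check with one that exempts internally addressed packets. The class, method and constant names, the internal host set and the sample JID pairs are assumptions of this example.

```java
import java.util.Set;

// Simplified model of an OWN-style domain filter. Not Tigase code; every
// class, method and constant name here is hypothetical.
public class DomainFilterModel {

    // Assumption: hosts the server uses for its own component addresses,
    // e.g. c2s@localhost and sess-man@localhost in the log above.
    static final Set<String> INTERNAL_HOSTS = Set.of("localhost");

    // Domain part of a JID such as "user@sub.domain.com/Smack"; null if absent.
    static String domainOf(String jid) {
        if (jid == null) return null;
        int at = jid.indexOf('@');
        int slash = jid.indexOf('/', at + 1);
        return jid.substring(at + 1, slash < 0 ? jid.length() : slash);
    }

    static boolean isInternal(String jid) {
        return jid != null && INTERNAL_HOSTS.contains(domainOf(jid));
    }

    // Reported behaviour: only the destination domain is compared, so packets
    // between components, or with no 'to' at all, get the 403.
    static boolean allowedBeforeFix(String userDomain, String from, String to) {
        return userDomain.equals(domainOf(to));
    }

    // Described fix: internally addressed packets are not filtered. Requiring
    // an internal sender is this example's own assumption.
    static boolean allowedAfterFix(String userDomain, String from, String to) {
        if (isInternal(from) && (to == null || isInternal(to))) return true;
        return userDomain.equals(domainOf(to));
    }

    public static void main(String[] args) {
        String own = "sub.domain.com";
        String[][] cases = {   // constructed {from, to} pairs
            {"c2s@localhost/conn-1", "sess-man@localhost"},             // STARTZLIB command
            {"sess-man@localhost", null},                               // response without 'to'
            {"kingrichard@sub.domain.com/Smack", "bob@sub.domain.com"}, // same domain
            {"kingrichard@sub.domain.com/Smack", "eve@other.example"},  // cross-domain
        };
        for (String[] c : cases) {
            System.out.printf("%-34s -> %-20s before=%-5b after=%b%n", c[0], c[1],
                allowedBeforeFix(own, c[0], c[1]), allowedAfterFix(own, c[0], c[1]));
        }
    }
}
```

The first two pairs flip from blocked to allowed, while the cross-domain pair stays blocked in both versions, so the exemption does not weaken the OWN restriction for user-to-user traffic.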

Added by Natale Vinto over 4 years ago

Hi,

I could successfully test it on the latest nightly build and I can confirm that the issue is also resolved on my side using the OWN policy and stream compression.

thanks
