Prosodical Thoughts

Prosody 0.8.2 released

2011-06-20T14:38:43Z

Hi all. Just a small release for you this time, with a handful of bugfixes. Thanks to '@eoranged' and the other PostgreSQL users who helped with feedback and testing of the SQL fixes (the PostgreSQL server we use for testing is now behaving properly!).

A summary of changes in this release:

mod_storage_sql: Fix compatibility with PostgreSQL databases (0.8.1 issue)
mod_bosh: Fix for sessions not timing out after inactivity in some cases
mod_dialback: Fix multiple concurrent dialback requests for the same domain (was sometimes causing s2s failure with certain ejabberds)

Download

Windows: Installer | Zip

Debian/Ubuntu: 32-bit | 64-bit

Source tarball: prosody-0.8.2.tar.gz

Prosody 0.8.1 released

2011-06-04T18:55:19Z

This is a security and bugfix release for the 0.8 branch. This release contains fixes for a couple of major issues, and it is strongly recommended that you upgrade.

Some of you may already be aware of the "billion laughs" denial-of-service attack which was discovered to work against a number of XMPP servers recently. Due to accidental oversight the Prosody team was not notified ahead of the issue being made public, so we have worked hard the past few days to prepare this release as soon as we could.

In addition to upgrading Prosody, you MUST also upgrade the LuaExpat library to 1.2.0 to prevent the attack - this should hopefully be arriving in your distribution shortly, alternatively it can be installed using luarocks. See our dependencies page for details.

If you are a packager and are looking for backported patches to older Prosody versions, please see the 0.8.1 release notes.

A summary of changes in this release:

Reject XML DTDs, comments and processing instructions, preventing the "billion laughs" attack
Switch to MEDIUMTEXT in the schema for MySQL to avoid truncating large data (such as large avatars) Prosody automatically upgrades the table in-place if possible, see our MySQL documentation for more information.
Fix for endless loop when parsing certain invalid JSON
Fix PostgreSQL compatibility in prosody-migrator
Fix timestamp parsing for DST (affecting MUC scrollback retrieval)
mod_legacyauth now correctly disabled for unencrypted connections by default
Components properly inherit SSL settings and certificates from their 'parent' hosts
Prevent startup with no VirtualHost entries in the config file

As usual if you need help or have any questions about installing/upgrading, feel free to ask.

Download

Windows: Installer | Zip

Debian/Ubuntu: 32-bit | 64-bit

Source tarball: prosody-0.8.1.tar.gz

An Introduction to Lua - London

2011-04-18T01:43:25Z

A heads-up for those in the London area and looking for something to do on Tuesday evening. Matthew is going to be giving a talk introducing the basics of Lua, and talking a bit about why we chose Lua for Prosody, and how it has benefited the project.

Anyone is welcome, space permitting, and registration is free via Lanyrd (Twitter account required) or Superdevs (OpenID required).

Prosody 0.8.0 released!

2011-04-07T14:37:04Z

Hurrah! We're very pleased to announce the release of Prosody 0.8.0.

This release includes a number of anticipated new features, which we'll take a tour of below. But before that we would like to thank everyone who has helped with this release - our strong community makes Prosody what it is.

In particular I'd like to thank Florian Zeitz, Kim Alvefur, Jeff Mitchell, Robert Hoelz, Paul Aurich, Dwayne Bent, Tobias Tom and Brian Cully for their contributions to this release.

And a quick word about 0.9, which is already underway. As always we're looking for testers and contributors to help shape the next release. We currently have pubsub, secure federation using certificate authentication and IPv6 support in various stages of development in trunk.

So, now to what's new in 0.8. Let's see...

Pluggable authentication

Prosody already supported various authentication mechanisms via Cyrus SASL. However Cyrus SASL is, as anyone who has used it will agree, not the easiest piece of kit to configure.

Prosody 0.8 brings us the option of authentication modules, which handle the validation of credentials for a given domain.

The primary two authentication modules provide plaintext and hashed password storage. The hashed storage module was originally developed by Jeff Mitchell, and made to use the SCRAM standard format for storing the hashed passwords. As far as we are aware Prosody is the only open-source XMPP server to support this secure format for password storage.

It's worth noting that both plain and hashed storage have different advantages and drawbacks, which we discuss in our article "Plain or hashed password storage?".

In addition there are beta and community modules for authenticating against LDAP, an external process/script, and even two-factor authentication using YubiKey devices. This list is set to grow, and we encourage anyone to suggest or contribute new authentication modules.

Pluggable storage

Authentication wasn't the only area to gain some extensibility. The number of requests we received to link Prosody up with different storage systems, ranging from stock MySQL and PostgreSQL setups to Mongo and CouchDB encouraged us to develop our storage API to allow any plugin to provide storage drivers.

Prosody's beloved file-based driver remains the default, but we have added an SQL storage plugin for those who need something more powerful, or who need to easily share the data with other applications such as web services. This module currently supports MySQL, PostgreSQL and SQLite3.

If you have a favourite database that you want Prosody to support, now is the time to get hacking!

Ad-hoc commands

Florian Zeitz developed ad-hoc command support for Prosody a while back, but 0.8 is the first release to include it as standard. Ad-hoc commands allow you to control and configure the server from within your XMPP client, using a form-driven interface.

Multi-user conference improvements

Our MUC module was missing a number of useful features that we have added in 0.8. These include members-only and invite-only rooms, and restricting room creation to local users as well as admins.

Other features

As usual we've added a large number of other small features and enhancements that are too numerous to list here. You'll just have to download the release and be surprised!

Download

Windows: Installer | Zip

Debian/Ubuntu: 32-bit | 64-bit

Source tarball: prosody-0.8.0.tar.gz

JSON Encodings for XMPP

2011-04-01T19:00:52Z

By popular demand from some parts of the web community the XSF published a new XMPP extension today - XEP-0295. At long last this XEP brings us a standard for XMPP streams that employ the standard lightweight data interchange format known as JSON.

We all know that JSON is simple, light and fast - and of course these properties align very well with the Prosody project. For that reason, we have been working hard all day to provide the first implementation of this new stream format... and are happy to announce the immediate release of mod_json_streams!

Simply install mod_json_streams as you would any other plugin (requires Prosody 0.8) and you can start using JSON streams right away! More documentation can be found on the prosody-modules wiki page for mod_json_streams.

While client developers can now rally to implement XEP-0295 in their software, we have already developed a plugin for the popular Strophe JS library to allow web developers to incorporate this into their projects right away. After loading this Strophe connection plugin simply point Strophe at http://your-server:5280/jsonstreams and watch the JSON fly!

Those interested will be glad to know that we are already at work on our next big interface - HTML(5) based streams, complete with support for optional closing tags in stanzas, and an embedded scripting language for manipulating them once they reach clients.

Prosody 0.8.0rc2 available for testing

2011-03-02T05:47:48Z

Time for a new release candidate for 0.8! If you aren't familiar with the new features in 0.8 yet, please refer to our announcement of 0.8.0rc1.

No major issues have been found since RC1, but we've found and fixed a number of minor ones, and sneaked in a couple of small features we've been working on that didn't quite make RC1 in time.

This includes a new migrator for moving data from the current file-based backend to the SQL backend, and vice-versa. The plan is to merge our other migration utilities for ejabberd and XEP-0227 into this one, and create the ultimate data migration tool :)

Download links are down below as usual, but here follows a summary of the changes made since RC1:

mod_storage_sql: Display friendlier error when LuaDBI is not found on the system
Fix a config issue that prevented disabling a module on a specific host
Some internal cleanup and performance improvements in the stanza building API
Log and gracefully handle errors in HTTP request handlers
PEP: Fix resending published items on contact presence change
MUC: Add option to choose whether participants can change the subject
MUC: Some fixes to affiliation management permissions
Support for multiple plugin directories (now possible to load directly from a prosody-modules repo checkout, for example, or from a custom dev directory)
Stricter checking of the 'type' attribute on iq and presence
Add new migration tool, for moving data between the file and SQL backends
Make the new logging config syntax compatible with log sinks like "syslog"
Add a "module.path" for plugins to know where they were loaded from
Adjust some logging levels around s2s to make it less verbose by default
Remove hereto undocumented 'sasl_realm' config option
SCRAM: Fix escaping issue with commas in usernames

As always feedback is welcome on anything in the release. Documentation for the new data migrator can be found on our site.

Download

Windows

Debian/Ubuntu

Source

Tarball

Prosody 0.8.0RC1 available for testing

2011-01-13T16:51:02Z

Hello everyone!

Finally, the announcement everyone has been waiting for... we're very proud to present a release candidate for Prosody 0.8.0!

Prosody 0.8 contains a number of features that people have been eager to see. In particular it is now easy to extend Prosody's authentication and storage via plugins. This means Prosody can grow to support a large range of databases and 3rd-party authentication systems.

This is a non-exhaustive list of changes since 0.7:

Support for pluggable storage backends, including:
- File-based (still the default)
- SQL, supporting SQLite, MySQL and PostgreSQL
- More (beta) in prosody-modules
Support for pluggable authentication backends
- Plain (still the default)
- Hashed (passwords are not recoverable from storage)
- Cyrus SASL
- Anonymous (no credentials required)
- More (beta) in prosody-modules
Ad-hoc commands are now included by default, to allow managing Prosody via your XMPP client.
The built-in mod_muc for hosting chatrooms gained many new features, including password-protected and members-only/invite-only rooms.
Components such as gateways and transports can securely be prevented from being accessed by remote servers (disallow_s2s = true).
BOSH: Support for preserving the client's real IP through trusted proxies.

If you are packaging Prosody then you should take a look at our documentation for packagers for more notes about this release related to building and packaging.

If there are no major issues found in this RC then the final 0.8.0 release will be made in the next couple of weeks.

All feedback is welcome, especially from people testing SQL storage. We are working on putting together a migrator to move data from one storage backend to another, expect that to be announced here soon. For more info see out storage documentation.

Known issues

Since packaging and testing RC1 we have found a couple of small issues that will be corrected in the final release:

The 'authentication' option is not documented in the config file. See this documentation for now.
Tracebacks are shown if SQL storage is selected but LuaDBI is not installed. See this page for installation instructions.
The Windows build does not include LuaDBI. Addon packages for SQLite and MySQL are provided separately.

Download

Windows

Debian/Ubuntu

Source

Tarball

Prosody nightly builds

2010-07-13T17:36:59Z

For quite a while we have made it easy to get snapshots of the latest Prosody source, and also provided a 64-bit Debian package (prosody-dev) that tracks Prosody's main development branch.

We just completed the last pieces of a new system for building regular nightly builds for each of our active branches. Produced every day at 5AM UTC are builds of a source tarball and Debian/Ubuntu 32-bit and 64-bit packages.

Eventually we plan to extend this system to building for various other platforms (including Windows).

You can find all the builds at http://prosody.im/nightly/.

The Debian packages are automatically uploaded every night to our package repository, and the packages are named according to the branch they are built from. Currently available are: prosody-0.6, prosody-0.7, and prosody-trunk (this last is always following the very latest development code).

The build server is generously donated by Florian Thießen, who also runs a public service running Prosody, thiessen.im.

Prosody 0.7.0 released

2010-06-14T18:19:56Z

We did it! We are very pleased to announce the release of Prosody 0.7.0.

Download links are below, but first let's take a look at some of the new features...

Efficient connection handling

One of the most significant changes in Prosody 0.7 is the added support for libevent, meaning Prosody can efficiently handle very large numbers of connections on a variety of platforms using epoll, kqueue, and a range of other mechanisms.

For more information see our libevent documentation.

Cyrus SASL authentication

There is also now support for Cyrus SASL to handle authentication, allowing the use of LDAP, PAM, SQL or a range of other authentication methods such as GSSAPI.

For more information see our Cyrus SASL backend documentation.

SCRAM authentication

Tobias Markmann has also added support for SCRAM, a new authentication mechanism that solves a lot of the problems and weaknesses found in the current and widely-used mechanisms. Prosody's SCRAM support has been successfully tested against development versions of Pidgin, Pandion, Gajim, Psi, Telepathy and the newcomer Swift.

Also in the area of authentication and security, we have decided to make Prosody advertise the 'PLAIN' SASL mechanism by default only when the client's connection to the server is encrypted. This means that even when encryption isn't enforced, clients will never be transmitting passwords in a form that can easily be reversed.

Privacy lists

For a while Thilo Cestonaro has been busy contributing plugins to our prosody-modules project. Finally this release pulls in two of his plugins, mod_privacy and mod_proxy65.

Privacy lists allow users to configure custom filters for messages, presence and queries. This is already supported by most clients, which allow you to create very flexible rule-based filters.

Sometimes privacy lists are far more powerful than you need though, so we also have a plugin (currently experimental) for a protocol known as "Simple Communications Blocking", which allows you to simply configure a list of JIDs you wish to block all communications with.

File transfer proxying

File transfer in XMPP has been notoriously unreliable. This is in large part due to ever-increasing presence of firewalls and NAT routers between users, preventing connections directly between clients.

Using mod_proxy65, a client can request that Prosody acts as an intermediary in a file transfer - both clients connect to the server, and the server will relay data between them.

Most clients already support this protocol (XEP-0065, as the name suggests), and so once configured on the server it should work with any modern client out of the box.

Setting up the file transfer proxy is described in our mod_proxy65 documentation.

Port multiplexing

An experimental new feature allows you to configure Prosody to run more than one kind of service on a single port. As an example you can handle both client-to-server and server-to-server connections on a single port, in fact, it even supports HTTP and BOSH! This means that you could serve XMPP clients on port 80, and still serve files over HTTP and allow BOSH connections on that port.

To try it out, simply set the list of ports in the config, for example: "ports = { 5222, 80 }" - no need to specify which service(s) each port is for.

Further port configuration is described in our documentation.

Error notification

Another relatively minor, but very useful change is that when Prosody fails to deliver a message over a server-to-server connection, it includes in the generated error message what caused the failure. The feature is probably best described with a screenshot (this is of Gajim):

By providing this information we can allow client developers to provide better user interfaces. Error handling and reporting is in our experience one area where all the major clients have a lot of room for improvement. Hopefully this can help them on their way to more explanatory errors.

Proxy-less BOSH

BOSH is a great technology which allows XMPP to be used from web pages. However it has traditionally been rather restricted by Javascript's "same-origin" policy, which prevents a page from connecting to the XMPP server unless it is on the same domain and port.

Until now this has been solved by using a server proxy on the page's domain to forward requests to the XMPP server, or to use Flash to make the requests, via flxhr.

However browsers now are beginning to support a new specification known as Cross-Origin Resource Sharing (CORS). This allows a browser to ask for permission from the remote domain to send requests there.

Support for CORS is now implemented in Prosody, and a browser also supporting CORS can connect to Prosody via BOSH without using a proxy, and without using Flash. CORS works out of the box with Strophe.js.

Details on configuring CORS support to suit your setup can be found in our BOSH documentation.

Other changes

This release includes many other changes, features and improvements. These include compression for server-to-server streams, disabling support for the insecure SSLv2 protocol, fixes to make PEP support compatible with User Avatar, and non-anonymous rooms and room destruction for MUC.

There have also been numerous changes to improve performance, and compliance with the latest XMPP specifications.

As always, you can reach us in any of the usual places for feedback, bug reports or words of thanks :-)

Download

Windows: Installer | Zip

OS X: Installer (requires OS X 10.5 or newer, Intel (32bit/64bit) and PowerPC (32bit))

Debian/Ubuntu: 32-bit | 64-bit

Source tarball: prosody-0.7.0.tar.gz

Prosody 0.7.0RC2 available for testing

2010-05-26T18:18:36Z

It's been a while, but we're back with a new release candidate for Prosody 0.7.0! The last one gave us valuable feedback and caught issues we'd never have caught without all our users who helped with the testing. Thanks!

So, now for RC2. The links to download are below. There have been quite a few fixes and improvements, here is the list of changes since RC1:

SASL SCRAM updated for the latest specifications.
More robust handling of running out of file descriptors.
Replaced broadcast_message_policy with ignore_presence_priority for compatibility with the new XMPP specifications.
Option consider_bosh_secure for those using HTTPS->HTTP proxies and Prosody's encryption enforcement.
Fixes and optimisations for mod_privacy.
Support for canonicalizing credentials sent to Cyrus SASL.
Fix for HTTPS server handling of large client->server payloads.
Fix for ghost BOSH users triggered by using Apache for proxying, Firefox as a browser or a range of other random variables :)
mod_proxy65 now works with libevent backend.
Fix MUC issue preventing role changes by non-owners.
Fix timers not firing when using libevent.
Fix namespacing of stanzas sent over s2s connections.
Don't re-send data when connection closes, causing high CPU usage.
Add s2s_allow_encryption option to allow disabling encryption for s2s.
Improve error reporting when using Cyrus SASL.
Make mod_groups (shared rosters) work with roster versioning clients.
Fix compression to work with Pandion, and clients which negotiate it immediately after SASL and before resource binding.
Handle multiple IPs per nameserver statement in resolv.conf
Improve the handling of errors received from OpenSSL when loading certificates.

If you want to give 0.7.0 a try before the final release, download it below, and let us know how you get on. If all goes well then we'll be releasing 0.7.0 final shortly!

Download

Windows: Installer | Zip

OS X: Installer (requires OS X 10.5 or newer, Intel (32bit/64bit) and PowerPC (32bit))

Debian/Ubuntu: 32-bit | 64-bit

Source tarball: prosody-0.7.0rc2.tar.gz

Prosody 0.6.2 released

2010-04-28T14:05:48Z

We are pleased to announce the release of Prosody 0.6.2.

This release fixes a bucketful of issues, some big, some small. The most notable changes include:

Disable SSLv2 by default, as it is insecure
Fix a bug that could cause invalid XML to be sent to clients
In some cases data sent immediately before socket close could be lost
c2s/s2s require_encryption options now do what they say on the tin
Improved detection of already-running Prosody instances
Fixed a small memory leak in HTTP/BOSH
Ensure that the namespace on sent s2s stanzas is always jabber:server
Fix to correct the algorithm used in selecting SRV targets from DNS

In addition we have slightly reformatted the default configuration file, in an attempt to make first-time configuration easier, based on feedback received from users. All existing configuration files work with no changes required.

Thanks to everyone who has helped find and report bugs, and help test the fixes for this release. We couldn't have done it without you :)

Download

Windows: Installer |Zip

Debian/Ubuntu: 32-bit | 64-bit

Source tarball: prosody-0.6.2.tar.gz