I have MongooseIM server configured with docker-compose in an EC2 instance in AWS.

I intend to give access to some mobile clients with SSL through an ELB (AWS) on port 5222 (module ejabberd_c2s of mongooseim) in the following way:

     SSL (Secure TCP) -> 5222 -> TCP -> 5222  (EC2 Instance Port)

In the ejabberd_c2s module configuration I have the following:

    { 5222, ejabberd_c2s, [

                %%
                %% If TLS is compiled in and you installed a SSL
                %% certificate, specify the full path to the
                %% file and uncomment this line:
                %%
                {certfile, "priv/ssl/fake_server.pem"},
                %% 'starttls' offers the RFC 6120 STARTTLS upgrade on a
                %% plaintext stream. The listener does not speak TLS from
                %% the first byte; a client that sends a TLS ClientHello
                %% immediately is rejected as malformed XML. Use
                %% 'starttls_required' to refuse streams that never upgrade.
                starttls,

                %%{zlib, 10000},
                %% https://www.openssl.org/docs/apps/ciphers.html#CIPHER_STRINGS
                %% {ciphers, "DEFAULT:!EXPORT:!LOW:!SSLv2"},
                {access, c2s},
                {shaper, c2s_shaper},
                {max_stanza_size, 65536},
                %% Only SSLv3 is disabled here; older TLS versions are
                %% still accepted unless also turned off.
                {protocol_options, ["no_sslv3"]}

               ]},

But customers cannot connect; the only message I get on the server is this:

    mongooseim_server_dev | 10:58:25.885 [info] (#Port<0.27608>) Accepted connection {{10,0,17,246},42571} -> {{172,18,0,2},5222}
    mongooseim_server_dev | 10:58:25.885 [debug] Received XML on stream = "���yw�\��.ndEt�;�����fn�A>� n:�=5��</A
     "ngooseim_server_dev | ��kj98����g@32ED�(#
    mongooseim_server_dev | 10:58:25.885 [debug] Send XML on stream = <<"<?xml version='1.0'?><stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='2B421BCD2D077161' from='localhost' version='1.0'>">>
    mongooseim_server_dev | 10:58:25.886 [debug] Send XML on stream = <<"<stream:error><xml-not-well-formed xmlns='urn:ietf:params:xml:ns:xmpp-streams'/></stream:error>">>
    mongooseim_server_dev | 10:58:25.886 [debug] Send XML on stream = <<"</stream:stream>">>

The Mongoose documentation does not offer me any solution, and I do not see anyone else with this error.

Any help or clue?


From your description and MongooseIM log snippet I reckon that the client is starting an encrypted connection from the beginning - that's why the "Received XML" seems to be garbage.

In XMPP an initially plaintext connection is upgraded to a secure connection using STARTTLS. This should work fine with an ELB doing TCP forwarding and no TLS termination; you just have to make sure the client is not trying to use SSL/TLS from the get-go, but uses STARTTLS. All popular XMPP libraries should have this option; it's part of core XMPP.

[...] it is easier to put an ELB TCP to TCP and encrypt by TLS once the connection is open?

Exactly.

I mainly use an ELB to avoid having to handle SSL by myself and if I can not get it, would it be better to directly expose the mongoose server to the Internet?

ELB can't be used for SSL termination for plain XMPP. The available options are:

  1. ELB forwards plain TCP and MongooseIM's plain XMPP listener is used: the client opens a TCP connection but upgrades it via STARTTLS; all EC2 instances require cert provisioning.

  2. ELB is set up for HTTPS termination and MongooseIM uses the BOSH listener: BOSH is XMPP over HTTP, so it has some overhead, but the benefit of SSL/TLS offloading might be worth it; no headache with certs on EC2 instances.

  • First of all, thanks for your answer! So I understand that it is easier to put an ELB TCP to TCP and encrypt by TLS once the connection is open? Because I mainly use an ELB to avoid having to handle SSL by myself and if I can not get it, would it be better to directly expose the mongoose server to the Internet? Any recommendations on how to expose a MongooseIM server in AWS? Thank you very much for your attention. – AndoniRodriguez Jan 16 '19 at 14:00
  • Ahhh, my bad! I didn't read "SSL (Secure TCP) -> 5222 -> TCP -> 5222 (EC2 Instance Port)" properly. I've updated the answer accordingly. – erszcz Jan 16 '19 at 15:31
  • "would it be better to directly expose the mongoose server to the Internet?" You might do that if you don't want ELB for load balancing and consider DNS load balancing sufficient - which you'll have to set up. DNS records will probably take a while to update when MongooseIM EC2 instances go up/down, but it might or might not be a problem in your case. – erszcz Jan 16 '19 at 15:34
  • Thanks for the answer! "ELB can't be used for SSL termination for plain XMPP." Ok, then I go for plain TCP in ELB and self-signed certificates (upgrading the connection with STARTTLS in mobile clients). We can not use SSL with BOSH because XMPPFramework does not support it. https://stackoverflow.com/questions/26689261/enable-bosh-services-in-xmpp-ios-framework-xmppframework-to-create-chat-based Once again, thanks for your time and your knowledge, really useful. Regards! – AndoniRodriguez Jan 17 '19 at 08:25
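The answer's diagnosis (the client speaks TLS from the first byte, so the plaintext 5222 listener sees a TLS ClientHello instead of XML) and the STARTTLS upgrade it recommends, as an added example that is not part of the original question, the answer, or MongooseIM's own code. The first function classifies the opening bytes a listener receives, which is the check to run when a log shows "Received XML" as binary garbage; the second parses the server's stream features for a STARTTLS offer; the third drives the client side of the RFC 6120 STARTTLS exchange over scripted server replies, with no sockets. The ClientHello bytes, the features stanzas and the proceed/failure replies are constructed here for illustration; the server stream header is copied from the log in the question.

```python
"""Direct TLS vs STARTTLS on an XMPP c2s port (added example, not project code)."""
import xml.etree.ElementTree as ET
from typing import List

STREAMS_NS = "http://etherx.jabber.org/streams"
XMPP_TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls-client-hello', 'xmpp-plaintext' or 'unknown' for the
    first bytes a client sends. A TLS record starts with content type 0x16
    (handshake) and a 0x03 0x0N legacy version; byte 5 is the handshake
    type, 0x01 for ClientHello. A plaintext XMPP client starts with an XML
    declaration or the <stream:stream> open tag."""
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        return "tls-client-hello"
    head = data.lstrip()
    if head.startswith(b"<?xml") or head.startswith(b"<stream:stream"):
        return "xmpp-plaintext"
    return "unknown"


def starttls_offer(features_xml: str) -> str:
    """Report whether a <stream:features> stanza offers STARTTLS:
    'required', 'optional' or 'absent'."""
    root = ET.fromstring(features_xml)
    starttls = root.find(f"{{{XMPP_TLS_NS}}}starttls")
    if starttls is None:
        return "absent"
    if starttls.find(f"{{{XMPP_TLS_NS}}}required") is not None:
        return "required"
    return "optional"


def starttls_client(domain: str, server_replies: List[str]) -> List[str]:
    """Client side of the STARTTLS negotiation over scripted server replies.
    Returns the client's actions in order. 'TLS-HANDSHAKE' marks the point
    where a real client wraps the socket (ssl.SSLContext.wrap_socket with
    server_hostname=domain) and then opens a fresh stream over TLS."""
    actions = [
        "<?xml version='1.0'?>"
        f"<stream:stream to='{domain}' version='1.0' xmlns='jabber:client' "
        f"xmlns:stream='{STREAMS_NS}'>"
    ]
    for reply in server_replies:
        if reply.startswith("<?xml") or reply.startswith("<stream:stream"):
            continue  # the server's own stream open tag; features follow
        root = ET.fromstring(reply)
        if root.tag == f"{{{STREAMS_NS}}}features":
            if starttls_offer(reply) == "absent":
                actions.append("ABORT: server does not offer STARTTLS")
                break
            actions.append(f"<starttls xmlns='{XMPP_TLS_NS}'/>")
        elif root.tag == f"{{{XMPP_TLS_NS}}}proceed":
            actions.append("TLS-HANDSHAKE")
            break
        elif root.tag == f"{{{XMPP_TLS_NS}}}failure":
            actions.append("ABORT: server refused STARTTLS")
            break
    return actions


# Constructed samples. The record header says TLS 1.0, the ClientHello
# inside says TLS 1.2, which is what real clients send; the body is padding.
SAMPLE_CLIENT_HELLO = b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03" + bytes(32)
SAMPLE_PLAINTEXT_OPEN = (b"<?xml version='1.0'?><stream:stream to='localhost' "
                         b"version='1.0' xmlns='jabber:client'>")
# Server stream header as it appears in the question's log.
SERVER_HEADER = ("<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
                 f"xmlns:stream='{STREAMS_NS}' id='2B421BCD2D077161' "
                 "from='localhost' version='1.0'>")
FEATURES_REQUIRED = (f"<stream:features xmlns:stream='{STREAMS_NS}'>"
                     f"<starttls xmlns='{XMPP_TLS_NS}'><required/></starttls>"
                     "</stream:features>")
FEATURES_NONE = f"<stream:features xmlns:stream='{STREAMS_NS}'/>"
PROCEED = f"<proceed xmlns='{XMPP_TLS_NS}'/>"

if __name__ == "__main__":
    print(classify_first_bytes(SAMPLE_CLIENT_HELLO))
    print(classify_first_bytes(SAMPLE_PLAINTEXT_OPEN))
    for step in starttls_client("localhost", [SERVER_HEADER, FEATURES_REQUIRED, PROCEED]):
        print("client:", step)
```

Against a live deployment the same two cases can be reproduced with `openssl s_client -connect <elb-host>:5222 -starttls xmpp -xmpphost <domain>` (correct: the STARTTLS upgrade on the plaintext listener) versus `openssl s_client -connect <elb-host>:5222` with no `-starttls`, which sends a ClientHello first and provokes exactly the `xml-not-well-formed` stream error in the question. With TCP passthrough the certificate presented in that handshake is the one on each EC2 instance, so a self-signed certificate must be explicitly trusted or pinned by the mobile client or the handshake fails after `proceed`.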