文档链接:《Extensible Messaging and Presence Protocol (XMPP): Core》
客户和服务器之间端口为5222,服务器之间的端口为5269.
通信协议格式:
|--------------------|| <stream> ||--------------------|| <presence> || <show/> || </presence> ||--------------------|| <message to='foo'> || <body/> || </message> ||--------------------|| <iq to='bar'> || <query/> || </iq> ||--------------------|| 
||--------------------|| </stream> |
客户端和服务器之间维持一个TCP连接,服务器之间维持两个TCP连接。
想传输数据之间必须得通过验证,否则不予处理
To:用于客户端到服务器端,
From:用于服务器到客户端
Id:用于服务器到客户端,是服务器端生成的会话id号
Xml:lang:包括在客户端的初始流种,指定XML数据的字体,服务器端应该记住此设置,若客户端没有设置,则服务器使用其默认配置,并在应答流中通知给客户端。
| initiating to receiving | receiving to initiating---------+---------------------------+-----------------------to | hostname of receiver | silently ignoredfrom | silently ignored | hostname of receiverid | silently ignored | session keyxml:lang | default language | default languageversion | signals XMPP 1.0 support | signals XMPP 1.0 support
若客户端在初始化流包中包含了版本字段,则服务器在应答中必须包含一个<features/>元素,从而让客户端知道服务器支持的特性是哪些,以便客户端和服务器就某些特性进行协商。
流级别的错误是不可恢复的,因此一旦出现,则探测到错误的实体必须发送一个流错误信息给对方,并且发送</stream>结束符,关闭底层TCP连接。
一次简单的会话示例:
C: <?xml version='1.0'?> <stream:stream to='example.com' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>S: <?xml version='1.0'?> <stream:stream from='example.com' id='someid' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'> encryption, authentication, and resource binding C: <message from='juliet@example.com' to='romeo@example.net' xml:lang='en'>C: <body>Art thou not Romeo, and a Montague?</body>C: </message>S: <message from='romeo@example.net' to='juliet@example.com' xml:lang='en'>S: <body>Neither, fair saint, if either thee dislike.</body>S: </message>C: </stream:stream>S: </stream:stream>
一次发生错误的会话:
C: <?xml version='1.0'?> <stream:stream to='example.com' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>S: <?xml version='1.0'?> <stream:stream from='example.com' id='someid' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'> encryption, authentication, and resource binding C: <message xml:lang='en'> <body>Bad XML, no closing body tag! </message>S: <stream:error> <xml-not-well-formed xmlns='urn:ietf:params:xml:ns:xmpp-streams'/> </stream:error>S: </stream:stream>
出于安全性的考虑,在客户和服务器之间,服务器之间可能会要求先进行TLS 安全性的验证,而且必须在SASL协商之前完成。
客户到服务器示例:
Step 1: 客户端初始化到服务器端的流: <stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' to='example.com' version='1.0'>Step 2: 服务器的应答,回送一个<stream>标签,并指明会话id: <stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='c2s_123' from='example.com' version='1.0'>Step 3: 服务器发送STARTTLS extension 给客户端,并且指明验证机制和其他支持的流特性: <stream:features> <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'> <required/> </starttls> <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <mechanism>DIGEST-MD5</mechanism> <mechanism>PLAIN</mechanism> </mechanisms></stream:features>Step 4:客户端发送STARTTLS命令给服务器: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>Step 5: 服务器通知客户端,它被允许继续处理: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>Step 5 (alt): 服务器通知客户,TLS协商失败,关闭流和TCP连接: <failure xmlns='urn:ietf:params:xml:ns:xmpp-tls'/></stream:stream>Step 6:客户端和服务器端准备在现有的TCP连接上完成TLS验证。Step 7: 若TLS验证成功,客户端初始化一个到服务器的新流: <stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' to='example.com' version='1.0'>Step 7 (alt): 若TLS验证失败,服务器关闭TCP连接Step 8:服务器回送应答信息,包含了一个流头部和其他可用的流特性: <stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' from='example.com' id='c2s_234' version='1.0'><stream:features> <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <mechanism>DIGEST-MD5</mechanism> <mechanism>PLAIN</mechanism> <mechanism>EXTERNAL</mechanism> </mechanisms></stream:features>Step 9: 客户端继续进行SASL验证。 服务器到服务器示例:
Step 1: Server1 initiates stream to Server2: <stream:stream xmlns='jabber:server' xmlns:stream='http://etherx.jabber.org/streams' to='example.com' version='1.0'>Step 2: Server2 responds by sending a stream tag to Server1: <stream:stream xmlns='jabber:server' xmlns:stream='http://etherx.jabber.org/streams' from='example.com' id='s2s_123' version='1.0'>Step 3: Server2 sends the STARTTLS extension to Server1 along with authentication mechanisms and any other stream features: <stream:features> <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'> <required/> </starttls> <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <mechanism>DIGEST-MD5</mechanism> <mechanism>KERBEROS_V4</mechanism> </mechanisms></stream:features>Step 4: Server1 sends the STARTTLS command to Server2: <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>Step 5: Server2 informs Server1 that it is allowed to proceed: <proceed xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>Step 5 (alt): Server2 informs Server1 that TLS negotiation has failed and closes stream: <failure xmlns='urn:ietf:params:xml:ns:xmpp-tls'/></stream:stream>Step 6: Server1 and Server2 attempt to complete TLS negotiation via TCP. Step 7: If TLS negotiation is successful, Server1 initiates a new stream to Server2: <stream:stream xmlns='jabber:server' xmlns:stream='http://etherx.jabber.org/streams' to='example.com' version='1.0'>Step 7 (alt): If TLS negotiation is unsuccessful, Server2 closes TCP connection. Step 8: Server2 responds by sending a stream header to Server1 along with any available stream features: <stream:stream xmlns='jabber:server' xmlns:stream='http://etherx.jabber.org/streams' from='example.com' id='s2s_234' version='1.0'><stream:features> <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <mechanism>DIGEST-MD5</mechanism> <mechanism>KERBEROS_V4</mechanism> <mechanism>EXTERNAL</mechanism> </mechanisms></stream:features>Step 9: server1继续进行SASL验证
在TLS验证后,进行SASL验证
客户到服务器示例:
Step 1: 客户端初始到服务器的流:
<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' to='example.com' version='1.0'>Step 2:服务器发送应答:
<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='c2s_234' from='example.com' version='1.0'>Step 3:服务器通知客户可选的验证机制:
<stream:features> <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <mechanism>DIGEST-MD5</mechanism> <mechanism>PLAIN</mechanism> </mechanisms></stream:features>Step 4: 客户端选择一种验证机制:
<auth xmlns='urn:ietf:params:xml:ns:xmpp-sasl' mechanism='DIGEST-MD5'/>Step 5: 服务器发送BASE64编码过的应答数据给客户端:
<challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>cmVhbG09InNvbWVyZWFsbSIsbm9uY2U9Ik9BNk1HOXRFUUdtMmhoIixxb3A9ImF1dGgiLGNoYXJzZXQ9dXRmLTgsYWxnb3JpdGhtPW1kNS1zZXNzCg==</challenge>解码后的数据为:
realm="somerealm",nonce="OA6MG9tEQGm2hh",\qop="auth",charset=utf-8,algorithm=md5-sessStep 5 (alt):服务器返回错误给客户端:
<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <incorrect-encoding/></failure></stream:stream>
Step 6: 客户端发送一个BASE64编码的应答数据给服务器:
<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>dXNlcm5hbWU9InNvbWVub2RlIixyZWFsbT0ic29tZXJlYWxtIixub25jZT0iT0E2TUc5dEVRR20yaGgiLGNub25jZT0iT0E2TUhYaDZWcVRyUmsiLG5jPTAwMDAwMDAxLHFvcD1hdXRoLGRpZ2VzdC11cmk9InhtcHAvZXhhbXBsZS5jb20iLHJlc3BvbnNlPWQzODhkYWQ5MGQ0YmJkNzYwYTE1MjMyMWYyMTQzYWY3LGNoYXJzZXQ9dXRmLTgK</response>解码后的应答消息是:
username="somenode",realm="somerealm",\nonce="OA6MG9tEQGm2hh",cnonce="OA6MHXh6VqTrRk",\nc=00000001,qop=auth,digest-uri="xmpp/example.com",\response=d388dad90d4bbd760a152321f2143af7,charset=utf-8Step 7: 服务器发送第二个BASE64编码的challenge数据给客户:
<challenge xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>cnNwYXV0aD1lYTQwZjYwMzM1YzQyN2I1NTI3Yjg0ZGJhYmNkZmZmZAo=</challenge>
解码后的challenge是:
rspauth=ea40f60335c427b5527b84dbabcdfffd
Step 7 (alt): 服务器返回错误给客户:
<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <temporary-auth-failure/></failure></stream:stream>Step 8: 客户返回应答消息给服务器:
<response xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
Step 9: 服务器通知客户成功通过验证:
<success xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>
Step 9 (alt):服务器通知客户验证失败:
<failure xmlns='urn:ietf:params:xml:ns:xmpp-sasl'> <temporary-auth-failure/></failure></stream:stream>
Step 10:客户端初始化一个到服务器的新流:
<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' to='example.com' version='1.0'>Step 11: 服务器返回一个流头部,包含了服务器支持的流特性:
<stream:stream xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams' id='c2s_345' from='example.com' version='1.0'><stream:features> <bind xmlns='urn:ietf:params:xml:ns:xmpp-bind'/> <session xmlns='urn:ietf:params:xml:ns:xmpp-session'/></stream:features>
