[JDEV] Re: OOB filetransfer negotiation

Robert Temple Robert.Temple at dig.com
Tue Aug 14 15:32:15 CDT 2001

The jabber:iq:oob packets can be used along with the mini-HTTP server
to ensure that only the intended person downloads the file, even if 
someone is sniffing the Jabber messages.

Here is the sequence of events that we use when client A wants to 
send client B a file.  

1. Client A starts up its mini-web server, generates a unique URI 
for that file and sends a jabber:iq:oob packet through the Jabber 
server, with the URL for that file.

2. Client B reads the jabber:iq:oob packet and tries to connect to
that URL.

3. Client A's HTTP server gets the new connection and request for that
URI and sends its HTTP headers back to client B.  After sending the 
headers, the HTTP server waits for a response to the original iq 
before sending the file.  It waits to make sure that it is client B 
that is trying to download that file.

4. Client B reads the HTTP headers and sends a jabber:iq:oob packet with
a type='result' attribute back through the jabber server.
This tells client A that it has successfully connected and 
successfully requested the file from the web server.

5. Client A reads the iq result packet from the jabber server and 
proceeds with sending the file through the HTTP server.

6. Client A shuts down its mini-web server if no more file transfers
are pending.

If for some reason client B cannot connect to client A's HTTP server,
or if client B decides it doesn't want to download the file, then client 
B sends an error as the response to the iq and A rejects any downloading
from that URI.

As far as I know, this is the correct way to send files in Jabber and
ensure that the files go to the right person.

There was a good discussion about it in November; look 
for the jabber:iq:oob thread.


> -----Original Message-----
> From: Jens Alfke [mailto:jens at mac.com]
> Sent: Tuesday, August 14, 2001 9:24 AM
> To: jdev at jabber.org
> Subject: [JDEV] Re: OOB filetransfer negotiation
>
> On Monday, August 13, 2001, at 05:05 PM, Julie wrote:
> > From my understanding of the descriptions of the two iq tags, they are
> > used only to send the URL to the client.  The client then goes to the URL
> > to retrieve the file.  Am I right?  Is there any way to do a direct
> > client-to-client file transfer?
>
> Yes — run a tiny HTTP server on the sending client that can deliver the
> file to the recipient. Then the sender just creates a URL with its own
> IP address as the host. In my client I use a random port number and also
> make up a random 64-bit number to put in the URL before the name of the
> file, just to make it harder for a 3rd party to find the file (unless
> they intercept the Jabber message, in which case all bets are off.) So
> the URL I send would look like:
> http://my.ip.address:randomportnumber/sixteenrandomhexdigits/nameoffile
> However, this only works if the receiver can make an HTTP connection to
> the sender, i.e. the sender is not behind a firewall or NAT.
> --Jens

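The sender-side gate from steps 1-6 of the message above, modelled as an added example; it is not code from the original post or from any Jabber client. The class and method names, iq ids and JIDs are constructed, it assumes the Jabber server stamps the from address on the reply, and refusing when the number of pending connections is not exactly one is this example's own choice rather than something the post specifies.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Offer:
    recipient: str            # JID the jabber:iq:oob packet was addressed to
    path: str                 # unguessable URI path served by the mini-HTTP server
    pending: list = field(default_factory=list)  # connections that got headers only
    state: str = "offered"    # offered -> released | rejected


class OobSender:
    """Client A's bookkeeping: which URI belongs to which iq and recipient."""

    def __init__(self):
        self.by_id, self.by_path = {}, {}

    def offer(self, iq_id, recipient, filename):
        # Step 1: one random path per transfer (64 random bits, hex-encoded).
        o = Offer(recipient, f"/{secrets.token_hex(8)}/{filename}")
        self.by_id[iq_id] = self.by_path[o.path] = o
        return o.path

    def on_http_request(self, path, conn):
        # Step 3: answer with headers, then hold the body until the iq reply.
        o = self.by_path.get(path)
        if o is None or o.state != "offered":
            return "404"
        o.pending.append(conn)
        return "headers-only"

    def on_iq_reply(self, iq_id, from_jid, iq_type):
        # Steps 4-5: return the connection to stream the file to, or None.
        o = self.by_id.get(iq_id)
        if o is None or o.state != "offered" or from_jid != o.recipient:
            return None                  # unknown id, already settled, or wrong sender
        if iq_type != "result" or len(o.pending) != 1:
            o.state = "rejected"         # error reply, or no / ambiguous connection
            return None
        o.state = "released"
        return o.pending[0]


if __name__ == "__main__":
    a = OobSender()
    p = a.offer("oob1", "b@example.org/home", "report.pdf")  # constructed values
    print(a.on_http_request(p, "conn-1"))
    print(a.on_iq_reply("oob1", "b@example.org/home", "result"))
```

A connection that only knows the URL receives headers and nothing else; the body is released only after the addressed JID confirms through the Jabber server.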