
Ignite Realtime Blog

24 Posts authored by: Flow Champion

(a)Smack 4.0.7 released

Posted by Flow Champion Feb 23, 2015

We just released (a)Smack 4.0.7. This is a bugfix only release.


It was found that the "hostname" argument passed to the configured HostnameVerifier in Smack 4.0 was server-controllable, which could allow a malicious attacker to circumvent hostname verification. Hostname verification is disabled by default in Smack 4.0, but enabled by default in Smack 4.1. The faulty code was removed long ago in the Smack 4.1 branch, so most Smack 4.1 (pre-)releases are not affected.


As a reminder: The second release candidate of Smack 4.1 is available. Consider updating when possible, but please refer to the Smack 4.1 Readme and Upgrade Guide first.


Smack 4.1.0-rc1 released

Posted by Flow Champion Feb 16, 2015

The Ignite Realtime community is happy to announce the first release candidate of the upcoming Smack version 4.1. Smack is an open source XMPP client library written in Java with multi-runtime support. It can be used with Java SE and Android runtimes. If you haven't done so already, now is the ideal time to grab Smack 4.1.0-rc1 and try it out. A '4.1' branch has been created that will track the further development of Smack 4.1. The API of Smack 4.1 is now officially stable and will not change in an incompatible way between further 4.1 releases.


Smack 4.1.0-rc1 is available via Maven Central.

I'd like to thank everyone at FOSDEM 2015 and XMPP Summit for such a nice time and interesting talks. I sure haven't talked to all people at the XMPP Summit, but hope that we'll meet again soon. You can find my slides of my lightning talk "XMPP and Android" at


While travelling home from Brussels in the ICE, I was able to prepare and upload beta2 of Smack 4.1. Please update your build setups and report any issues in the forum.


Smack 4.1.0-beta1 available

Posted by Flow Champion Jan 14, 2015

The Ignite Realtime community is happy to announce the first beta version of the upcoming Smack version 4.1. Smack is an open source XMPP client library written in Java with multi-runtime support. It can be used with Java SE and Android runtimes. If you haven't done so already, now is the ideal time to grab Smack 4.1.0-beta1 and try it out. Compared to the alpha versions of 4.1, the API is considered stable and API changes are unlikely to happen.


Release highlights include support for XEP-198 Stream Management (disabled by default), improved multi-threading performance, improved MUC API and support for SCRAM SHA-1.


Everyone is invited to test beta1 in their projects. The community forum awaits your feedback and bug reports. Although the beta version has proven reliable so far, please use it in production only after intensive testing.


An incomplete list of API changes can be found in the Smack 4.1 Readme and Upgrade Guide. Please consult the Readme before using Smack 4.1.


As always, Smack 4.1.0-beta1 is available from Maven Central.


Smack 4.1.0-alpha1 available

Posted by Flow Champion Sep 13, 2014

After months of hard work it's time to release the first alpha version of Smack 4.1, the open source Java XMPP client library, for testing purposes.


Smack 4.1 marks a milestone in the development history of Smack, as it's the first version that runs natively on Android. This means that aSmack is no longer required and will be phased out in the future. Future aSmack releases will be solely from the stable 4.0 branch.


Together with support for Android, Smack 4.1 also adds support for XEP-198 "Stream Management" in smack-tcp. XMPP connections with enabled Stream Management provide acknowledgments of sent stanzas (and acknowledges received stanzas to the server) and allow transparent stream resumption in case of a network outage (for example because of a WiFi ↔ GSM switch on Android).


Smack 4.1.0-alpha1 is now available from Maven Central and we would welcome interested and adventurous users to try this early alpha release and provide feedback. For more information about using Smack 4.1 and how to include it in your Android project, consult the "Smack 4.1 Readme and Upgrade Guide".


(a)Smack 4.0.0 released

Posted by Flow Champion Jun 8, 2014

5 months after the release of Smack 3.4.1 the Ignite Realtime developer community is proud to announce the first release of Smack 4, which marks a milestone in the development history of Smack. Smack has undergone a major overhaul and refactoring, including moving from Ant to Gradle and from SVN to git.


Smack 4 also includes security-related fixes. Users are encouraged to update as soon as possible.


Many people have helped to develop this release. We especially would like to thank


- Ryan Sleevi of the Google Chrome Security Team for reporting a security flaw in ServerTrustManager (SMACK-410)

- Thijs Alkemade for reporting a security flaw regarding IQ spoofing (SMACK-533, SMACK-538)

- Lars Noschinski for fixing the IQ spoofing flaws and adding support for roster versioning (SMACK-399)

- Jens Offenbach for helping to make Smack an OSGi bundle (SMACK-343)


Since the API has changed in Smack 4, make sure to read the "Smack 4.0 Readme and Upgrade Guide". A full changelog can be found in JIRA.


(a)Smack 4.0.0-rc2 released

Posted by Flow Champion May 25, 2014

Six weeks after the release of the first Release Candidate (-rc1) of Smack 4, the Ignite Realtime Community is proud to announce the release of the second and likely final Release Candidate.


Smack 4.0.0-rc2 contains many improvements and bug fixes. The API underwent some major changes and is considered stable. Now is the perfect time to test (a)Smack 4.0 if you haven't already. Smack is available from Maven Central (direct link). aSmack can be obtained from


Make sure to read the upgrade guide and the previous blog post about Smack 4.

We are happy to announce the release of (a)Smack 4.0.0-rc1. This is the first aSmack release that is in sync with Smack's codebase and therefore marks an important milestone for Smack on Android. It is also the first non-snapshot release that is going to be available on the Maven Central Repositories (SMACK-265).


Smack 4.0.0-rc1 includes some major changes and important improvements, including security-related fixes. While this is marked as a release candidate, users are encouraged to update because some important security bugs have been fixed. Please consult the "Smack 4.0 Readme and Upgrade Guide" for further information regarding the changes between Smack 3.4 and 4.0.


Previous Smack versions suffered from a missing "Basic Constraints" check in ServerTrustManager (SMACK-410): this allowed anyone with a valid CA-signed certificate for any domain to generate a certificate for any other domain that would be accepted by Smack's ServerTrustManager. Moxie Marlinspike found the same error in IE back in 2002 and wrote a detailed summary about it:

We would like to thank Ryan Sleevi of the Google Chrome Security Team for reporting the issue to us.


The fix for Smack was simply removing ServerTrustManager and the related code altogether. ConnectionConfiguration now only has a setting for a custom SSLContext. We shifted the responsibility for TLS certificate validation out of the library to the user, where it belongs. A fixed version of ServerTrustManager may return as an optional module in a future Smack release. Contributions are, as always, welcome.
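One way to build such a custom SSLContext, as an added example that is not Smack's own code: it delegates validation to the JDK's platform trust manager and then spells out the Basic Constraints check that SMACK-410 describes as missing. The class and method names are hypothetical.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example; BasicConstraintsTrust and its methods are hypothetical names.
public final class BasicConstraintsTrust {
    /** Rejects a chain (chain[0] is the leaf) in which a non-CA certificate acts as an issuer. */
    static void requireCaIssuers(X509Certificate[] chain) throws CertificateException {
        for (int i = 1; i < chain.length; i++) {
            // -1 means "not a CA"; otherwise the pathLenConstraint
            // (Integer.MAX_VALUE when the extension sets no limit).
            int pathLen = chain[i].getBasicConstraints();
            if (pathLen < 0) {
                throw new CertificateException("certificate " + i + " issues another but is not a CA");
            }
            // i - 1 intermediate CA certificates sit between this issuer and the leaf.
            // Self-issued certificates are counted too, which is stricter than RFC 5280.
            if (pathLen < i - 1) {
                throw new CertificateException("pathLenConstraint exceeded at certificate " + i);
            }
        }
    }
    static SSLContext newContext() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the platform's default trust anchors
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        final X509TrustManager platform = found;
        X509TrustManager checked = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] c, String authType)
                    throws CertificateException { platform.checkClientTrusted(c, authType); }
            @Override public void checkServerTrusted(X509Certificate[] c, String authType)
                    throws CertificateException {
                platform.checkServerTrusted(c, authType); // signatures, validity, trust anchor
                requireCaIssuers(c);                      // the explicit check shown above
            }
            @Override public X509Certificate[] getAcceptedIssuers() { return platform.getAcceptedIssuers(); }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { checked }, null);
        return ctx; // hand this to ConnectionConfiguration's custom SSLContext setting
    }
    public static void main(String[] args) throws Exception {
        System.out.println("SSLContext ready: " + newContext().getProtocol());
    }
}
```

This context validates the certificate chain only; matching the certificate against the XMPP service name is a separate hostname verification step.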


A second important security vulnerability often found in XMPP implementations was made public by Thijs Alkemade aka xnyhps early this year. Affected implementations did not properly verify the 'from' attribute of IQ responses and were therefore vulnerable to spoofed IQ packets. You can read more about it here:


Thijs also reported Smack as vulnerable in SMACK-533 and SMACK-538. Thanks to Lars Noschinski, patches were quickly provided and Smack is now immune.
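The 'from' check described above, sketched as an added example that is not Smack's patch: a reply is accepted only if its id matches the request and its sender is the entity the request was addressed to. The acceptance rules for requests without a 'to' (absent 'from', own bare JID, or the server's domain) are an assumption based on XMPP's addressing rules, the JID handling is simplified, and all names and JIDs are constructed.

```java
import java.util.Locale;

// Added example; IqReplyCheck and its methods are hypothetical names.
public final class IqReplyCheck {
    // Simplified: real code compares JIDs after stringprep/PRECIS normalization.
    static String bare(String jid) {
        int slash = jid.indexOf('/');
        return (slash < 0 ? jid : jid.substring(0, slash)).toLowerCase(Locale.ROOT);
    }
    static String normalize(String jid) {
        int slash = jid.indexOf('/');
        return slash < 0 ? bare(jid) : bare(jid) + jid.substring(slash); // resource is case-sensitive
    }
    static String domain(String jid) {
        String b = bare(jid);
        return b.substring(b.indexOf('@') + 1);
    }
    /** True if an IQ result/error carrying (respId, respFrom) may be taken as the reply to our request. */
    static boolean isReplyTo(String reqId, String reqTo, String localFullJid,
                             String respId, String respFrom) {
        if (reqId == null || !reqId.equals(respId)) return false;
        boolean toOwnAccount = reqTo == null || normalize(reqTo).equals(bare(localFullJid));
        if (!toOwnAccount) {
            // Addressed to another entity: only that exact entity may answer.
            return respFrom != null && normalize(respFrom).equals(normalize(reqTo));
        }
        // Handled by our own server on behalf of the account.
        if (respFrom == null) return true;
        String from = normalize(respFrom);
        return from.equals(bare(localFullJid)) || from.equals(domain(localFullJid));
    }
    public static void main(String[] args) {
        String me = "alice@example.org/phone"; // constructed sample JIDs and ids
        String svc = "pubsub.example.org";
        String other = "mallory@example.net/x";
        System.out.println(isReplyTo("q1", svc, me, "q1", svc));           // true
        System.out.println(isReplyTo("q1", svc, me, "q1", other));         // false: wrong sender
        System.out.println(isReplyTo("r7", null, me, "r7", null));         // true
        System.out.println(isReplyTo("r7", null, me, "r7", "example.org")); // true
        System.out.println(isReplyTo("r7", null, me, "r7", other));        // false: wrong sender
    }
}
```

Matching on the stanza id alone would accept the second and fifth cases, which is the spoofing condition the paragraph describes.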


(a)Smack 4.0.0-rc1 is considered mature. It is marked as a release candidate because we have only a small number of people who are testing the current (a)Smack development snapshot. We ask everyone using Smack in some sort of staging, development or non-critical production environment to try 4.0.0-rc1 and report any problems or feedback to the community forums.


Thanks to everyone working on Smack 4.0:


git shortlog -sn 3.4.1..4.0.0-rc1

   166  Florian Schmaus
    10  Lars Noschinski
     4  Georg Lukas
     2  Vyacheslav Blinov
     2  rcollier
     1  Daniele Ricci
     1  Jason Sipula
     1  XiaoweiYan
     1  atsykholyas


Besides the mentioned security issues, Smack 4.0 also contains many improvements and other bug fixes. An overview of all resolved issues in Smack 4.0.0-rc1 can be found in JIRA.


Smack 4.0.0-rc1 can be downloaded from Maven Central.

aSmack 4.0.0-rc1 is available as jar at

Hi there, I'm Smack's new maintainer. Some of you may know me already as the maintainer of aSmack, the Android port of Smack. I'd first like to thank Robin for his work on Smack in the past.


Smack has a long development history. The first recorded commit dates back to Jan 13 2003. Now, over 11 years later, we are going to make fundamental changes to Smack in order to ensure that it will last another decade.


Most importantly: Ignite Realtime is applying as a Google Summer of Code organization. We propose a project to modernize and modularize Smack's build system. One reason why this is necessary is that we want Smack to be able to target Java SE and Android. Read more about it here.


Smack's SVN repository has been migrated to git, and the code is now hosted on GitHub. We are currently evaluating hosting the code in our own Atlassian Stash, but that isn't decided yet and is not a high priority right now.


Let's have a look at Smack's contributors of the last 11 years:


   513  Gaston Dombiak
   474  Matt Tucker
   123  rcollier
   105  Thiago Camargo
   104  Florian Schmaus
    69  Alex Wenckus
    46  Bill Lynch
    43  Derek DeMoro
    24  Günther Niess
    15  Daniel Henninger
    12  Henning Staib
    11  loki
     7  Michael Will
     7  Wolf Posdorfer
     7  guus
     6  Holger Bergunde
     6  Jeff Williams
     5  Jay Kline
     4  Marilyn Daum
     3  Francisco Vives
     2  bruce
     1  (no author)
     1  Andrew Wright
     1  Pete Matern
     1  Tim Jentz
     1  root


Hopefully this list will grow over time. If you'd like to contribute bigger patches to Smack, please consult the developers, either via IRC #smack (freenode) or via the developers forum. All patches will be reviewed, since there are usually a few things that should be improved before the commit is ready for Smack's master branch. Also make sure to read the Guidelines for Smack Developers and Contributors.


Besides the GSOC project, there are more goodies in the queue, like XEP-0198 Stream Management and Roster Versioning.


We are also working on migrating the build system to Gradle, including deployments to Sonatype/Maven Central. I expect the next release to be available as jar and via Maven Central.


Finally, shortly after the 3.4.0 release, a memory leak was reported in the forum. The cause was identified 6 hours later, and a fixed nightly release was made available shortly after. I am going to use this important fix as a reason to release Smack 3.4.1 today, in order to get familiar with the release process of Smack.
