Securing XMPP

Aim: Encrypt All XMPP Connections

This page provides instructions for XMPP server administrators to secure XMPP client and server connections in time for the following test days of the ubiquitous encryption manifesto:
 * January 4, 2014 - first test day requiring encryption
 * February 22, 2014 - second test day
 * March 22, 2014 - third test day
 * April 19, 2014 - fourth test day
 * May 19, 2014 - permanent upgrade to encrypted network

To achieve this, we need to:
 * Encrypt connections between clients and servers (c2s)
 * Encrypt server to server connections (s2s)

Step 1: Get a server certificate
Let's say you run an XMPP service for example.com (JIDs of the form user@example.com). You will need to order a certificate with a subject or alt-name of example.com (not servername.example.com; the certificate must match the domain part of the JID, not the hostname of the machine) from your preferred cert provider (StartSSL offers free certificates and is quite good).

Step 2: Configure your DNS
Ensure that the following DNS records are set:

_xmpp-server._tcp.example.com. 18000 IN SRV 0 5 5269 servername.example.com.
servername.example.com. 18000 IN A 10.10.10.10   ; you must have an A record for your server

You can test your DNS setup at xmpp.net

You may also want to secure your DNS with DNSSEC.

Step 3: Disable cleartext connections
These instructions disable cleartext communication on both client (c2s) and server-to-server (s2s) connections.

ejabberd
Configure ejabberd.conf. The first block is the c2s entry inside the listen list; starttls_required is the setting that refuses cleartext clients:

% Ordinary client-2-server service
[{5222, ejabberd_c2s, [
    {access, c2s},
    starttls_required,
    {certfile, "/etc/ssl/certs/ejabberd.pem"},
    {shaper, c2s_shaper}
  ]},

% Use STARTTLS+Dialback for S2S connections
{s2s_use_starttls, true}.
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.

Note that s2s_use_starttls also accepts optional, required and required_trusted; use required (or required_trusted, which additionally checks the remote certificate) if the server should refuse cleartext s2s rather than merely offer STARTTLS.

Prosody
Ensure that prosody.cfg.lua contains the following settings in the global section of your config, or under the specific VirtualHost you want to secure:

c2s_require_encryption = true
s2s_require_encryption = true

Further help:
 * Chatroom: prosody@conference.prosody.im
 * Documentation: Prosody.IM: Security

Tigase
See http://www.tigase.org/content/vhost-tls-required for more details:

--vhost-tls-required = true

By default Tigase reads VHost certificates from the certs/ subdirectory, matching the domain name against the .pem filename of the certificate. Alternatively, the certificate for a particular vhost can be specified explicitly in init.properties:

basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem

 * TLS for s2s connections is enabled by default; there is no option to configure it as required. Certain domains can be configured to skip TLS for s2s with the following setting (see the --s2s-skip-tls-hostnames documentation for more information):

--s2s-skip-tls-hostnames = domain1,domain2

Openfire
???

Step 4: Check your XMPP Security
Test your XMPP security to be sure.
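The following script, added here as a worked example and not part of the original page or of any of the servers above, automates that check for a single deployment. It opens a c2s stream (port 5222) and an s2s stream (port 5269) to the host your SRV record points at, reads the server's stream features, reports whether STARTTLS is offered and marked required (the Step 3 goal), then completes the TLS handshake while verifying the certificate against the JID domain rather than the server hostname (the Step 1 goal). The JID domain and host are assumed to be given as command-line arguments; everything else is standard XMPP (RFC 6120) and the Python standard library.

```python
"""Probe an XMPP deployment for the two properties this page asks for:
STARTTLS advertised as <required/> (cleartext sessions refused) and a
certificate that verifies for the JID domain, not the server hostname."""
import re
import socket
import ssl
import sys

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"
# Any of these ends the server's feature announcement.
FEATURES_END = (b"</stream:features>", b"<stream:features/>", b"</stream:stream>")


def stream_header(domain, service):
    """Opening <stream:stream> for a c2s ('client') or s2s ('server') probe."""
    ns = {"client": "jabber:client", "server": "jabber:server"}[service]
    return (
        "<?xml version='1.0'?>"
        f"<stream:stream xmlns='{ns}' xmlns:stream='{STREAM_NS}' "
        f"to='{domain}' version='1.0'>"
    ).encode()


def parse_starttls(features_xml):
    """Return (offered, required) for the <starttls/> stream feature.

    A regex is used instead of an XML parser because the server has only
    sent the opening half of an unterminated <stream:stream> document,
    which a strict parser rejects as incomplete.
    """
    m = re.search(r"<starttls\b([^>]*?)(?:/>|>(.*?)</starttls>)", features_xml, re.S)
    if not m or TLS_NS not in m.group(1):
        return (False, False)
    body = m.group(2) or ""
    return (True, "<required" in body)


def read_until(sock, markers, timeout=10.0):
    """Read until any marker is seen or the peer closes; returns text."""
    sock.settimeout(timeout)
    buf = b""
    while not any(mk in buf for mk in markers):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", "replace")


def probe(domain, host, port, service):
    """Connect to host:port, negotiate STARTTLS and verify the cert for domain."""
    result = {"service": service, "port": port, "starttls": False,
              "required": False, "cert_ok": False, "error": None}
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(stream_header(domain, service))
        features = read_until(sock, FEATURES_END)
        result["starttls"], result["required"] = parse_starttls(features)
        if not result["starttls"]:
            return result
        sock.sendall(f"<starttls xmlns='{TLS_NS}'/>".encode())
        # <proceed .../> or <failure .../> is a single empty element.
        reply = read_until(sock, (b"/>", b"</stream:stream>"))
        if "<proceed" not in reply:
            result["error"] = "server refused STARTTLS"
            return result
        # The default context verifies the chain against the system CA store
        # and checks that the certificate names the JID domain passed here:
        # example.com, not servername.example.com (the Step 1 requirement).
        ctx = ssl.create_default_context()
        try:
            with ctx.wrap_socket(sock, server_hostname=domain) as tls:
                result["cert_ok"] = True
                result["san"] = [v for _, v in tls.getpeercert().get("subjectAltName", ())]
        except ssl.SSLError as exc:
            result["error"] = f"TLS handshake failed: {exc}"
    return result


def verdict(result):
    """One-line assessment of a probe result against the page's goal."""
    if result["error"]:
        return "FAIL: " + result["error"]
    if not result["starttls"]:
        return "FAIL: STARTTLS not offered; listener is cleartext only"
    if not result["required"]:
        return "WARN: STARTTLS optional; cleartext sessions still accepted"
    if not result["cert_ok"]:
        return "FAIL: certificate does not verify for the JID domain"
    return "PASS: encryption required and certificate matches the JID domain"


def main(argv):
    # Usage (assumed): xmpp_tls_probe.py example.com servername.example.com
    # The host is the target of the SRV record from Step 2.
    domain, host = argv[1], argv[2]
    for service, port in (("client", 5222), ("server", 5269)):
        try:
            res = probe(domain, host, port, service)
        except OSError as exc:
            res = {"service": service, "port": port, "starttls": False,
                   "required": False, "cert_ok": False, "error": str(exc)}
        print(f"{service} :{port} -> {verdict(res)}")


if __name__ == "__main__":
    main(sys.argv)
```

A WARN on either listener means the server still accepts an unencrypted session even though it offers STARTTLS, which is exactly what starttls_required (ejabberd), c2s_require_encryption / s2s_require_encryption (Prosody) and --vhost-tls-required (Tigase) are meant to rule out. A handshake failure with a hostname mismatch means the certificate was issued for the machine name rather than the JID domain (Step 1).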