Neustradamus (talk | contribs) m
(54 intermediate revisions by 9 users not shown)
== Clients ==
need to add something...
== Servers ==
An XMPP server is considered secure when at least the following items are present:
* The server is running with a server certificate
* The server is configured to not allow any cleartext communications, S2S and C2S
* The server supports XEP-0198
* ...
=== Step 1: Get a server certificate ===
Let's say you run an XMPP service for <code>domain.tld</code> (JIDs of the form user@domain.tld). You will need to order a certificate with a subject or subject alternative name of <code>domain.tld</code> (not <code>server.domain.tld</code>) from your preferred certificate provider. The certificate should also include alt-names for subdomains such as <code>conference.domain.tld</code>, at least for services that should be reachable by remote users.
=== Step 2: Disable cleartext connections ===
These instructions disable any cleartext communication on both server-to-server and client-to-server connections.
==== ejabberd ====
Make sure that your ''ejabberd.yml'' contains the [http://docs.ejabberd.im/admin/guide/configuration/#listening-ports following settings].
* For ejabberd >= 17.12, list all available PEM files in this top-level option:
 certfiles:
   - "/etc/ejabberd/*.pem"
* For client-to-server connections:
 listen:
   -
     port: 5222
     module: ejabberd_c2s
     starttls_required: true
     # For ejabberd < 17.12
     # certfile: "/etc/ejabberd/certificate.pem"
* For server-to-server connections:
 s2s_use_starttls: required
 # For ejabberd < 17.12
 # s2s_certfile: "/etc/ejabberd/certificate.pem"
Further help:
* Homepage: [https://www.ejabberd.im/ ejabberd IM]
* Chatroom: [xmpp:ejabberd@conference.process-one.net?join ejabberd@conference.process-one.net]
* Documentation: [http://docs.ejabberd.im/admin/guide/ ejabberd Installation and Operation Guide]
==== Prosody ====
Prosody aims to be secure by default; as of version 0.12.x no changes to the default configuration are required to enable or enforce encrypted connections.
Further help:
* Homepage: [https://prosody.im/ Prosody IM]
* Chatroom: [https://prosody.im/chat/ prosody@conference.prosody.im]
* Documentation: [https://prosody.im/doc/security Prosody.IM: Security]
==== Metronome ====
In Metronome's latest development tip, requiring encryption is the default setting as long as TLS capability is available, and no configuration change is needed. Otherwise, ensure that ''metronome.cfg.lua'' contains the following settings in the global section of your configuration:
 c2s_require_encryption = true
 s2s_require_encryption = true
Further help:
* Homepage: [https://metronome.im Metronome IM]
* Chatroom: [xmpp:grimoire@muc.metronome.im?join grimoire@muc.metronome.im]
* Documentation: [https://metronome.im/documentation metronome.im/documentation]
==== Tigase ====
See http://www.tigase.org/content/vhost-tls-required for more details:
 --vhost-tls-required = true
By default Tigase reads VHost certificates from the ''certs/'' subdirectory, matching the domain name against the .pem filename of the certificate. Alternatively, the certificate for a particular vhost can be specified explicitly in init.properties:
 basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem
TLS for s2s connections is enabled by default; there is no option to configure it as ''required'' (certain domains can be configured to skip TLS for s2s with the following configuration; for more information see [http://www.tigase.org/content/s2s-skip-tls-hostnames --s2s-skip-tls-hostnames]):
 --s2s-skip-tls-hostnames = domain1,domain2
To further improve security, Tigase offers a "[http://www.tigase.org/content/hardened-mode hardened mode]" which turns off workarounds for SSL issues, disables SSLv2, enables more secure cipher suites and also makes StartTLS mandatory:
 --hardened-mode=true
Further help:
* Homepage: [http://www.tigase.org/ Tigase.org]
* Documentation: [http://www.tigase.org/admin-guide Admin guide]
==== Openfire ====
# Open the Openfire administration console
# Go to '''Server Settings''' under '''Server'''
# Then open '''Security Settings''' in the list on the left
# Check both radio buttons labeled '''Required'''
# Check the checkbox marked ''Accept self-signed certificates''
# Done!
Further help:
* Homepage: [http://igniterealtime.org/projects/openfire/ Openfire]
* Chatroom: [xmpp:open_chat@conference.igniterealtime.org?join open_chat@conference.igniterealtime.org]
* Documentation: [http://igniterealtime.org/projects/openfire/documentation.jsp Openfire documentation]
=== Step 3: Check your XMPP Server Security ===
[http://xmpp.net/ Test your XMPP security] to be sure.
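As an added local check (not part of this wiki page or of any of the server projects above), the following Python script opens a cleartext stream to port 5222 (or 5269 with the <code>jabber:server</code> namespace for S2S) and reports whether the server advertises STARTTLS as required, optional or absent, which is what the settings in Step 2 should produce. The two sample feature blocks are constructed, and the script and function names are my own.

```python
import re
import socket
import sys
import xml.etree.ElementTree as ET

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"


def starttls_status(features_xml: str) -> str:
    """Classify a <stream:features> fragment as 'required', 'optional' or 'absent'."""
    # The stream: prefix is declared on the enclosing <stream:stream>, which a
    # captured fragment lacks, so wrap it before parsing.
    wrapped = (f'<stream:stream xmlns:stream="{STREAM_NS}" xmlns="jabber:client">'
               f"{features_xml}</stream:stream>")
    features = ET.fromstring(wrapped).find(f"{{{STREAM_NS}}}features")
    starttls = None if features is None else features.find(f"{{{TLS_NS}}}starttls")
    if starttls is None:
        return "absent"                      # server never offers STARTTLS
    if starttls.find(f"{{{TLS_NS}}}required") is not None:
        return "required"                    # cleartext login is refused
    return "optional"                        # cleartext login still possible


def fetch_features(host: str, domain: str, port: int = 5222,
                   default_ns: str = "jabber:client", timeout: float = 5.0) -> str:
    """Open a plain TCP stream and return the first <stream:features> the server sends."""
    header = (f"<?xml version='1.0'?><stream:stream to='{domain}' "
              f"xmlns='{default_ns}' xmlns:stream='{STREAM_NS}' version='1.0'>")
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header.encode())
        while not re.search(rb"</stream:features>|<stream:features/>", buf):
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
        sock.sendall(b"</stream:stream>")
    m = re.search(rb"<stream:features(?:/>|.*?</stream:features>)", buf, re.S)
    return m.group(0).decode() if m else ""


# Constructed samples (not captured from any real server) of the two outcomes.
SAMPLE_REQUIRED = ("<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>"
                   "<required/></starttls></stream:features>")
SAMPLE_OPTIONAL = ("<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
                   "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
                   "<mechanism>PLAIN</mechanism></mechanisms></stream:features>")

if __name__ == "__main__":  # usage: python check_starttls.py host domain [port] [xmlns]
    host, domain = sys.argv[1], sys.argv[2]
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 5222
    ns = sys.argv[4] if len(sys.argv) > 4 else "jabber:client"
    print(host, port, "STARTTLS:", starttls_status(fetch_features(host, domain, port, ns)))
```

Run it against each of your own listeners; anything other than "required" means a client or peer server can still negotiate a cleartext session.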
= Encryption Manifesto (archived) =
== Aim: Encrypt All XMPP Connections ==
This page provides instructions for XMPP server administrators to secure XMPP client and server connections in readiness for the following [https://github.com/stpeter/manifesto/blob/master/manifesto.txt ubiquitous encryption manifesto] test days:
* January 4, 2014 - first test day requiring encryption
* February 22, 2014 - second test day
* March 22, 2014 - third test day
* April 19, 2014 - fourth test day
* May 19, 2014 - '''permanent upgrade''' to encrypted network
To achieve this, we need to:
* Encrypt connections between clients and servers (C2S)
* Encrypt server-to-server connections (S2S)