3,109 bytes added ,  15:40, 1 December 2013
'''Aim: Encrypt All XMPP Connections'''

This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following [ ubiquitous encryption manifesto] test days:
* January 4, 2014 - first test day requiring encryption
* February 22, 2014 - second test day
* March 22, 2014 - third test day
* April 19, 2014 - fourth test day
* May 19, 2014 - '''permanent upgrade''' to encrypted network

To achieve this, we need to:
* encrypt connections between clients and servers (c2s)
* encrypt server to server connections (s2s)

== Step 1: Get a server certificate ==
Let's say you run an XMPP service for <code></code> (jids of, you will need to order a certificate for with a subject or alt-name of <code></code> (not <code></code>) from your preferred cert provider ([ StartSSL] offers free certificates and is quite good).

== Step 2: Configure your DNS ==
Ensure that the following DNS records are set:
 18000 IN SRV 0 5 5269
 18000 A          # you must have an A record for your server

You can test your DNS setup at []

== Step 3: Disable cleartext connections ==
These instructions disable cleartext communication on both client (c2s) and server (s2s) connections.

=== ejabberd ===
Configure ''ejabberd.conf'':
 %% Ordinary client-to-server service: starttls_required refuses clients that do not upgrade to TLS
 {listen, [
   {5222, ejabberd_c2s, [{access, c2s},
                         starttls_required,
                         {certfile, "/etc/ssl/certs/ejabberd.pem"},
                         {shaper, c2s_shaper}]}
 ]}.
 %% Use STARTTLS+Dialback for S2S connections.
 %% 'true' (legacy) only permits STARTTLS; 'required' refuses unencrypted s2s (ejabberd 2.1.x)
 {s2s_use_starttls, required}.
 {s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.

=== Prosody ===
Ensure that ''prosody.cfg.lua'' contains the following settings in the [ global section] of your config, or under the specific <code>VirtualHost</code> you want to secure:
 c2s_require_encryption = true
 s2s_require_encryption = true

Further help:
* Chatroom: []
* Documentation: [ Prosody.IM: Security]

=== Tigase ===
See for more details:
 --vhost-tls-required = true

By default Tigase reads VHost certificates from the ''certs/'' subdirectory, matching the domain name against the .pem filename of the certificate. Alternatively, the certificate for a particular vhost can be specified explicitly in

* TLS for s2s connections is enabled by default; there is no option to configure it as ''required''. Certain domains can be configured to skip TLS for s2s with the following setting (for more information see [ --s2s-skip-tls-hostnames]):
 --s2s-skip-tls-hostnames = domain1,domain2

=== Openfire ===

== Step 4: Check your XMPP Security ==
[ Test your XMPP security] to be sure.
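If you would rather verify the result of Step 3 from your own machine, the following Python probe (an added example, not part of this page or of any of the servers above) opens a c2s or s2s stream to a host, reads the <code>&lt;stream:features/&gt;</code> the server advertises before TLS, and reports whether <code>&lt;starttls/&gt;</code> is marked <code>&lt;required/&gt;</code>. A server that has disabled cleartext connections must answer <code>required</code>. Host, port and domain are command-line arguments; the sample replies in the block are constructed, with <code>example.com</code> standing in for your own domain.

```python
"""Added example: classify an XMPP server's STARTTLS policy from its stream features.

Not part of the wiki page. Opens the initial <stream:stream>, reads the
<stream:features/> the server advertises before TLS, and classifies the
<starttls/> feature as 'required', 'optional' or 'absent'. A server that has
disabled cleartext connections (Step 3) must answer 'required'.
"""
import socket
import sys
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"


def starttls_policy(raw: str) -> str:
    """Classify STARTTLS from the raw reply a server sent after our stream header.

    The reply is an *open* <stream:stream> element, so it is closed before parsing.
    Returns 'required', 'optional', 'absent' or 'no-features'.
    """
    doc = raw.strip()
    if not doc.endswith("</stream:stream>"):
        doc += "</stream:stream>"
    root = ET.fromstring(doc)
    features = root.find(f"{{{STREAM_NS}}}features")
    if features is None:
        return "no-features"   # e.g. the server answered with <stream:error/> instead
    starttls = features.find(f"{{{TLS_NS}}}starttls")
    if starttls is None:
        return "absent"        # cleartext only: TLS is not offered at all
    if starttls.find(f"{{{TLS_NS}}}required") is not None:
        return "required"      # cleartext disabled: the goal of Step 3
    return "optional"          # TLS offered, but a client may skip it


def probe(host: str, port: int, domain: str, timeout: float = 5.0) -> str:
    """Connect, send a stream header for c2s (5222) or s2s (5269), return the reply."""
    content_ns = "jabber:server" if port == 5269 else "jabber:client"
    header = (
        "<?xml version='1.0'?>"
        f"<stream:stream to='{domain}' version='1.0' xmlns='{content_ns}' "
        f"xmlns:stream='{STREAM_NS}'>"
    )
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header.encode("utf-8"))
        # Read until the features element (or a stream close) has arrived.
        while b"</stream:features>" not in buf and b"</stream:stream>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode("utf-8", "replace")


# Constructed sample replies (not captured from a real server); 'example.com'
# stands in for the service's own domain.
_PREAMBLE = (
    "<?xml version='1.0'?>"
    "<stream:stream from='example.com' id='c0nstructed' version='1.0' "
    f"xmlns='jabber:client' xmlns:stream='{STREAM_NS}'>"
)
_SASL = ("<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
         "<mechanism>PLAIN</mechanism></mechanisms>")
SAMPLE_REQUIRED = _PREAMBLE + (
    f"<stream:features><starttls xmlns='{TLS_NS}'><required/></starttls></stream:features>"
)
SAMPLE_OPTIONAL = _PREAMBLE + (
    f"<stream:features><starttls xmlns='{TLS_NS}'/>{_SASL}</stream:features>"
)
SAMPLE_ABSENT = _PREAMBLE + f"<stream:features>{_SASL}</stream:features>"
SAMPLE_ERROR = _PREAMBLE + (
    "<stream:error><host-unknown xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>"
    "</stream:error></stream:stream>"
)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        print(f"usage: {sys.argv[0]} HOST PORT DOMAIN", file=sys.stderr)
        sys.exit(2)
    host, port, domain = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(f"{host}:{port} STARTTLS {starttls_policy(probe(host, port, domain))}")
```

Run it once against port 5222 and once against 5269; both should print <code>required</code> after the Step 3 changes. An <code>optional</code> result on 5269 is what the legacy ejabberd <code>{s2s_use_starttls, true}</code> setting produces, and <code>absent</code> means the listener is not offering TLS at all, so check the certificate path and that the server actually reloaded its configuration.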
