Changes

Jump to navigation Jump to search
3,109 bytes added ,  15:40, 1 December 2013
m
no edit summary
'''Aim: Encrypt All XMPP Connections'''

This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following [https://github.com/stpeter/manifesto/blob/master/manifesto.txt ubiquitous encryption manifesto] test days:
* January 4, 2014 - first test day requiring encryption
* February 22, 2014 - second test day
* March 22, 2014 - third test day
* April 19, 2014 - fourth test day
* May 19, 2014 - '''permanent upgrade''' to encrypted network

To achieve this, we need to:
* encrypt connections between clients and servers (c2s)
* encrypt server to server connections (s2s)

== Step1: Get a server certificate==
Let's say you run an XMPP service for <code>example.com</code> (jids of user@example.com), you will need to order a certificate for with a subject or alt-name of <code>example.com</code> (not <code>servername.example.com</code>) from your preferred cert provider ([http://startssl.com/ StartSSL] offers free certificates and is quite good).

== Step 2: Configure your DNS ==
Ensure that the following DNS records are set:
_xmpp-server._tcp.example.com. 18000 IN SRV 0 5 5269 servername.example.com.
servername.example.com. 18000 A 10.10.10.10 # you must have an A record for your server

You can test your DNS setup at [http://xmpp.net xmpp.net]

== Step 3: Disable cleartext connections ==
These instructions will disable any cleartext communication between servers and client connections.

=== ejabberd ===
Configure ejabberd.conf
% Ordinary client-2-server service
[{5222, ejabberd_c2s, [{access, c2s},
starttls_required, {certfile, "/etc/ssl/certs/ejabberd.pem"},
{shaper, c2s_shaper}]},
% Use STARTTLS+Dialback for S2S connections
{s2s_use_starttls, true}.
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.

=== Prosody ===
Ensure that ''prosody.cfg.lua'' contains the following settings in the [https://prosody.im/doc/configure#overview global section] of your config, or under the specific <code>VirtualHost</code> you want to secure:
c2s_require_encryption = true
s2s_require_encryption = true

Further help:
* Chatroom: [https://prosody.im/chat/ prosody@conference.prosody.im]
* Documentation: [https://prosody.im/doc/security Prosody.IM: Security]

=== Tigase ===
See http://www.tigase.org/content/vhost-tls-required for more details:
--vhost-tls-required = true

By default Tigase will read VHosts certificates from ''certs/'' subdirectory match domain name against .pem filename of the certificate. Alternatively configuration for particular vhost certificate could be specified explicitly in init.properties:
basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem

* TLS for s2s connection is enabled by default; no option to configure it as ''required'' (certain domains can be configured to skip TLS for s2s with following configuration. For more information: [http://www.tigase.org/content/s2s-skip-tls-hostnames --s2s-skip-tls-hostnames]):
--s2s-skip-tls-hostnames = domain1,domain2

=== Openfire ===
???

== Step 4: Check your XMPP Security ==
[http://xmpp.net Test your XMPP security] to be sure.
190

edits

Navigation menu