Difference between revisions of "Securing XMPP"

From XMPP WIKI
Jump to navigation Jump to search
 
m
 
(49 intermediate revisions by 9 users not shown)
Line 1: Line 1:
This page provides instructions for XMPP server administrators to secure XMPP client and server connections.
== Clients ==
need to add something...


==Current Goals==
== Servers ==
An XMPP Server is considered secure when the following (minimum) items are present:
* The server is running with a server certificate
* The server is configured to not allow any cleartext communications - S2S and C2S
* The server supports XEP-198
* ...


The information on this page is designed to meet the following goals:
=== Step1: Get a server certificate===
Let's say you run an XMPP service for <code>domain.tld</code> (jids of user@domain.tld), you will need to order a certificate for with a subject or alt-name of <code>domain.tld</code> (not <code>server.domain.tld</code>) from your preferred cert provider. The certificate should also include alt-names for subomains such as <code>conference.domain.tld</code>, at least for services that should be accessible to remote users.


* encrypted connections between clients and servers (a.k.a. "c2s")
=== Step 2: Disable cleartext connections ===
* encrypted server to server connections (a.k.a. "s2s")
These instructions will disable any cleartext communication between servers and client connections.
* encryption working for virtual hosted XMPP environments (more than one domain per server)


Naturally, other goals might be appropriate now and in the future: end-to-end encryption for one-to-one messaging, file transfer, and voice/video (e.g., OTR and ZRTP); encryption of multi-user chatrooms; onion routing (e.g., Tor) for stanza routing; mix networks; password-free authentication; etc.
==== ejabberd ====
Make sure that your ''ejabberd.yml'' contains the [http://docs.ejabberd.im/admin/guide/configuration/#listening-ports following settings].


==Background==
* For ejabberd >= 17.12 list all available PEM files in this top-level option
certfiles:
  - "/etc/ejabberd/*.pem"


Although many IM clients can be configured to force encrypted connections for the c2s hop, XMPP does not encrypt connections by default (this is like using telnet instead of ssh to administer remote machines). Also, if you are communicating with someone at another server, there is no way to know if the s2s hop has been encrypted.
* For client-to-server connections:
listen:
  -
    port: 5222
    module: ejabberd_c2s
    starttls_required: true
    # For ejabberd < 17.12
    # certfile: "/etc/ejabberd/certificate.pem"


This page will show you how to enable encryption for your user's c2s connections and also to encrypt and authenticate s2s connections to remote domains.
* For server-to-server connections:
s2s_use_starttls: required
# For ejabberd < 17.12
# s2s_certfile: "/etc/ejabberd/certificate.pem"


===Get a server certificate===
Further help:
* Homepage: [https://www.ejabberd.im/ ejabberd IM]
* Chatroom: [xmpp:ejabberd@conference.process-one.net?join ejabberd@conference.process-one.net]
* Documentation: [http://docs.ejabberd.im/admin/guide/ ejabberd Installation and Operation Guide]


We will use example.com to illustrate.
==== Prosody ====
Prosody is aiming to be secure by default, as of version 0.12.x no changes to the default configuration is required to enable or enforce encrypted connections.


* order a certificate for example.com (not servername.example.com) from your preferred CA. For instance, [http://startssl.com/ StartSSL] offers free certificates.
Further help:
* Homepage: [https://prosody.im/ Prosody IM]
* Chatroom: [https://prosody.im/chat/ prosody@conference.prosody.im]
* Documentation: [https://prosody.im/doc/security Prosody.IM: Security]


===Configure your DNS===
==== Metronome ====
 
In Metronome's latest development tip, encryption requirement is the default setting, as long as TLS capability
Ensure that the following DNS records are set:
is available, and no configuration change is needed. Otherwise ensure that ''metronome.cfg.lua'' contains the
 
following settings in the global section of your configuration:
_xmpp-server._tcp.example.com. 18000 IN SRV 0 5 5269 servername.example.com.
  c2s_require_encryption = true
servername.example.com.        18000  A 10.10.10.10 # you must have an A record for your server
  s2s_require_encryption = true
 
You can test your DNS setup at http://protocol.buddycloud.com/
 
==Securing client connections==
 
Unless you have a very good reason, there's really no good reason to have clients connecting in clear text to their XMPP server (remember, this is like using telnet instead of ssh to maintain your server).
 
The following settings ensure that only encrypted connections are accepted.
 
=== eJabberd ===
 
% Ordinary client-2-server service
[{5222, ejabberd_c2s, [{access, c2s},
starttls_required, {certfile, "/etc/ssl/certs/ejabberd.pem"},
{shaper, c2s_shaper}]},
 
=== Prosody ===
 
Ensure mod_tls is enabled (this is the default):
 
modules_enabled = {
    -- Other modules
    "tls"; -- Enable mod_tls
}
 
Then look for c2s_require_encryption in your config, and set it to ''true'':
 
c2s_require_encryption = true
 
For more information see [http://prosody.im/doc/modules/mod_tls Prosody's mod_tls documentation].


=== Tigase ===
Further help:
* Homepage: [https://metronome.im Metronome IM]
* Chatroom: [xmpp:grimoire@muc.metronome.im?join grimoire@muc.metronome.im]
* Documentation: [https://metronome.im/documentation metronome.im/documentation]


See http://www.tigase.org/content/vhost-tls-required for more details
==== Tigase ====
See http://www.tigase.org/content/vhost-tls-required for more details:
  --vhost-tls-required = true
  --vhost-tls-required = true


Line 68: Line 68:
  basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem
  basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem


==Securing connections between XMPP servers==
TLS for s2s connection is enabled by default; no option to configure it as ''required'' (certain domains can be configured to skip TLS for s2s with following configuration. For more information: [http://www.tigase.org/content/s2s-skip-tls-hostnames --s2s-skip-tls-hostnames]):
 
--s2s-skip-tls-hostnames = domain1,domain2
There are two kinds of setups
# single domain
# server hosting multiple XMPP domains
 
=== Prosody (single domain) ===
 
* DNS: nothing to change
* Certificate: ensure that it matches your domain name (eg you should have a valid certificate for example.com)
 
Configuration
 
 
  c2s_require_encryption = true
  s2s_require_encryption = true
  s2s_secure_auth = true
  s2s_insecure_domains = { "gmail.com" }  -- Google doesn't support encrypted connections
  ssl                    = {
                          key        = "/etc/prosody/certs/example.org.pem";
                          certificate = "/etc/prosody/certs/example.org.pem";
                          cafile      = "/etc/prosody/certs/your-ca-cert(s).pem";
                          dhparam    = "/etc/prosody/certs/dh-2048.pem";
                          ciphers    = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH";
                          options    = {"no_sslv2", "no_sslv3", "no_ticket", "no_compression"};
                          }
 
=== Prosody (secure delegation with DANE) ===
 
* DNS: You need to be working with a [http://www.icann.org/en/news/in-focus/dnssec/deployment registrar that supports DNSSEC]
* Certificate: which certificate do we need? - how do we setup DANE in the nameserver?
 
Configuration
 
modules_enabled = {
        ...
        "s2s_auth_dnssec_srv";
}
 
=== Ejabberd (single domain) ===
 
% Use STARTTLS+Dialback for S2S connections
{s2s_use_starttls, true}.
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.
% Need a way to whitelist GTalk servers


=== Ejabberd (secure delegation for running multiple domains)===
In order to have improved security Tigase features "[http://www.tigase.org/content/hardened-mode hardened mode]" which turns off workaround for SSL issues, turns off SSLv2, forces enabling more secure ciphers suites and also forces requirement of StartTLS.
--hardened-mode=true


??? Does Ejabberd support DANE yet? Doesn't look promising.
Further help:
* Homepage: [http://www.tigase.org/ Tigase.org]
* Documentation: [http://www.tigase.org/admin-guide Admin guide]


=== Tigase (single domain) ===
==== Openfire ====
# Open the Openfire administration console
# Go to '''Server Settings''' under '''Server'''
# Then open '''Security Settings''' in the list to the left
# Check both radiobuttons labeled '''Required'''
# Check the checkbox marked ''Accept self-signed certificates''
# Done!


* TLS for s2s connection is enabled by default; no option to configure it as ''required''
Further help:
* certain domains can be configured to skip TLS for s2s with following configuration (more information: [http://www.tigase.org/content/s2s-skip-tls-hostnames --s2s-skip-tls-hostnames]):
* Homepage: [http://igniterealtime.org/projects/openfire/ Openfire]
  --s2s-skip-tls-hostnames = domain1,domain2
* Chatroom: [xmpp:open_chat@conference.igniterealtime.org?join open_chat@conference.igniterealtime.org]
* Documentation: [http://igniterealtime.org/projects/openfire/documentation.jsp Openfire documentation]


=== Tigase (secure delegation for running multiple domains) ===
=== Step 3: Check your XMPP Server Security ===
[http://xmpp.net/ Test your XMPP security] to be sure.


* certificate configuration is same as described in section [[#Securing client connections]]
= Encryption Manifesto (archived) =
* no support for DANE/DNSSEC
== Aim: Encrypt All XMPP Connections ==


=== Openfire ===
This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following [https://github.com/stpeter/manifesto/blob/master/manifesto.txt ubiquitous encryption manifesto] test days:
* January 4, 2014 - first test day requiring encryption
* February 22, 2014 - second test day
* March 22, 2014 - third test day
* April 19, 2014 - fourth test day
* May 19, 2014 - '''permanent upgrade''' to encrypted network


???
To achieve this, we need to:
* Encrypt connections between clients and servers (C2S)
* Encrypt server to server connections (S2S)

Latest revision as of 16:51, 26 December 2023

Clients

need to add something...

Servers

An XMPP Server is considered secure when the following (minimum) items are present:

  • The server is running with a server certificate
  • The server is configured to not allow any cleartext communications - S2S and C2S
  • The server supports XEP-198
  • ...

Step1: Get a server certificate

Let's say you run an XMPP service for domain.tld (jids of user@domain.tld), you will need to order a certificate for with a subject or alt-name of domain.tld (not server.domain.tld) from your preferred cert provider. The certificate should also include alt-names for subomains such as conference.domain.tld, at least for services that should be accessible to remote users.

Step 2: Disable cleartext connections

These instructions will disable any cleartext communication between servers and client connections.

ejabberd

Make sure that your ejabberd.yml contains the following settings.

  • For ejabberd >= 17.12 list all available PEM files in this top-level option
certfiles:
 - "/etc/ejabberd/*.pem"
  • For client-to-server connections:
listen:
  -
    port: 5222
    module: ejabberd_c2s
    starttls_required: true
    # For ejabberd < 17.12
    # certfile: "/etc/ejabberd/certificate.pem"
  • For server-to-server connections:
s2s_use_starttls: required
# For ejabberd < 17.12
# s2s_certfile: "/etc/ejabberd/certificate.pem"

Further help:

Prosody

Prosody is aiming to be secure by default, as of version 0.12.x no changes to the default configuration is required to enable or enforce encrypted connections.

Further help:

Metronome

In Metronome's latest development tip, encryption requirement is the default setting, as long as TLS capability is available, and no configuration change is needed. Otherwise ensure that metronome.cfg.lua contains the following settings in the global section of your configuration:

 c2s_require_encryption = true
 s2s_require_encryption = true

Further help:

Tigase

See http://www.tigase.org/content/vhost-tls-required for more details:

--vhost-tls-required = true

By default Tigase will read VHosts certificates from certs/ subdirectory match domain name against .pem filename of the certificate. Alternatively configuration for particular vhost certificate could be specified explicitly in init.properties:

basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem

TLS for s2s connection is enabled by default; no option to configure it as required (certain domains can be configured to skip TLS for s2s with following configuration. For more information: --s2s-skip-tls-hostnames):

--s2s-skip-tls-hostnames = domain1,domain2

In order to have improved security Tigase features "hardened mode" which turns off workaround for SSL issues, turns off SSLv2, forces enabling more secure ciphers suites and also forces requirement of StartTLS.

--hardened-mode=true

Further help:

Openfire

  1. Open the Openfire administration console
  2. Go to Server Settings under Server
  3. Then open Security Settings in the list to the left
  4. Check both radiobuttons labeled Required
  5. Check the checkbox marked Accept self-signed certificates
  6. Done!

Further help:

Step 3: Check your XMPP Server Security

Test your XMPP security to be sure.

Encryption Manifesto (archived)

Aim: Encrypt All XMPP Connections

This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following ubiquitous encryption manifesto test days:

  • January 4, 2014 - first test day requiring encryption
  • February 22, 2014 - second test day
  • March 22, 2014 - third test day
  • April 19, 2014 - fourth test day
  • May 19, 2014 - permanent upgrade to encrypted network

To achieve this, we need to:

  • Encrypt connections between clients and servers (C2S)
  • Encrypt server to server connections (S2S)