Difference between revisions of "Securing XMPP"

From XMPP WIKI
 
(→‎Prosody: Remove s2s_insecure_domains, it has no effect here, and add link to docs)
(13 intermediate revisions by the same user not shown)
(Lines marked - are from the left-hand revision of the diff, lines marked + from the right-hand revision, which is rendered in full below; unmarked lines are unchanged context.)

Line 1: Line 1:
- This page provides instructions for XMPP server administrators to secure XMPP client and server connections.
+ '''Aim: Encrypt All XMPP Connections'''

- ==Current Goals==
+ This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following [https://github.com/stpeter/manifesto/blob/master/manifesto.txt ubiquitous encryption manifesto] test days:

- The information on this page is designed to meet the following goals:
+ * January 4, 2014 - first test day requiring encryption
+ * February 22, 2014 - second test day
+ * March 22, 2014 - third test day
+ * April 19, 2014 - fourth test day
+ * May 19, 2014 - '''permanent upgrade''' to encrypted network

- * encrypted connections between clients and servers (a.k.a. "c2s")
- * encrypted server to server connections (a.k.a. "s2s")
- * encryption working for virtual hosted XMPP environments (more than one domain per server)
+ To achieve this, we need to:

- Naturally, other goals might be appropriate now and in the future: end-to-end encryption for one-to-one messaging, file transfer, and voice/video (e.g., OTR and ZRTP); encryption of multi-user chatrooms; onion routing (e.g., Tor) for stanza routing; mix networks; password-free authentication; etc.
+ * encrypt connections between clients and servers (c2s)
+ * encrypt server to server connections (s2s)

- ==Background==
+ == Step1: Get a server certificate==

- Although many IM clients can be configured to force encrypted connections for the c2s hop, XMPP does not encrypt connections by default (this is like using telnet instead of ssh to administer remote machines). Also, if you are communicating with someone at another server, there is no way to know if the s2s hop has been encrypted.
+ Let's say you run an XMPP service for <code>example.com</code> (jids of user@example.com), you will need to order a certificate for with a subject or alt-name of <code>example.com</code> (not <code>servername.example.com</code>) from your preferred cert provider ([http://startssl.com/ StartSSL] offers free certificates and is quite good)

- This page will show you how to enable encryption for your user's c2s connections and also to encrypt and authenticate s2s connections to remote domains.
+ == Step 2: Configure your DNS ==

- ===Get a server certificate===
-
- We will use example.com to illustrate.
-
- * order a certificate for example.com (not servername.example.com) from your preferred CA. For instance, [http://startssl.com/ StartSSL] offers free certificates.
-
- ===Configure your DNS===

  Ensure that the following DNS records are set:
Line 30: Line 25:
   servername.example.com.        18000  A 10.10.10.10 # you must have an A record for your server

- You can test your DNS setup at http://protocol.buddycloud.com/
+ You can test your DNS setup at [http://xmpp.net xmpp.net]

- ==Securing client connections==
+ == Step 3: Only permit encrypted connections ==

- Unless you have a very good reason, there's really no good reason to have clients connecting in clear text to their XMPP server (remember, this is like using telnet instead of ssh to maintain your server).
+ === eJabberd ===

- The following settings ensure that only encrypted connections are accepted.

- === eJabberd ===
+ Configure ejabberd.conf

   % Ordinary client-2-server service
Line 44: Line 37:
   starttls_required, {certfile, "/etc/ssl/certs/ejabberd.pem"},
   {shaper, c2s_shaper}]},
+ % Use STARTTLS+Dialback for S2S connections
+ {s2s_use_starttls, true}.
+ {s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.

  === Prosody ===

- Ensure mod_tls is enabled (this is the default):
+ Ensure that prosody.conf.lua contains the following settings against each <code>VirtualHost</code>:

- modules_enabled = {
-     -- Other modules
-     "tls"; -- Enable mod_tls
- }
+   c2s_require_encryption = true
+   s2s_require_encryption = true

- Then look for c2s_require_encryption in your config, and set it to ''true'':
+ Further help:

- c2s_require_encryption = true
-
- For more information see [http://prosody.im/doc/modules/mod_tls Prosody's mod_tls documentation].
+ * Chatroom: [https://prosody.im/chat/ prosody@conference.prosody.im]
+ * Documentation: [https://prosody.im/doc/security Prosody.IM: Security]

  === Tigase ===
Line 66: Line 59:

  By default Tigase will read VHosts certificates from ''certs/'' subdirectory match domain name against .pem filename of the certificate. Alternatively configuration for particular vhost certificate could be specified explicitly in init.properties:
    basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem

- ==Securing connections between XMPP servers==
+ * TLS for s2s connection is enabled by default; no option to configure it as ''required'' (certain domains can be configured to skip TLS for s2s with following configuration. For more information: [http://www.tigase.org/content/s2s-skip-tls-hostnames --s2s-skip-tls-hostnames]):
+
+ --s2s-skip-tls-hostnames = domain1,domain2

- There are two kinds of setups
- # single domain
- # server hosting multiple XMPP domains
-
- === Prosody (single domain) ===
-
- * DNS: nothing to change
- * Certificate: ensure that it matches your domain name (eg you should have a valid certificate for example.com)
-
- Configuration
-
-   c2s_require_encryption = true
-   s2s_require_encryption = true
-   s2s_secure_auth = true
-   s2s_insecure_domains = { "gmail.com" }  -- Google doesn't support encrypted connections
-   ssl                    = {
-                           key        = "/etc/prosody/certs/example.org.pem";
-                           certificate = "/etc/prosody/certs/example.org.pem";
-                           cafile      = "/etc/prosody/certs/your-ca-cert(s).pem";
-                           dhparam    = "/etc/prosody/certs/dh-2048.pem";
-                           ciphers    = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:!RC4:HIGH:!MD5:!aNULL:!EDH";
-                           options    = {"no_sslv2", "no_sslv3", "no_ticket", "no_compression"};
-                           }
-
- === Prosody (secure delegation with DANE) ===
-
- * DNS: You need to be working with a [http://www.icann.org/en/news/in-focus/dnssec/deployment registrar that supports DNSSEC]
- * Certificate: which certificate do we need? - how do we setup DANE in the nameserver?
-
- Configuration
-
- modules_enabled = {
-         ...
-         "s2s_auth_dnssec_srv";
- }
-
- === Ejabberd (single domain) ===
-
- % Use STARTTLS+Dialback for S2S connections
- {s2s_use_starttls, true}.
- {s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.
- % Need a way to whitelist GTalk servers
-
- === Ejabberd (secure delegation for running multiple domains)===
-
- ??? Does Ejabberd support DANE yet? Doesn't look promising.
-
- === Tigase (single domain) ===
-
- * TLS for s2s connection is enabled by default; no option to configure it as ''required''
- * certain domains can be configured to skip TLS for s2s with following configuration (more information: [http://www.tigase.org/content/s2s-skip-tls-hostnames --s2s-skip-tls-hostnames]):
-   --s2s-skip-tls-hostnames = domain1,domain2
-
- === Tigase (secure delegation for running multiple domains) ===
-
- * certificate configuration is same as described in section [[#Securing client connections]]
- * no support for DANE/DNSSEC

  === Openfire ===

  ???
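Review bot: across the Prosody changes in the "Line 44: Line 37:" and "Line 66: Line 59:" hunks, the left-hand revision's `ssl = { key = ...; certificate = ...; cafile = ... }` block, its `s2s_secure_auth = true` line and the `"s2s_auth_dnssec_srv"` module are replaced by only `c2s_require_encryption = true` and `s2s_require_encryption = true`, so the right-hand text no longer says where the key and certificate for the domain are configured or whether a remote server's certificate is verified at all; keep at least the `key`/`certificate` paths and `s2s_secure_auth = true` next to the two require_encryption lines, or state that the "Documentation: Prosody.IM: Security" link is where those settings are covered.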

Revision as of 19:05, 21 November 2013

Aim: Encrypt All XMPP Connections

This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following ubiquitous encryption manifesto test days:

  • January 4, 2014 - first test day requiring encryption
  • February 22, 2014 - second test day
  • March 22, 2014 - third test day
  • April 19, 2014 - fourth test day
  • May 19, 2014 - permanent upgrade to encrypted network

To achieve this, we need to:

  • encrypt connections between clients and servers (c2s)
  • encrypt server to server connections (s2s)

Step 1: Get a server certificate

If you run an XMPP service for example.com (JIDs of the form user@example.com), you need to order a certificate with a subject or alt-name of example.com (not servername.example.com) from your preferred certificate provider (StartSSL offers free certificates and is quite good).

Step 2: Configure your DNS

Ensure that the following DNS records are set:

_xmpp-server._tcp.example.com. 18000 IN SRV 0 5 5269 servername.example.com. 
servername.example.com.        18000  A 10.10.10.10 # you must have an A record for your server

You can test your DNS setup at xmpp.net

Step 3: Only permit encrypted connections

eJabberd

Configure ejabberd.conf

% Ordinary client-2-server service
[{5222, ejabberd_c2s, [{access, c2s},
starttls_required, {certfile, "/etc/ssl/certs/ejabberd.pem"},
{shaper, c2s_shaper}]},
% Use STARTTLS+Dialback for S2S connections
{s2s_use_starttls, true}.
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.

Prosody

Ensure that prosody.conf.lua contains the following settings for each VirtualHost:

 c2s_require_encryption = true
 s2s_require_encryption = true

Further help:

  • Chatroom: prosody@conference.prosody.im (https://prosody.im/chat/)
  • Documentation: Prosody.IM: Security (https://prosody.im/doc/security)

Tigase

See http://www.tigase.org/content/vhost-tls-required for more details

--vhost-tls-required = true

By default Tigase reads vhost certificates from the certs/ subdirectory, matching the domain name against the .pem filename of the certificate. Alternatively, the certificate for a particular vhost can be specified explicitly in init.properties:

basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem

  • TLS for s2s connections is enabled by default; there is no option to configure it as required. Certain domains can be configured to skip TLS for s2s with the following setting (more information: --s2s-skip-tls-hostnames, http://www.tigase.org/content/s2s-skip-tls-hostnames):

--s2s-skip-tls-hostnames = domain1,domain2

Openfire

???
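As an added check for Steps 1 to 3 (example code written for this page, not part of the wiki or any of the servers it lists), the following Python probe opens a stream to a server, classifies the STARTTLS feature it advertises as required, optional or absent, and then verifies the certificate against the XMPP domain rather than the server hostname; the host, port and domain are whatever you pass in. Only stream_header and starttls_policy work offline; probe needs a reachable server.

```python
import socket
import ssl
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"


def stream_header(domain, ns="jabber:server"):
    """Opening stream header sent to `domain` (ns='jabber:client' for c2s)."""
    return (f"<?xml version='1.0'?><stream:stream to='{domain}' xmlns='{ns}' "
            f"xmlns:stream='{NS_STREAM}' version='1.0'>")


def starttls_policy(features_xml):
    """Classify a <stream:features> element: 'required', 'optional' or 'absent'."""
    # On the wire the stream: prefix is declared on the stream root, not on
    # the features element, so wrap it in an element that declares it.
    root = ET.fromstring(f"<r xmlns:stream='{NS_STREAM}'>{features_xml}</r>")
    starttls = root.find(f".//{{{NS_TLS}}}starttls")
    if starttls is None:
        return "absent"  # clear-text only: fails the page's aim outright
    if starttls.find(f"{{{NS_TLS}}}required") is not None:
        return "required"  # what starttls_required / *_require_encryption produce
    return "optional"  # TLS offered, but a peer may still talk in the clear


def probe(host, port, domain, ns="jabber:server", timeout=5):
    """Live check (needs network): (policy, DNS names in the server certificate).

    wrap_socket verifies the certificate against the XMPP domain, not the
    server hostname, so a cert for servername.example.com fails here (Step 1).
    """
    with socket.create_connection((host, port), timeout) as sock:
        sock.sendall(stream_header(domain, ns).encode())
        buf = b""
        while b"</stream:features>" not in buf and b"<stream:features/>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("stream closed before <stream:features>")
            buf += chunk
        policy = starttls_policy(buf[buf.index(b"<stream:features"):].decode())
        if policy == "absent":
            return policy, []
        sock.sendall(f"<starttls xmlns='{NS_TLS}'/>".encode())
        if b"<proceed" not in sock.recv(4096):
            raise ConnectionError("server refused STARTTLS")
        with ssl.create_default_context().wrap_socket(sock, server_hostname=domain) as tls:
            cert = tls.getpeercert()
    return policy, [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
```

Run it as probe("servername.example.com", 5269, "example.com") for the s2s port from the SRV record above, or with port 5222 and ns="jabber:client" for c2s; after Step 3 both should report "required".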