Difference between revisions of "Securing XMPP"
(→Openfire: Click is a silly word) |
(→Tigase) |
||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
== Aim: Encrypt All XMPP Connections == | |||
This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following [https://github.com/stpeter/manifesto/blob/master/manifesto.txt ubiquitous encryption manifesto] test days: | This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following [https://github.com/stpeter/manifesto/blob/master/manifesto.txt ubiquitous encryption manifesto] test days: | ||
| Line 9: | Line 9: | ||
To achieve this, we need to: | To achieve this, we need to: | ||
* Encrypt connections between clients and servers ( | * Encrypt connections between clients and servers (C2S) | ||
* Encrypt server to server connections ( | * Encrypt server to server connections (S2S) | ||
== Step1: Get a server certificate== | == Step1: Get a server certificate== | ||
Let's say you run an XMPP service for <code>example. | Let's say you run an XMPP service for <code>example.net</code> (jids of user@example.net), you will need to order a certificate for with a subject or alt-name of <code>example.net</code> (not <code>server.example.net</code>) from your preferred cert provider ([http://startssl.com/ StartSSL] offers free certificates and is quite good). | ||
== Step 2: Configure your DNS == | == Step 2: Configure your DNS == | ||
Ensure that the following DNS records are set: | Ensure that the following DNS records are set: | ||
_xmpp-server._tcp.example. | _xmpp-server._tcp.example.net. 18000 IN SRV 0 5 5269 server.example.net. | ||
server.example.net. 18000 A 10.10.10.10 # you must have an A record for your server. | |||
More informations on [[SRV Records]] page. | |||
You may also want to [[Securing DNS|Secure your DNS with DNSSEC]] | You can test your DNS setup at [http://xmpp.net/ xmpp.net]. | ||
You may also want to [[Securing DNS|Secure your DNS with DNSSEC]]. | |||
== Step 3: Disable cleartext connections == | == Step 3: Disable cleartext connections == | ||
| Line 53: | Line 55: | ||
basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem | basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem | ||
TLS for s2s connection is enabled by default; no option to configure it as ''required'' (certain domains can be configured to skip TLS for s2s with following configuration. For more information: [http://www.tigase.org/content/s2s-skip-tls-hostnames --s2s-skip-tls-hostnames]): | |||
--s2s-skip-tls-hostnames = domain1,domain2 | --s2s-skip-tls-hostnames = domain1,domain2 | ||
In order to have improved security Tigase features [http://www.tigase.org/content/hardened-mode 'hardened mode'] which turns off workaround for SSL issues, turns off SSLv2, forces enabling more secure ciphers suites and also forces requirement of StartTLS. | |||
--hardened-mode=true | |||
=== Openfire === | === Openfire === | ||
# Open the Openfire administration console | # Open the Openfire administration console | ||
# Go to '''Server Settings''' under '''Server''' | # Go to '''Server Settings''' under '''Server''' | ||
| Line 66: | Line 70: | ||
== Step 4: Check your XMPP Security == | == Step 4: Check your XMPP Security == | ||
[http://xmpp.net Test your XMPP security] to be sure. | [http://xmpp.net/ Test your XMPP security] to be sure. | ||
Revision as of 09:01, 16 January 2014
Aim: Encrypt All XMPP Connections
This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following ubiquitous encryption manifesto test days:
- January 4, 2014 - first test day requiring encryption
- February 22, 2014 - second test day
- March 22, 2014 - third test day
- April 19, 2014 - fourth test day
- May 19, 2014 - permanent upgrade to encrypted network
To achieve this, we need to:
- Encrypt connections between clients and servers (C2S)
- Encrypt server to server connections (S2S)
Step1: Get a server certificate
Let's say you run an XMPP service for example.net (jids of user@example.net), you will need to order a certificate for with a subject or alt-name of example.net (not server.example.net) from your preferred cert provider (StartSSL offers free certificates and is quite good).
Step 2: Configure your DNS
Ensure that the following DNS records are set:
_xmpp-server._tcp.example.net. 18000 IN SRV 0 5 5269 server.example.net. server.example.net. 18000 A 10.10.10.10 # you must have an A record for your server.
More informations on SRV Records page.
You can test your DNS setup at xmpp.net.
You may also want to Secure your DNS with DNSSEC.
Step 3: Disable cleartext connections
These instructions will disable any cleartext communication between servers and client connections.
ejabberd
Configure ejabberd.conf
% Ordinary client-2-server service
[{5222, ejabberd_c2s, [{access, c2s},
starttls_required, {certfile, "/etc/ssl/certs/ejabberd.pem"},
{shaper, c2s_shaper}]},
% Use STARTTLS+Dialback for S2S connections
{s2s_use_starttls, true}.
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.
Prosody
Ensure that prosody.cfg.lua contains the following settings in the global section of your config, or under the specific VirtualHost you want to secure:
c2s_require_encryption = true s2s_require_encryption = true
Further help:
- Chatroom: prosody@conference.prosody.im
- Documentation: Prosody.IM: Security
Tigase
See http://www.tigase.org/content/vhost-tls-required for more details:
--vhost-tls-required = true
By default Tigase will read VHosts certificates from certs/ subdirectory match domain name against .pem filename of the certificate. Alternatively configuration for particular vhost certificate could be specified explicitly in init.properties:
basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem
TLS for s2s connection is enabled by default; no option to configure it as required (certain domains can be configured to skip TLS for s2s with following configuration. For more information: --s2s-skip-tls-hostnames):
--s2s-skip-tls-hostnames = domain1,domain2
In order to have improved security Tigase features 'hardened mode' which turns off workaround for SSL issues, turns off SSLv2, forces enabling more secure ciphers suites and also forces requirement of StartTLS.
--hardened-mode=true
Openfire
- Open the Openfire administration console
- Go to Server Settings under Server
- Then open Security Settings in the list to the left
- Check both radiobuttons labeled Required
- Check the checkbox marked Accept self-signed certificates
- Done!
Step 4: Check your XMPP Security
Test your XMPP security to be sure.