Difference between revisions of "Securing XMPP"

Securing XMPP (view source)

Revision as of 11:31, 2 April 2018

2,119 bytes added , 11:31, 2 April 2018

m

→‎Metronome: Correct broken links

Maranda

2

edits

@@ Line 1: / Line 1: @@
-'''Aim: Encrypt All XMPP Connections'''
+== Clients ==
+need to add something...
-This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following [https://github.com/stpeter/manifesto/blob/master/manifesto.txt ubiquitous encryption manifesto] test days:
+== Servers ==
-* January 4, 2014 - first test day requiring encryption
+An XMPP Server is considered secure when the following (minimum) items are present:
-* February 22, 2014 - second test day
+* The server is running with a server certificate
-* March 22, 2014 - third test day
+* The server is configured to not allow any cleartext communications - S2S and C2S
-* April 19, 2014 - fourth test day
+* The server supports XEP-198
-* May 19, 2014 - '''permanent upgrade''' to encrypted network
+* ...
+=== Step1: Get a server certificate===
+Let's say you run an XMPP service for <code>example.net</code> (jids of user@example.net), you will need to order a certificate for with a subject or alt-name of <code>example.net</code> (not <code>server.example.net</code>) from your preferred cert provider.
-To achieve this, we need to:
+=== Step 2: Disable cleartext connections ===
-* Encrypt connections between clients and servers (c2s)
+These instructions will disable any cleartext communication between servers and client connections.
-* Encrypt server to server connections (s2s)
-== Step1: Get a server certificate==
+==== ejabberd ====
-Let's say you run an XMPP service for <code>example.com</code> (jids of user@example.com), you will need to order a certificate for with a subject or alt-name of <code>example.com</code> (not <code>servername.example.com</code>) from your preferred cert provider ([http://startssl.com/ StartSSL] offers free certificates and is quite good).
+Make sure that your ''ejabberd.yml'' contains the [http://docs.ejabberd.im/admin/guide/configuration/#listening-ports following settings].
-== Step 2: Configure your DNS ==
+* For ejabberd >= 17.12 list all available PEM files in this top-level option
-Ensure that the following DNS records are set:
+ certfiles:
- _xmpp-server._tcp.example.com. 18000 IN SRV 0 5 5269 servername.example.com.
+  - "/etc/ejabberd/*.pem"
- servername.example.com.        18000  A 10.10.10.10 # you must have an A record for your server
-You can test your DNS setup at [http://xmpp.net xmpp.net]
+* For client-to-server connections:
+ listen:
+   -
+     port: 5222
+     module: ejabberd_c2s
+     starttls_required: true
+     # For ejabberd < 17.12
+     # certfile: "/etc/ejabberd/certificate.pem"
-== Step 3: Disable cleartext connections ==
+* For server-to-server connections:
-These instructions will disable any cleartext communication between servers and client connections.
+ s2s_use_starttls: required
+ # For ejabberd < 17.12
+ # s2s_certfile: "/etc/ejabberd/certificate.pem"
-=== ejabberd ===
+Further help:
-Configure ejabberd.conf
+* Homepage: [https://www.ejabberd.im/ ejabberd IM]
- % Ordinary client-2-server service
+* Chatroom: [xmpp:ejabberd@conference.process-one.net?join ejabberd@conference.process-one.net]
- [{5222, ejabberd_c2s, [{access, c2s},
+* Documentation: [http://docs.ejabberd.im/admin/guide/ ejabberd Installation and Operation Guide]
- starttls_required, {certfile, "/etc/ssl/certs/ejabberd.pem"},
- {shaper, c2s_shaper}]},
- % Use STARTTLS+Dialback for S2S connections
- {s2s_use_starttls, true}.
- {s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.
-=== Prosody ===
+==== Prosody ====
 Ensure that ''prosody.cfg.lua'' contains the following settings in the [https://prosody.im/doc/configure#overview global section] of your config, or under the specific <code>VirtualHost</code> you want to secure:
    c2s_require_encryption = true
@@ Line 41: / Line 47: @@
 Further help:
+* Homepage: [https://prosody.im/ Prosody IM]
 * Chatroom: [https://prosody.im/chat/ prosody@conference.prosody.im]
 * Documentation: [https://prosody.im/doc/security Prosody.IM: Security]
-=== Tigase ===
+==== Metronome ====
+In Metronome's latest development tip, encryption requirement is the default setting, as long as TLS capability
+is available, and no configuration change is needed. Otherwise ensure that ''metronome.cfg.lua'' contains the
+following settings in the global section of your configuration:
+  c2s_require_encryption = true
+  s2s_require_encryption = true
+Further help:
+* Homepage: [https://metronome.im Metronome IM]
+* Chatroom: [xmpp:grimoire@muc.metronome.im?join grimoire@muc.metronome.im]
+* Documentation: [https://metronome.im/documentation metronome.im/documentation]
+==== Tigase ====
 See http://www.tigase.org/content/vhost-tls-required for more details:
   --vhost-tls-required = true
@@ Line 51: / Line 70: @@
   basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem
-* TLS for s2s connection is enabled by default; no option to configure it as ''required'' (certain domains can be configured to skip TLS for s2s with following configuration. For more information: [http://www.tigase.org/content/s2s-skip-tls-hostnames --s2s-skip-tls-hostnames]):
+TLS for s2s connection is enabled by default; no option to configure it as ''required'' (certain domains can be configured to skip TLS for s2s with following configuration. For more information: [http://www.tigase.org/content/s2s-skip-tls-hostnames --s2s-skip-tls-hostnames]):
   --s2s-skip-tls-hostnames = domain1,domain2
-=== Openfire ===
+In order to have improved security Tigase features "[http://www.tigase.org/content/hardened-mode hardened mode]" which turns off workaround for SSL issues, turns off SSLv2, forces enabling more secure ciphers suites and also forces requirement of StartTLS.
-???
+ --hardened-mode=true
-== Step 4: Check your XMPP Security ==
+Further help:
-[http://xmpp.net Test your XMPP security] to be sure.
+* Homepage: [http://www.tigase.org/ Tigase.org]
+* Documentation: [http://www.tigase.org/admin-guide Admin guide]
+==== Openfire ====
+# Open the Openfire administration console
+# Go to '''Server Settings''' under '''Server'''
+# Then open '''Security Settings''' in the list to the left
+# Check both radiobuttons labeled '''Required'''
+# Check the checkbox marked ''Accept self-signed certificates''
+# Done!
+Further help:
+* Homepage: [http://igniterealtime.org/projects/openfire/ Openfire]
+* Chatroom: [xmpp:open_chat@conference.igniterealtime.org?join open_chat@conference.igniterealtime.org]
+* Documentation: [http://igniterealtime.org/projects/openfire/documentation.jsp Openfire documentation]
+=== Step 3: Check your XMPP Server Security ===
+[http://xmpp.net/ Test your XMPP security] to be sure.
+= Encryption Manifesto (archived) =
+== Aim: Encrypt All XMPP Connections ==
+This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following [https://github.com/stpeter/manifesto/blob/master/manifesto.txt ubiquitous encryption manifesto] test days:
+* January 4, 2014 - first test day requiring encryption
+* February 22, 2014 - second test day
+* March 22, 2014 - third test day
+* April 19, 2014 - fourth test day
+* May 19, 2014 - '''permanent upgrade''' to encrypted network
+To achieve this, we need to:
+* Encrypt connections between clients and servers (C2S)
+* Encrypt server to server connections (S2S)

Difference between revisions of "Securing XMPP"

Securing XMPP (view source)

Revision as of 11:31, 2 April 2018

Navigation menu

Search