Difference between revisions of "Securing XMPP"

From XMPP WIKI
Jump to navigation Jump to search
(→‎Prosody: Manifesto says to fallback to dialback, s2s_secure_auth would disable that)
 
m (→‎Metronome: Correct broken links)
(22 intermediate revisions by 7 users not shown)
Line 1: Line 1:
'''Aim: Encrypt All XMPP Connections'''
== Clients ==
need to add something...


This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following [https://github.com/stpeter/manifesto/blob/master/manifesto.txt ubiquitous encryption manifesto] test days:
== Servers ==
* January 4, 2014 - first test day requiring encryption
An XMPP Server is considered secure when the following (minimum) items are present:
* February 22, 2014 - second test day
* The server is running with a server certificate
* March 22, 2014 - third test day
* The server is configured to not allow any cleartext communications - S2S and C2S
* April 19, 2014 - fourth test day
* The server supports XEP-198
* May 19, 2014 - '''permanent upgrade''' to encrypted network
* ...


To achieve this, we need to:
=== Step1: Get a server certificate===
* Encrypt connections between clients and servers (c2s)
Let's say you run an XMPP service for <code>example.net</code> (jids of user@example.net), you will need to order a certificate for with a subject or alt-name of <code>example.net</code> (not <code>server.example.net</code>) from your preferred cert provider.
* Encrypt server to server connections (s2s)


== Step1: Get a server certificate==
=== Step 2: Disable cleartext connections ===
Let's say you run an XMPP service for <code>example.com</code> (jids of user@example.com), you will need to order a certificate for with a subject or alt-name of <code>example.com</code> (not <code>servername.example.com</code>) from your preferred cert provider ([http://startssl.com/ StartSSL] offers free certificates and is quite good).
These instructions will disable any cleartext communication between servers and client connections.


== Step 2: Configure your DNS ==
==== ejabberd ====
Ensure that the following DNS records are set:
Make sure that your ''ejabberd.yml'' contains the [http://docs.ejabberd.im/admin/guide/configuration/#listening-ports following settings].
_xmpp-server._tcp.example.com. 18000 IN SRV 0 5 5269 servername.example.com.
servername.example.com.        18000  A 10.10.10.10 # you must have an A record for your server


You can test your DNS setup at [http://xmpp.net xmpp.net]
* For ejabberd >= 17.12 list all available PEM files in this top-level option
certfiles:
  - "/etc/ejabberd/*.pem"


You may also want to [[Securing DNS|Secure your DNS with DNSSEC]]
* For client-to-server connections:
listen:
  -
    port: 5222
    module: ejabberd_c2s
    starttls_required: true
    # For ejabberd < 17.12
    # certfile: "/etc/ejabberd/certificate.pem"


== Step 3: Disable cleartext connections ==
* For server-to-server connections:
These instructions will disable any cleartext communication between servers and client connections.
s2s_use_starttls: required
# For ejabberd < 17.12
# s2s_certfile: "/etc/ejabberd/certificate.pem"


=== ejabberd ===
Further help:
Configure ejabberd.conf
* Homepage: [https://www.ejabberd.im/ ejabberd IM]
% Ordinary client-2-server service
* Chatroom: [xmpp:ejabberd@conference.process-one.net?join ejabberd@conference.process-one.net]
[{5222, ejabberd_c2s, [{access, c2s},
* Documentation: [http://docs.ejabberd.im/admin/guide/ ejabberd Installation and Operation Guide]
starttls_required, {certfile, "/etc/ssl/certs/ejabberd.pem"},
{shaper, c2s_shaper}]},
% Use STARTTLS+Dialback for S2S connections
{s2s_use_starttls, true}.
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.


=== Prosody ===
==== Prosody ====
Ensure that ''prosody.cfg.lua'' contains the following settings in the [https://prosody.im/doc/configure#overview global section] of your config, or under the specific <code>VirtualHost</code> you want to secure:
Ensure that ''prosody.cfg.lua'' contains the following settings in the [https://prosody.im/doc/configure#overview global section] of your config, or under the specific <code>VirtualHost</code> you want to secure:
   c2s_require_encryption = true
   c2s_require_encryption = true
Line 43: Line 47:


Further help:
Further help:
* Homepage: [https://prosody.im/ Prosody IM]
* Chatroom: [https://prosody.im/chat/ prosody@conference.prosody.im]
* Chatroom: [https://prosody.im/chat/ prosody@conference.prosody.im]
* Documentation: [https://prosody.im/doc/security Prosody.IM: Security]
* Documentation: [https://prosody.im/doc/security Prosody.IM: Security]


=== Tigase ===
==== Metronome ====
In Metronome's latest development tip, encryption requirement is the default setting, as long as TLS capability
is available, and no configuration change is needed. Otherwise ensure that ''metronome.cfg.lua'' contains the
following settings in the global section of your configuration:
  c2s_require_encryption = true
  s2s_require_encryption = true
 
Further help:
* Homepage: [https://metronome.im Metronome IM]
* Chatroom: [xmpp:grimoire@muc.metronome.im?join grimoire@muc.metronome.im]
* Documentation: [https://metronome.im/documentation metronome.im/documentation]
 
==== Tigase ====
See http://www.tigase.org/content/vhost-tls-required for more details:
See http://www.tigase.org/content/vhost-tls-required for more details:
  --vhost-tls-required = true
  --vhost-tls-required = true
Line 53: Line 70:
  basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem
  basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem


* TLS for s2s connection is enabled by default; no option to configure it as ''required'' (certain domains can be configured to skip TLS for s2s with following configuration. For more information: [http://www.tigase.org/content/s2s-skip-tls-hostnames --s2s-skip-tls-hostnames]):
TLS for s2s connection is enabled by default; no option to configure it as ''required'' (certain domains can be configured to skip TLS for s2s with following configuration. For more information: [http://www.tigase.org/content/s2s-skip-tls-hostnames --s2s-skip-tls-hostnames]):
  --s2s-skip-tls-hostnames = domain1,domain2
  --s2s-skip-tls-hostnames = domain1,domain2


=== Openfire ===
In order to have improved security Tigase features "[http://www.tigase.org/content/hardened-mode hardened mode]" which turns off workaround for SSL issues, turns off SSLv2, forces enabling more secure ciphers suites and also forces requirement of StartTLS.
???
--hardened-mode=true
 
Further help:
* Homepage: [http://www.tigase.org/ Tigase.org]
* Documentation: [http://www.tigase.org/admin-guide Admin guide]
 
==== Openfire ====
# Open the Openfire administration console
# Go to '''Server Settings''' under '''Server'''
# Then open '''Security Settings''' in the list to the left
# Check both radiobuttons labeled '''Required'''
# Check the checkbox marked ''Accept self-signed certificates''
# Done!
 
Further help:
* Homepage: [http://igniterealtime.org/projects/openfire/ Openfire]
* Chatroom: [xmpp:open_chat@conference.igniterealtime.org?join open_chat@conference.igniterealtime.org]
* Documentation: [http://igniterealtime.org/projects/openfire/documentation.jsp Openfire documentation]
 
=== Step 3: Check your XMPP Server Security ===
[http://xmpp.net/ Test your XMPP security] to be sure.
 
= Encryption Manifesto (archived) =
== Aim: Encrypt All XMPP Connections ==


== Step 4: Check your XMPP Security ==
This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following [https://github.com/stpeter/manifesto/blob/master/manifesto.txt ubiquitous encryption manifesto] test days:
[http://xmpp.net Test your XMPP security] to be sure.
* January 4, 2014 - first test day requiring encryption
* February 22, 2014 - second test day
* March 22, 2014 - third test day
* April 19, 2014 - fourth test day
* May 19, 2014 - '''permanent upgrade''' to encrypted network
 
To achieve this, we need to:
* Encrypt connections between clients and servers (C2S)
* Encrypt server to server connections (S2S)

Revision as of 11:31, 2 April 2018

Clients

need to add something...

Servers

An XMPP Server is considered secure when the following (minimum) items are present:

  • The server is running with a server certificate
  • The server is configured to not allow any cleartext communications - S2S and C2S
  • The server supports XEP-198
  • ...

Step1: Get a server certificate

Let's say you run an XMPP service for example.net (jids of user@example.net), you will need to order a certificate for with a subject or alt-name of example.net (not server.example.net) from your preferred cert provider.

Step 2: Disable cleartext connections

These instructions will disable any cleartext communication between servers and client connections.

ejabberd

Make sure that your ejabberd.yml contains the following settings.

  • For ejabberd >= 17.12 list all available PEM files in this top-level option
certfiles:
 - "/etc/ejabberd/*.pem"
  • For client-to-server connections:
listen:
  -
    port: 5222
    module: ejabberd_c2s
    starttls_required: true
    # For ejabberd < 17.12
    # certfile: "/etc/ejabberd/certificate.pem"
  • For server-to-server connections:
s2s_use_starttls: required
# For ejabberd < 17.12
# s2s_certfile: "/etc/ejabberd/certificate.pem"

Further help:

Prosody

Ensure that prosody.cfg.lua contains the following settings in the global section of your config, or under the specific VirtualHost you want to secure:

 c2s_require_encryption = true
 s2s_require_encryption = true

Further help:

Metronome

In Metronome's latest development tip, encryption requirement is the default setting, as long as TLS capability is available, and no configuration change is needed. Otherwise ensure that metronome.cfg.lua contains the following settings in the global section of your configuration:

 c2s_require_encryption = true
 s2s_require_encryption = true

Further help:

Tigase

See http://www.tigase.org/content/vhost-tls-required for more details:

--vhost-tls-required = true

By default Tigase will read VHosts certificates from certs/ subdirectory match domain name against .pem filename of the certificate. Alternatively configuration for particular vhost certificate could be specified explicitly in init.properties:

basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem

TLS for s2s connection is enabled by default; no option to configure it as required (certain domains can be configured to skip TLS for s2s with following configuration. For more information: --s2s-skip-tls-hostnames):

--s2s-skip-tls-hostnames = domain1,domain2

In order to have improved security Tigase features "hardened mode" which turns off workaround for SSL issues, turns off SSLv2, forces enabling more secure ciphers suites and also forces requirement of StartTLS.

--hardened-mode=true

Further help:

Openfire

  1. Open the Openfire administration console
  2. Go to Server Settings under Server
  3. Then open Security Settings in the list to the left
  4. Check both radiobuttons labeled Required
  5. Check the checkbox marked Accept self-signed certificates
  6. Done!

Further help:

Step 3: Check your XMPP Server Security

Test your XMPP security to be sure.

Encryption Manifesto (archived)

Aim: Encrypt All XMPP Connections

This page provides instructions for XMPP server administrators to secure XMPP client and server connections ready for the following ubiquitous encryption manifesto test days:

  • January 4, 2014 - first test day requiring encryption
  • February 22, 2014 - second test day
  • March 22, 2014 - third test day
  • April 19, 2014 - fourth test day
  • May 19, 2014 - permanent upgrade to encrypted network

To achieve this, we need to:

  • Encrypt connections between clients and servers (C2S)
  • Encrypt server to server connections (S2S)