(→Prosody: Manifesto says to fallback to dialback, s2s_secure_auth would disable that)
m (→Metronome: Correct broken links)
(22 intermediate revisions by 7 users not shown)
== Clients ==
need to add something...
== Servers ==
An XMPP server is considered secure when at least the following items are present:
* The server is running with a server certificate
* The server is configured not to allow any cleartext communication, S2S or C2S
* The server supports XEP-0198
* ...
=== Step 1: Get a server certificate ===
Let's say you run an XMPP service for <code>example.net</code> (JIDs of the form user@example.net). You will need to order a certificate with a subject or subject alt-name of <code>example.net</code> (not <code>server.example.net</code>) from your preferred certificate provider.
=== Step 2: Disable cleartext connections ===
These instructions will disable any cleartext communication on both server-to-server and client-to-server connections.
==== ejabberd ====
Make sure that your ''ejabberd.yml'' contains the [http://docs.ejabberd.im/admin/guide/configuration/#listening-ports following settings].
* For ejabberd >= 17.12, list all available PEM files in this top-level option:
 certfiles:
   - "/etc/ejabberd/*.pem"
* For client-to-server connections:
 listen:
   -
     port: 5222
     module: ejabberd_c2s
     starttls_required: true
     # For ejabberd < 17.12
     # certfile: "/etc/ejabberd/certificate.pem"
* For server-to-server connections:
 s2s_use_starttls: required
 # For ejabberd < 17.12
 # s2s_certfile: "/etc/ejabberd/certificate.pem"
Further help:
* Homepage: [https://www.ejabberd.im/ ejabberd IM]
* Chatroom: [xmpp:ejabberd@conference.process-one.net?join ejabberd@conference.process-one.net]
* Documentation: [http://docs.ejabberd.im/admin/guide/ ejabberd Installation and Operation Guide]
==== Prosody ====
Ensure that ''prosody.cfg.lua'' contains the following settings in the [https://prosody.im/doc/configure#overview global section] of your config, or under the specific <code>VirtualHost</code> you want to secure:
 c2s_require_encryption = true
Line 43: | Line 47:
Further help:
* Homepage: [https://prosody.im/ Prosody IM]
* Chatroom: [https://prosody.im/chat/ prosody@conference.prosody.im]
* Documentation: [https://prosody.im/doc/security Prosody.IM: Security]
==== Metronome ====
In Metronome's latest development tip, requiring encryption is the default setting as long as TLS is available, so no configuration change is needed. Otherwise, ensure that ''metronome.cfg.lua'' contains the following settings in the global section of your configuration:
 c2s_require_encryption = true
 s2s_require_encryption = true
Further help:
* Homepage: [https://metronome.im Metronome IM]
* Chatroom: [xmpp:grimoire@muc.metronome.im?join grimoire@muc.metronome.im]
* Documentation: [https://metronome.im/documentation metronome.im/documentation]
==== Tigase ====
See http://www.tigase.org/content/vhost-tls-required for more details:
 --vhost-tls-required = true
Line 53: | Line 70:
 basic-conf/virt-hosts-cert-<domain>=path/to/cert.pem
TLS for S2S connections is enabled by default, but there is no option to configure it as ''required''. Certain domains can be configured to skip TLS for S2S with the following setting (for more information see [http://www.tigase.org/content/s2s-skip-tls-hostnames --s2s-skip-tls-hostnames]):
 --s2s-skip-tls-hostnames = domain1,domain2
For improved security, Tigase offers a "[http://www.tigase.org/content/hardened-mode hardened mode]", which turns off the workarounds for SSL issues, disables SSLv2, forces the use of more secure cipher suites, and makes StartTLS mandatory:
 --hardened-mode=true
Further help:
* Homepage: [http://www.tigase.org/ Tigase.org]
* Documentation: [http://www.tigase.org/admin-guide Admin guide]
==== Openfire ====
# Open the Openfire administration console
# Go to '''Server Settings''' under '''Server'''
# Then open '''Security Settings''' in the list to the left
# Select both radio buttons labeled '''Required'''
# Check the checkbox marked ''Accept self-signed certificates''
# Done!
Further help:
* Homepage: [http://igniterealtime.org/projects/openfire/ Openfire]
* Chatroom: [xmpp:open_chat@conference.igniterealtime.org?join open_chat@conference.igniterealtime.org]
* Documentation: [http://igniterealtime.org/projects/openfire/documentation.jsp Openfire documentation]
=== Step 3: Check your XMPP server security ===
[http://xmpp.net/ Test your XMPP security] to be sure.
= Encryption Manifesto (archived) =
== Aim: Encrypt All XMPP Connections ==
This page provides instructions for XMPP server administrators to secure XMPP client and server connections so that they are ready for the following [https://github.com/stpeter/manifesto/blob/master/manifesto.txt ubiquitous encryption manifesto] test days:
* January 4, 2014 - first test day requiring encryption
* February 22, 2014 - second test day
* March 22, 2014 - third test day
* April 19, 2014 - fourth test day
* May 19, 2014 - '''permanent upgrade''' to encrypted network
To achieve this, we need to:
* Encrypt connections between clients and servers (C2S)
* Encrypt server to server connections (S2S)